Here is a question that keeps coming up. The PCI SSC issued article number 5362 on its FAQ site about two years ago. I am not going to quote it all here, but I am going to discuss the key points of this clarification. Hopefully this post will clear this up once and for all.
The most important part of the clarification is that it only applies to call centers that record operator conversations with customers.
The second biggest point of clarification is that ALL call center audio recordings that capture cardholder data are in scope, regardless of the recording format. As such, those audio recordings must be protected to the same level as any other digital cardholder data. This includes security measures such as encryption, access restricted to business need and the other PCI DSS requirements for protecting cardholder data (CHD).
The final large point the clarification makes is that it applies only to the retention of card verification codes (CVV2, CVC2, CAV2 or CID) in the call center’s audio recordings. Requirement 3.2.2 otherwise states that these codes must not be retained after authorization, even if encrypted, and the clarification does not change that rule for PAN or any other data. It simply spells out the strings attached to allowing the verification codes to remain in the audio recordings.
- The information contained in the audio recordings must be protected according to all applicable PCI DSS requirements. This includes meeting Requirement 3.4 (rendering the PAN unreadable through encryption, hashing, truncation or the like), minimizing access to the recordings, logging each access to each recording (Requirement 10) and the other related requirements in Requirements 1, 2 and 3 of the PCI DSS. Compensating controls are allowed for call center audio recordings where a requirement cannot be met as written.
- If a commercially available solution exists to purge the cardholder data from the audio recordings, the cardholder data MUST be purged. Once the CHD is purged, only the requirements in 1.1 still need to be applied to the audio files. This means that if your call center application has the ability to purge CHD, you must be running that purge capability at least daily. Even if that purge capability is an extra add-on to your call center application, you must purchase it and you must use it.
- The audio files cannot be programmatically searched or queried for the cardholder data. Applications that can search certain types of digital audio recordings for spoken content must not be present anywhere on the organization’s systems. The same goes for applications that convert audio files to text transcripts, which are sometimes bundled with the call center application suite: a transcript turns the spoken card data into searchable text, which is exactly the queryable storage the clarification prohibits. Either way, text transcription of recordings that contain CHD is not allowed.
- If audio recordings are backed up to other electronic media, the audio recordings must be encrypted on the backup media.
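To make the point behind the "no search, no transcription" condition concrete, here is a small scanner written for this post (it is an added example, not code from the original article or from the PCI SSC FAQ). Given a speech-to-text transcript of a payment call, it finds every PAN and every card verification code in a few lines of Python, which is why a transcript, and the recording it came from, counts as queryable cardholder data. The transcript lines are constructed for the example, the card numbers are brand test numbers rather than real accounts, and the keyword list and spoken-digit handling are assumptions about what a transcription engine emits, not a description of any particular product.

```python
"""Scan a call transcript for PANs and card verification codes.

Added example: shows that once a recording exists as text, cardholder data in
it is trivially searchable. The same scanner can be pointed at a transcript
store as a check for recordings that should have been purged. All sample
lines are constructed; the PANs are Visa/Mastercard test numbers.
"""
import re

# Spoken digits as speech-to-text engines often render them (assumed list).
NUMBER_WORDS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
# Words an agent uses when asking for the verification code (illustrative).
CVV_KEYWORDS = re.compile(
    r"\b(?:cvv2?|cvc2?|cav2|cid|security code|verification code)\b", re.I)
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
CODE_CANDIDATE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")

# Constructed transcript: one PAN typed by the engine as digit groups, one
# spoken digit by digit, plus a 16-digit order number that is NOT a PAN.
SAMPLE_TRANSCRIPT = """\
agent: Thank you for calling, may I have the card number?
caller: sure it's 4111 1111 1111 1111
agent: and the three digit security code on the back?
caller: 737
agent: thanks, and the expiration?
caller: oh nine twenty seven
agent: and the second card?
caller: five five five five five five five five five five five five four four four four
agent: security code?
caller: one two three
agent: your order number is 1234 5678 9012 3456
"""


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; rejects long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize(line: str) -> str:
    """Turn spoken digits into numerals and join digit groups, so that
    '4111 1111 1111 1111' and 'four one one one ...' become one digit run."""
    text = " ".join(NUMBER_WORDS.get(w.lower(), w) for w in line.split())
    return re.sub(r"(?<=\d)[ -](?=\d)", "", text)


def scan_transcript(text: str) -> dict:
    """Return {"pan": [(line, pan)], "code": [(line, code)]} for a transcript.

    A bare 3-4 digit number is only reported as a verification code when a
    CVV keyword appears on that line or the line before it, because the
    caller usually reads the code back in the turn after the agent asks."""
    lines = [normalize(ln) for ln in text.splitlines()]
    findings = {"pan": [], "code": []}
    for idx, line in enumerate(lines):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                findings["pan"].append((idx + 1, m.group()))
        if CVV_KEYWORDS.search(line):
            for j in (idx, idx + 1):
                if j < len(lines):
                    for m in CODE_CANDIDATE.finditer(lines[j]):
                        findings["code"].append((j + 1, m.group()))
    return findings


def redact(text: str) -> str:
    """Purge the findings: keep only the last four PAN digits and drop the
    verification codes entirely. Returns the normalized, redacted transcript."""
    lines = [normalize(ln) for ln in text.splitlines()]
    hits = scan_transcript(text)
    for lineno, pan in hits["pan"]:
        masked = "*" * (len(pan) - 4) + pan[-4:]
        lines[lineno - 1] = lines[lineno - 1].replace(pan, masked)
    for lineno, code in hits["code"]:
        lines[lineno - 1] = re.sub(rf"(?<!\d){code}(?!\d)", "[CODE REMOVED]",
                                   lines[lineno - 1])
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_transcript(SAMPLE_TRANSCRIPT)
    print("PANs  :", found["pan"])
    print("codes :", found["code"])
    print(redact(SAMPLE_TRANSCRIPT))
```

On the sample, the scanner reports both test PANs (lines 2 and 8) and both verification codes (lines 4 and 10), while the Luhn check correctly ignores the 16-digit order number on line 11. Note that the redaction only fixes the transcript; the audio it was produced from still holds the same data, which is the reason the clarification puts the recording itself in scope.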
I hope you now understand this important clarification.
UPDATE: On January 22, 2010, the PCI SSC issued a new clarification regarding call recordings containing CVV/CVC/CID.
Hi PCI Guru,
In a call centre where card payments are taken over the phone, if calls are not recorded, or if they are but the card info is prevented from being recorded using pause/resume, is the phone system itself in PCI DSS scope?
My initial thought is that the phone system would be in scope because credit card info is traveling through the phone system in voice form. However, so far, what I’ve read suggests the phone system is only in scope if it records the card data.
If the phone system is VoIP, you are correct that the phone system is in-scope, whether calls are recorded or not, because VoIP is just voice over Ethernet. So the Call Managers and all telephones (physical or soft) are also in-scope because they are all connected.
Thanks PCIGuru
Thank you for your comments Emma. In regards to your first question, it would be nice to be able to avoid such information in any recording, but that is just not realistic. Unfortunately not every call center will have the budget to introduce new technology like yours into the mix. As a result, for at least the time being, call centers will have to have an option to handle CHD in their call recordings without incurring additional expense. However, as time goes on, call centers will be expected to deal with this situation by adopting the necessary technology to remove that information from their recordings.
In regards to your second question, your solution is exactly what the PCI SSC considers ‘commercially viable’. Based on my understanding, the PCI SSC was trying to keep call centers away from the more sophisticated products that supposedly go through audio recordings searching for key words or phrases such as ‘credit card number’ or ‘CVV’ and the like and then supposedly get rid of the sensitive information. I have been through a number of product demonstrations of these solutions and they work really slick in the demonstration but are a nightmare to implement and make work in the real world.
Hi PCI Guru,
Two points of response for you. (Disclosure first: I work for a business, Veritape, which is a provider of PCI DSS compliant call recording systems.)
1. In our view, the only way to comply with these regs is to simply _not_ store the sensitive authentication data in the recordings in the first place. There are a couple of ways to do that, one being listed here: http://www.veritape.com/our-product/compliance/pci-dss-call-recording/.
2. The ‘commercially reasonable’ phrase in the PCI SSC article is one which I find interesting. Veritape gets many questions from its customers along the lines of “what IS commercially reasonable?”. What are your thoughts on that?
Interested to hear your thoughts,
Emma Jenkins
Veritape