Apparently FAQ #5362 was not good enough and has been changed again. In addition to some additional background information, the “if the data can be queried” language has returned as a qualifier regarding digital recordings. See my post on this for additional information.
Of course these recordings can be searched. There are all sorts of commercial and open source tools available for searching audio recordings.
All this is going to do in my opinion is cause my clients to use this as an out for not doing the right thing regarding their audio recordings.
Hey PCI Guru,
We’re a cloud-based contact center looking to become PCI Compliant. I have the following quick questions for you:
1. Do we need to fill out SAQ D as a service provider, or SAQ C-VT as a virtual center?
2. If we are currently not working with a client who requires PCI Compliancy, but are looking to attract such clients, do we need to comply with the Level 2 requirements that they insist on in advance?
Thanks!
Best,
Yavor
You are a service provider, so you either do a full assessment and create a Report On Compliance (ROC) or fill out SAQ D. The other SAQs are only for merchants.
Service providers such as yourself would have trouble determining whether in fact you have crossed the line from a Level 2 to a Level 1 service provider unless you have a way to know how many transactions your customer(s) process. Regardless of level, as a service provider wishing to provide services to customers that require PCI compliance, you should have been through the PCI assessment process before signing on a client and you should be PCI compliant. Any customers should be asking you for a copy of your Attestation Of Compliance (AOC) as part of their due diligence and vendor management processes.
It’s not that companies cannot use a service provider that is not PCI compliant, it’s just a whole lot easier on them and you.
(Disclaimer: I work for Veritape. We provide PCI compliant call recording systems to contact centres.)
As an update to the above discussion, you may be interested to know that we have just launched Veritape CallGuard – a generic ‘bolt-on’ which brings full PCI DSS compliance to *any* existing call recording system. Customers keep their existing telephony, call recorder, CRM systems, payment processes and (critically) payment provider. _Nothing_ changes in a customer’s critical IT and telephony systems, and PCI compliance for call recording is achieved incredibly quickly.
Veritape CallGuard also dramatically reduces the potential for internal data theft, since customers never tell their card details to a contact centre agent, and the agent never sees the card details on screen.
For more information, please see our blog post announcing the launch, here: http://www.veritape.com/2010/04/veritape-callguard-brings-pci-dss-compliance-to-any-call-recording-system/
Emma.
Hi,
With the recent changes in the PCI’s FAQ on call recording in contact centres, Veritape has written a white paper for companies seeking to understand the ramifications for them.
The FAQ in question is: ‘Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?’
Having clarified the wording in January, it looked as if the PCI SSC had finally established a clear definition of what constitutes PCI compliance in call recording. However, less than a month later, the wording was revised again, leaving companies who record telephone conversations and handle sensitive payment card data potentially confused.
If you’re interested in reading a little more, please do so here: http://www.veritape.com/2010/02/pci-dss-compliant-call-recording-in-call-centres-latest-changes-to-faq-by-pci-ssc-on-18-feb-2010, where you can also request the white paper titled: ‘PCI SSC update on call recording and call centres’.
Thanks,
Emma
None of those are going to be any use against an audio file.
I’m looking at some voice to text services at the moment to see the viability of extracting card data from audio files. But the SSC believes there are easily available tools to do this. I haven’t found one that works reliably yet.
G.
What tools?
I have read many posts now about tools that can extract credit card data from a voice recording.
Please provide links or names of products.
G.
See this posting on the SPSP forum.
http://forum.paymentsecuritypros.com/showthread.php?t=1829
I did not see any tools specifically related to voice recordings unless you are suggesting that you need to run a recording through a voice-to-text engine first.
Sorry. I just assumed that everyone would just Google for audio search engines. That said, there are a bunch of them on the Internet as well as commercial solutions, any of which can be used to search call recordings for credit card information. And that is the problem. There are all sorts of solutions available that can be used to search call recordings from call center systems, which is why the PCI SSC changed their guidance on digital call center recordings.
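To make the point of the thread concrete from the defender's side (finding card data that has ended up in recordings you are now responsible for protecting), here is an added example that is not from the blog or any of the commenters: once a recording has been run through a speech-to-text engine, a short scanner can turn spoken digit words into digits, pick out 13 to 19 digit runs and Luhn-check them. The transcript is constructed, and the speech-to-text step and all function names are assumptions.

```python
import re

# Spoken-digit words as a speech-to-text engine typically emits them
WORD_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Constructed sample transcript (not real call data): one PAN spoken digit by
# digit (a well-known test number), plus a 16-digit order reference that
# fails the Luhn check and so must not be reported.
SAMPLE_TRANSCRIPT = (
    "agent ok and the card number please caller sure it is four one one one "
    "one one one one one one one one one one one one expiry twelve twenty six "
    "agent thanks your order reference is 1234 5678 9012 3456"
)


def normalize_digits(text: str) -> str:
    """Replace spoken digit words with digits so PAN patterns become visible."""
    return " ".join(WORD_DIGITS.get(t.lower(), t) for t in text.split())


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(transcript: str) -> list:
    """Return masked (first 6, last 4) candidate PANs found in a transcript."""
    text = normalize_digits(transcript)
    found = []
    # 13-19 digits, optionally separated by single spaces or dashes
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found
```

Running `find_pans(SAMPLE_TRANSCRIPT)` reports only the spoken card number, masked; a real scan would feed every recording's transcript through the same function to scope which recordings hold cardholder data.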