9 Responses to “Call Center FAQ Changes – AGAIN”

  1. 1 Yavor
    April 5, 2013 at 9:15 AM

    Hey PCI Guru,

    We’re a cloud-based contact center looking to become PCI Compliant. I have the following quick questions for you:
    1. Do we need to fill SAQ D as a service provider, or SAQ C-VT as a virtual center?
    2. If we are currently not working with a client who requires PCI Compliancy, but are looking to attract such clients, do we need to comply with the Level 2 requirements that they insist on in advance?



    • April 5, 2013 at 10:32 AM

      You are a service provider, so you either do a full assessment and create a Report On Compliance (ROC) or fill out SAQ D. The other SAQs are only for merchants.

      Service providers such as yourself would have trouble determining whether in fact you have crossed the line from Level 2 to a Level 1 service provider unless you have access to know how many transactions your customer(s) process. Regardless of level, as a service provider wishing to provide services to customers that require PCI compliance, you should have been through the PCI assessment process before signing on a client and you should be PCI compliant. Any customers should be asking you for a copy of your Attestation Of Compliance (AOC) as part of their due diligence and vendor management processes.

      It’s not that companies cannot use a service provider that is not PCI compliant, it’s just a whole lot easier on them and you.

  2. April 12, 2010 at 8:03 AM

    (Disclaimer: I work for Veritape. We provide PCI compliant call recording systems to contact centres.)

    As an update to the above discussion, you may be interested to know that we have just launched Veritape CallGuard – a generic ‘bolt-on’ which brings full PCI DSS compliance to *any* existing call recording system. Customers keep their existing telephony, call recorder, CRM systems, payment processes and (critically) payment provider. _Nothing_ changes in a customer’s critical IT and telephony systems, and PCI compliance for call recording is achieved incredibly quickly.

    Veritape CallGuard also dramatically reduces the potential for internal data theft, since customers never tell their card details to a contact centre agent, and the agent never sees the card details on screen.

    For more information, please see our blog post announcing the launch, here: http://www.veritape.com/2010/04/veritape-callguard-brings-pci-dss-compliance-to-any-call-recording-system/


  3. February 26, 2010 at 9:42 AM


    With the recent changes in the PCI’s FAQ on call recording in contact centres, Veritape has written a white paper for companies seeking to understand the ramifications for them.

    The FAQ in question is: ‘Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?’

    Having clarified the wording in January, it looked as if the PCI SSC had finally established a clear definition of what constitutes PCI compliance in call recording. However, less than a month later, the wording was revised again, leaving companies who record telephone conversations and handle sensitive payment card data potentially confused.

    If you’re interested in reading a little more, please do so here http://www.veritape.com/2010/02/pci-dss-compliant-call-recording-in-call-centres-latest-changes-to-faq-by-pci-ssc-on-18-feb-2010, where you can also request the white paper titled: ‘PCI SSC update on call recording and call centres’.



  4. 5 GWJ
    February 23, 2010 at 5:41 PM

    None of those are going to be any use against an audio file.

    I’m looking at some voice to text services at the moment to see the viability of extracting card data from audio files. But the SSC believes there are easily available tools to do this. I haven’t found one that works reliably yet.


  5. 6 GWJ
    February 22, 2010 at 9:04 AM

    What tools?

    I have read many posts now about tools that can extract credit card data from a voice recording.

    Please provide links or names of products.



Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

February 2010
