9 Responses to “Call Center FAQ Changes – AGAIN”

  1. 1 Yavor
    April 5, 2013 at 9:15 AM

    Hey PCI Guru,

    We’re a cloud-based contact center looking to become PCI Compliant. I have the following quick questions for you:
    1. Do we need to fill SAQ D as a service provider, or SAQ C-VT as a virtual center?
    2. If we are currently not working with a client who requires PCI Compliancy, but are looking to attract such clients, do we need to comply with the Level 2 requirements that they insist on in advance?



    • April 5, 2013 at 10:32 AM

      You are a service provider, so you either do a full assessment and create a Report On Compliance (ROC) or fill out SAQ D. The other SAQs are only for merchants.

      Service providers such as yourself would have trouble determining whether in fact you have crossed the line from Level 2 to a Level 1 service provider unless you have access to know how many transactions your customer(s) process. Regardless of level, as a service provider wishing to provide services to customers that require PCI compliance, you should have been through the PCI assessment process before signing on a client and you should be PCI compliant. Any customers should be asking you for a copy of your Attestation Of Compliance (AOC) as part of their due diligence and vendor management processes.

      It’s not that companies cannot use a service provider that is not PCI compliant, it’s just a whole lot easier on them and you.

  2. April 12, 2010 at 8:03 AM

    (Disclaimer: I work for Veritape. We provide PCI compliant call recording systems to contact centres.)

    As an update to the above discussion, you may be interested to know that we have just launched Veritape CallGuard – a generic ‘bolt-on’ which brings full PCI DSS compliance to *any* existing call recording system. Customers keep their existing telephony, call recorder, CRM systems, payment processes and (critically) payment provider. _Nothing_ changes in a customer’s critical IT and telephony systems, and PCI compliance for call recording is achieved incredibly quickly.

    Veritape CallGuard also dramatically reduces the potential for internal data theft, since customers never tell their card details to a contact centre agent, and the agent never sees the card details on screen.

    For more information, please see our blog post announcing the launch, here: http://www.veritape.com/2010/04/veritape-callguard-brings-pci-dss-compliance-to-any-call-recording-system/


  3. February 26, 2010 at 9:42 AM


    With the recent changes in the PCI’s FAQ on call recording in contact centres, Veritape has written a white paper for companies seeking to understand the ramifications for them.

    The FAQ in question is: ‘Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?’

    Having clarified the wording in January, it looked as if the PCI SSC had finally established a clear definition of what constitutes PCI compliance in call recording. However, less than a month later, the wording was revised again, leaving companies who record telephone conversations and handle sensitive payment card data potentially confused.

    If you’re interested in reading a little more, please do so here http://www.veritape.com/2010/02/pci-dss-compliant-call-recording-in-call-centres-latest-changes-to-faq-by-pci-ssc-on-18-feb-2010, where you can also request the white paper titled: ‘PCI SSC update on call recording and call centres’.



  4. 5 GWJ
    February 23, 2010 at 5:41 PM

    None of those are going to be any use against an audio file.

    I’m looking at some voice to text services at the moment to see the viability of extracting card data from audio files. But the SSC believes there are easily available tools to do this. I haven’t found one that works reliably yet.


  5. 6 GWJ
    February 22, 2010 at 9:04 AM

    What tools?

    I have read many posts now about tools that can extract credit card data from a voice recording.

    Please proide links or names of products.


    • February 22, 2010 at 1:51 PM

      See this posting on the SPSP forum.


      • March 11, 2010 at 3:25 PM

        I did not see any tools specifically related to voice recordings unless you are suggesting that you need to run a recording through a voice-text engine first..

      • March 12, 2010 at 3:38 PM

        Sorry. I just assumed that everyone would just Google for audio search engines. That said, there are a bunch of them through the Internet as well as commercial solutions. Any of which can be used to search call recordings for credit card information. And that is the problem. There are all sorts of solutions available that can be used to search call recordings from call center systems which is why the PCI SSC changed their guidance on digital call center recordings.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


February 2010
« Jan   Mar »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,941 other followers


%d bloggers like this: