Client discussions lately have been revolving around the new call center FAQ on the PCI SSC Web site. Most of our clients are asking us why pre-authorization data ends up in scope. After all, when a customer places an order over the telephone, it is pre-authorization data. The answer is that it all comes down to timing.
Everyone understands that call centers routinely record calls to ensure service quality. For those call centers that provide order entry, those recordings have a high likelihood of capturing information that the PCI SSC and the card brands consider sensitive, such as the cardholder name, primary account number (PAN), expiration date and sometimes the CVV/CVC/CID.
Here is where timing becomes important.
A customer calls into a call center to place an order or conduct any other transaction that requires a credit card. Until that transaction is completed, any cardholder data provided is considered pre-authorization data by the card brands and the PCI SSC and is therefore not covered by the PCI DSS.
Once the transaction is completed, you are in the post-authorization realm and all of the information is subject to the PCI DSS. Under requirement 3.2.2 of the PCI DSS, retention of the CVV/CVC/CID is not allowed. Even though the recording is made prior to the completion of the transaction, once that transaction is complete the information becomes in scope for PCI compliance and therefore cannot be retained.
The double-edged sword in all of this is that you cannot use a compensating control to meet any of the requirements in 3.2. As a result, your only alternative is to remediate the situation.
I’ve delivered PCI DSS compliance in a number of call centre environments where calls are recorded, with full PAN and SAD, where the calls are recorded ‘end to end’ and stored for FCA purposes. Obviously the line ‘This requirement does not supersede local or regional laws that may govern the retention of audio recordings.’ within the FAQ comes into play so things can get very messy bouncing between the two bodies, PCI and FCA.
So, do we ignore Req 3.2 with the ‘Get out of Jail card’ of them being needed for regulatory purposes, or can we apply compensating controls to cover Req 3.2 in this scenario? And if so, what?
There is no such thing as a “Get Out Of Jail Free” card with PCI unless you can get one or all of the involved card brands to sign off on not protecting that information (like any of them would agree to that). Yes, you have a regulatory requirement, but you are still obligated to protect the information.
So regardless, you will end up doing a compensating control worksheet to deal with requirement 3.2. That will likely involve retaining the information, but encrypting that data as well as severely restricting access to the data and monitoring that data in near real-time for any misuse.
I work in a call center, for a utility company. Calls are all recorded – for quality purposes, of course. So, based on my company’s training and my own research – they are allowed to record the calls, but, there should be some sort of mechanism that would not allow for the PII to be retained within that recording (i.e., card number, CVV, etc.). There should also be no way for the representative to write down that information via hard- or soft-copy means (paper/pen, email, notepad, etc.). What has brought me searching for any further clarification is there is a rule that has been instituted that states there is a “no cell phone” zone around the call center. I am presuming so no pictures or recordings could be taken of the numbers entered. However, there is no limitation on actual hard phones being utilized within that same area, whereby someone could then overhear the same PII data.
Just so we are all clear, if your call recording technology has the ability to remove or not record PII, under the PCI DSS you are required to implement that technology.
Overhearing PII is one of the risks in a call center environment. The only way to address that issue is with training.
I appreciate your quick response. At this time, it is my understanding that the technology is not available with “this release” – and potentially, if it becomes available it will be a “manual” process of stopping and starting the recording.
So, for my second portion of the convoluted question I had… Is there an actual requirement in PCI to ban cell phone usage within a particular distance of the call center area?
Thank you!
No. Cell phone bans are just what the best call centers do.