StorefrontBacktalk

New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

Written by Evan Schuman

January 28th, 2010

Last week, PCI changed its policy on audio recordings. It now instructs retailers to treat a digital audio capture exactly the same as if it was written. This means that all of those call centers asking for credit card details over the phone must dispose of those recordings, or at least the parts that store the prohibited data, immediately.

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won’t say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.)

The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern are overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details. Call centers can erase their own recordings as often as they want, but that won’t impact consumer recordings. Sound-proof cubicle dividers may be expensive, but they could help protect sensitive data.

Let’s look at what PCI actually did. “It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted,” the new FAQ says. “It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC-2, CVV-2 or CID codes after authorization, as card data can easily be extracted using freely available software.”

The council made an exception that will impact an extremely small number of retailers, possibly even zero. It said that analog recordings—cassette tape or reel-to-reel systems—are exempt from this rule and can be used to retain sensitive card data post-authorization “as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.”

Cameron Ross, managing director at Veritape, a company that specializes in audio captures, said that the use of analog today—especially in retail—is extremely rare.

“Practically nobody uses cassette tape these days, in bulk. There are some small uses of it when a company just wants to run ‘spot checks’ against Agent behavior and they plug in a manually operated cassette recorder to the Agent’s phone,” Ross said. “However, this is ineffective as a monitoring tool, as the Agent’s demeanor on the phone changes markedly. Unsurprisingly, they tend to be on their best behavior and stick to the scripts exactly. So, in practice, cassette tapes are not used.”

The PCI ruling that such data cannot be retained can be accomplished three different ways: not recording such calls; transferring the customer to another system for the card data to be shared; and splitting the recording into sensitive and not-so-sensitive portions.

Ironically, in the early days of the Web, call centers taking card information were originally pushed as a secure alternative to consumers who were fearful about typing their data into an anonymous Web site.

Posted in IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, Security/Fraud, Software

10 Comments | Read New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

Walt Conway Says:
January 28th, 2010 at 7:47 pm
Call center recordings have been in scope for PCI for at least a year or two. The previous guidance from the PCI Council stated that if the data were digital, they had to be protected according to PCI DSS. If your recordings included the security codes (CVV2, CVC2, etc.) you got a kind of free pass so long as the recordings were protected and weren’t searchable. What changed with the January 22 revision to the FAQ (as you point out) is you can no longer store the security codes – ever – and if you store them digitally you have to scrub them out. All the Council said was that call centers are now subject to the same requirement 3.2 as everybody else.

To me, the revised FAQ is an example of the Council’s efforts to reflect current attack vectors and available technology. I can’t say I’ve ever seen a credible account of a data breach resulting from call center recordings. I’ve heard anecdotal, second-hand reports, but I classify them as urban myths. I guess the Council knows something I don’t. But I do know there are vendors with call recording apps that can interrupt the recording and not record sensitive data. My take is the Council is simply reflecting this fact and bringing call centers into line with the DSS.

Merchants with existing recordings will need to purge the CVV2/CVC2 data. In some cases, the recordings age off after a period, so it may not be a big issue or at least it can be a self-correcting one. I know one merchant who is looking at ceasing call recording until they can install an updated system. In the meantime, if you record the PANs, the PCI Council says you have to protect the recordings per PCI – nothing new there. What they added last Friday was that if you record the sensitive security codes you are going to have to stop, and then you need to find a reasonable way to purge them from your old recordings.
Dave CISA/M/SP Says:
January 29th, 2010 at 1:35 pm
This is scary and potentially quite expensive – implementation costs aside. This would seem to put merchants with verifcation values stored on digital audio in the position of storing prohibited data. Prohibited data retention enforcement fines can be much (many times) higher than PCI DSS non-compliance fines.

This one has the potential to be very “disruptive”
Joe Says:
February 2nd, 2010 at 11:40 am
So how does this work with Regulation E in call centers, where the call is required to be recorded and archived for 2 years when a caller is agreeing to use of a debit card?
Steve French Says:
February 2nd, 2010 at 12:07 pm
For a company to purge old recordings may well breach FSA compliance relating to tampering with recordings. Also, with call centres blanket recording 10,000+ calls per day with an original storage requirement of 3 years, (now 6 months), the process of even finding the calls with the sensitive data boggle the mind. I don’t know of any process capable of searching the millions of encrypted compressed digital audio files for calls that contain sensitive data, and then copy the recording anew without the sensitive data to maintain compliance with FSA and the companies own recording keeping needs. It seems PCI have made the ruling without considering its members.
Walt Conway Says:
February 2nd, 2010 at 12:25 pm
@Joe,
My guess is Reg E call centers will be issuing banks, so they may not be subject to PCI as such. Also, the Council’s guidance said only to remove the offending security codes – you can keep the rest and protect it per PCI.

@Steve,
I agree with your points. At least from my end, I don’t know what it will cost to purge the codes from existing records. But what I find interesting is your statement that there isn’t any process to search the records which flies in the face of the Council’s position that such applications existed. BTW, what are the “storage requirements of 3 years”? I know banks have to retain financial transaction history, but merchants?
Martin Says:
February 18th, 2010 at 10:43 am
Go to the source, this is a misinterpretation of the original FAQ. You can use MP3 o WAV if you can’t query in any way the data. (Trustwave checked this in our call center).
Evan Schuman Says:
February 18th, 2010 at 10:49 am
That’s what the current clarification now says. But the phrase “in any way” is not one you want to have to defend if your QSA chooses to push it.
Jeff Man Says:
February 18th, 2010 at 5:48 pm
As a QSA, I’ve been telling call center clients to protect their recordings for at least five years. Now I have “proof” that recordings are in scope – and that sensitive authentication data simply should not be recorded.

@Martin – I’d check back with TrustWave in light of this latest clarification. MP3 and WAV are digital formats – so this clarification FAQ definitely applies.
Emma Jenkins Says:
June 30th, 2011 at 11:57 am
Just pointing out that there is a more up-to-date guidance document from the PCI SSC about call recording and compliance here: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

Emma.
Emma Jenkins Says:
June 30th, 2011 at 11:59 am
Oh, and http://storefrontbacktalk.com/securityfraud/new-pci-call-center-recording-advice-make-sad-go-away/ is the great article about it :-)

Emma.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.