New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

Written by Evan Schuman
January 28th, 2010

Last week, PCI changed its policy on audio recordings. It now instructs retailers to treat a digital audio capture exactly the same as if it was written. This means that all of those call centers asking for credit card details over the phone must dispose of those recordings, or at least the parts that store the prohibited data, immediately.

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won’t say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.)

The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern are overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details. Call centers can erase their own recordings as often as they want, but that won’t impact consumer recordings. Sound-proof cubicle dividers may be expensive, but they could help protect sensitive data.

Let’s look at what PCI actually did. “It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted,” the new FAQ says. “It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC-2, CVV-2 or CID codes after authorization, as card data can easily be extracted using freely available software.”

The council made an exception that will impact an extremely small number of retailers, possibly even zero. It said that analog recordings—cassette tape or reel-to-reel systems—are exempt from this rule and can be used to retain sensitive card data post-authorization “as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.”

Cameron Ross, managing director at Veritape, a company that specializes in audio captures, said that the use of analog today—especially in retail—is extremely rare.

“Practically nobody uses cassette tape these days, in bulk. There are some small uses of it when a company just wants to run ‘spot checks’ against Agent behavior and they plug in a manually operated cassette recorder to the Agent’s phone,” Ross said. “However, this is ineffective as a monitoring tool, as the Agent’s demeanor on the phone changes markedly. Unsurprisingly, they tend to be on their best behavior and stick to the scripts exactly. So, in practice, cassette tapes are not used.”

The PCI ruling that such data cannot be retained can be accomplished three different ways: not recording such calls; transferring the customer to another system for the card data to be shared; and splitting the recording into sensitive and not-so-sensitive portions.

Ironically, in the early days of the Web, call centers taking card information were originally pushed as a secure alternative to consumers who were fearful about typing their data into an anonymous Web site.


10 Comments | Read New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

  1. Walt Conway Says:

    Call center recordings have been in scope for PCI for at least a year or two. The previous guidance from the PCI Council stated that if the data were digital, they had to be protected according to PCI DSS. If your recordings included the security codes (CVV2, CVC2, etc.) you got a kind of free pass so long as the recordings were protected and weren’t searchable. What changed with the January 22 revision to the FAQ (as you point out) is you can no longer store the security codes – ever – and if you store them digitally you have to scrub them out. All the Council said was that call centers are now subject to the same requirement 3.2 as everybody else.

    To me, the revised FAQ is an example of the Council’s efforts to reflect current attack vectors and available technology. I can’t say I’ve ever seen a credible account of a data breach resulting from call center recordings. I’ve heard anecdotal, second-hand reports, but I classify them as urban myths. I guess the Council knows something I don’t. But I do know there are vendors with call recording apps that can interrupt the recording and not record sensitive data. My take is the Council is simply reflecting this fact and bringing call centers into line with the DSS.

    Merchants with existing recordings will need to purge the CVV2/CVC2 data. In some cases, the recordings age off after a period, so it may not be a big issue or at least it can be a self-correcting one. I know one merchant who is looking at ceasing call recording until they can install an updated system. In the meantime, if you record the PANs, the PCI Council says you have to protect the recordings per PCI – nothing new there. What they added last Friday was that if you record the sensitive security codes you are going to have to stop, and then you need to find a reasonable way to purge them from your old recordings.

  2. Dave CISA/M/SP Says:

    This is scary and potentially quite expensive – implementation costs aside. This would seem to put merchants with verifcation values stored on digital audio in the position of storing prohibited data. Prohibited data retention enforcement fines can be much (many times) higher than PCI DSS non-compliance fines.

    This one has the potential to be very “disruptive”

  3. Joe Says:

    So how does this work with Regulation E in call centers, where the call is required to be recorded and archived for 2 years when a caller is agreeing to use of a debit card?

  4. Steve French Says:

    For a company to purge old recordings may well breach FSA compliance relating to tampering with recordings. Also, with call centres blanket recording 10,000+ calls per day with an original storage requirement of 3 years, (now 6 months), the process of even finding the calls with the sensitive data boggle the mind. I don’t know of any process capable of searching the millions of encrypted compressed digital audio files for calls that contain sensitive data, and then copy the recording anew without the sensitive data to maintain compliance with FSA and the companies own recording keeping needs. It seems PCI have made the ruling without considering its members.

  5. Walt Conway Says:

    My guess is Reg E call centers will be issuing banks, so they may not be subject to PCI as such. Also, the Council’s guidance said only to remove the offending security codes – you can keep the rest and protect it per PCI.

    I agree with your points. At least from my end, I don’t know what it will cost to purge the codes from existing records. But what I find interesting is your statement that there isn’t any process to search the records which flies in the face of the Council’s position that such applications existed. BTW, what are the “storage requirements of 3 years”? I know banks have to retain financial transaction history, but merchants?

  6. Martin Says:

    Go to the source, this is a misinterpretation of the original FAQ. You can use MP3 o WAV if you can’t query in any way the data. (Trustwave checked this in our call center).

  7. Evan Schuman Says:

    That’s what the current clarification now says. But the phrase “in any way” is not one you want to have to defend if your QSA chooses to push it.

  8. Jeff Man Says:

    As a QSA, I’ve been telling call center clients to protect their recordings for at least five years. Now I have “proof” that recordings are in scope – and that sensitive authentication data simply should not be recorded.

    @Martin – I’d check back with TrustWave in light of this latest clarification. MP3 and WAV are digital formats – so this clarification FAQ definitely applies.

  9. Emma Jenkins Says:

    Just pointing out that there is a more up-to-date guidance document from the PCI SSC about call recording and compliance here:


  10. Emma Jenkins Says:

    Oh, and is the great article about it :-)



StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.