What’s The Rush For New PCI Call Center Requirements?

Written by Walter Conway
February 2nd, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

When I read about the PCI Council’s revised guidance on audio recordings containing sensitive authentication data, my first reaction was that it was not such a big deal.

Upon further reflection, though, I am wondering if it might cause some retailers and their call centers more difficulty than I originally thought. There is at least one class of merchants that will be hit particularly hard by the PCI Council’s position. And I still can’t figure out why the PCI Council felt the need to act now.

(Editor’s Note: Some very interesting reader comments from the first PCI audio story put this topic into a different context. They are worth flipping through.)

The PCI Council originally issued its guidance on audio/voice recordings containing sensitive authentication data in December 2008. Sensitive authentication data here refers to the card validation codes (e.g., CVV2, CVC2, CAV2, CID). That guidance is no longer on the PCI Web site, but I kept a copy.

“Call centers may find themselves in the position of receiving cardholder data [that] includes sensitive authentication data and they may be unable to delete this sensitive data since individual elements cannot easily be deleted from an audio recording. To clarify, these call centers and all cardholder data are in scope (that’s the Council’s emphasis) for PCI DSS,” the Council said at the time. “However, if the storage of card validation codes and values meets the unique circumstances described in this response and these values are protected according to all applicable PCI DSS requirements, those card validation codes and values may be stored. If commercially reasonable technology exists to delete these data elements, then these elements should be deleted. If the individual data elements within an audio file can never be queried, then only the physical and logical protections defined in PCI DSS version 1.1 must be applied to these audio files.”

There are two points here. The first is that the recordings are in your PCI scope. Nothing new here. The second is that call centers could store the validation codes–in spite of Requirement 3.2 prohibiting it–so long as no “commercially reasonable technology exists” to delete them. That amounted to a free pass solely for call centers on this one PCI requirement.

In its January 22, 2010, FAQ, the PCI Council took away the call center free pass. The reason given was, “Audio recording solutions that prevent the storage or facilitate the deletion of [the] codes and other card data are commercially available from a number of vendors.” [Editor’s Note: We assume the PCI Council meant multiple vendors, given that zero and one are both numbers. Yes, we hate the phrase “a number of” for that reason.] Therefore, call centers are now subject to Requirement 3.2 just like everyone else.

What does this mean for retailers and other merchants with call centers? First, you will have to purge the offending data from your existing call records. In my experience, many call centers reuse recording media, so if they stop recording the codes on new calls, the problem goes away eventually (assuming rerecording securely removes the old data).


8 Comments | Read What’s The Rush For New PCI Call Center Requirements?

  1. Kemil Carbuccia Says:

    You hit the nail right in the head !

    PCI council has made a one-sided decision; They should have done a much more in-depth research that could have provided more insight on what regards to the implications of such decision.

    This is a good read, enjoy !

  2. J- R Says:

    The issue in Financial services especially here in the UK is that the regulator here mandates that all call recordings have to kept for at least three years (you can argue for 7) and cannot be altered in any way so deleting the CV2 is prohibited.

    This “clarification” is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs.

    The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification.

  3. Geoff Miller Says:

    Another ridiculous decision where regulators don’t think critically enough about the unintended consequences of their decision. This is why regulation has completely gone off the deep end. Somebody has to make it stop.

    This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can’t purge all of our calls and we don’t have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it.

    Another regulatory body and decision that is killing private business. This bs makes me sick to my stomach.

  4. Mike Pruden Says:

    And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. Many companies have contracts with these types of industries. How do you deal with that type of issue? PCI Council needs to rethink this requirement until there is a widely available commercially viable solution.

  5. Cranston Snoard Says:

    Did the PCI SSC intentionally make a 2010 New Year’s resolution to step up efforts to demonstrate how out of touch and inane PCI DSS truly is?

  6. Walt Conway Says:

    Thanks for all the comments!

    @J-R: Sovereign law trumps PCI, so I think your UK regulator’s/government body’s position on recordings will override this PCI guidance. It will be interesting to see if there is some country-specific clarification although this should not be needed. You mentioned using a push-button or some other manual interrupt to avoid recording the security codes. As I noted in the column, I am not convinced this will work given how easy it is to forget/defeat it, but in your case it may be the only viable option.

    @Geoff and Mike: Good comments. I forgot about all the related services retailers use who will be affected.

    @Cranston: You and I may disagree about the value of PCI, but I take your point that this revised call center guidance may cast a negative light on the whole PCI Council and the Standard for some people. I know some of the Council staff, and they are intelligent, thoughtful, capable people. I am hoping they see that there are some unforeseen difficulties with this latest guidance, and that they consider revising it.

  7. Cranston Snoard Says:

    While specific individuals on the council may indeed be “thoughtful, intelligent, capable people” the council as an entity certainly does not display those qualifications.

    If this was a local, back-country, small village bylaw council, I’d be willing to give them a lot more leeway.

    But let’s get real here! These people are supposedly the “experts”, the cream-of-the-crop representing billion dollar card companies — and they come up with inane stuff like this?

    Don’t blame “some people” for seeing the Council in a negative — put the onus and responsibility where it belongs, on the Council for making such bad decisions. THEY are the ones causing the “negative light”, not those who call them on it.

  8. philippine call center Says:

    There might be some problem implementing those new guidelines in some call center companies. Thanks for providing this informative post.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.