This is page 2 of:
What’s The Rush For New PCI Call Center Requirements?
The PCI Council did not set a time when merchants need to be compliant, but it certainly won’t be any longer than your next ROC or SAQ. If it takes you longer than that to work through all of your old recordings, you will need to go through them and purge the codes. Not all call centers recycle their recordings. I know of one merchant with several years of recordings, so I think all they can do is purge the lot. I have been after them to do this anyway, so this new FAQ should make them move.
The second implication is that you need to reconfigure your call center application to stop recording the security codes. This point is where I start to have some problems. If your application can’t do this, you need to upgrade or replace it with one that automatically interrupts recording when, for example, the payment screen is displayed. And forget about using manual interrupts, at least if I’m your QSA. In practice, they can be too easily missed, forgotten or ignored.
Large retailers will make a business decision and budget for the investment. But what about smaller merchants, charities and universities with call centers? Charities and schools use volunteers. Calls are routinely recorded for training and to avoid chargebacks due to transcription errors. But these nonprofits don’t have the business case (i.e., profit) to upgrade their recording systems. They will have to stop recording calls entirely, possibly increasing errors and chargebacks.
The PCI Council is right to clarify guidance and rules as new technologies become widely available. But the assumption that every merchant can afford the technology or that even every merchant can change their IT purchase plans on short notice seems a little unfair. I hope in the future that the PCI Council can take into account the wide range of payment card merchants before it acts.
The Council gave retailers an inordinate amount of time (in my opinion) to upgrade WEP-protected wireless networks even though these networks transmit the entire mag stripe and are an established attack vector. I don’t understand the sudden need to protect security codes in call centers that are not yet–as far as I can tell–a common attack vector.
If you have a call center, do you agree or disagree with me? Can you easily implement the new guidelines in your call center, or will it be a problem? Either way, I’d like to hear your thoughts. Leave a comment or E-mail me at wconway@403labs.com.
-Marc
February 3rd, 2010 at 7:59 pm
You hit the nail right in the head !
PCI council has made a one-sided decision; They should have done a much more in-depth research that could have provided more insight on what regards to the implications of such decision.
This is a good read, enjoy !
February 4th, 2010 at 6:35 am
The issue in Financial services especially here in the UK is that the regulator here mandates that all call recordings have to kept for at least three years (you can argue for 7) and cannot be altered in any way so deleting the CV2 is prohibited.
This “clarification” is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs.
The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification.
February 4th, 2010 at 11:25 am
Another ridiculous decision where regulators don’t think critically enough about the unintended consequences of their decision. This is why regulation has completely gone off the deep end. Somebody has to make it stop.
This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can’t purge all of our calls and we don’t have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it.
Another regulatory body and decision that is killing private business. This bs makes me sick to my stomach.
February 4th, 2010 at 1:00 pm
And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. Many companies have contracts with these types of industries. How do you deal with that type of issue? PCI Council needs to rethink this requirement until there is a widely available commercially viable solution.
February 4th, 2010 at 6:50 pm
Did the PCI SSC intentionally make a 2010 New Year’s resolution to step up efforts to demonstrate how out of touch and inane PCI DSS truly is?
February 5th, 2010 at 4:21 pm
Thanks for all the comments!
@J-R: Sovereign law trumps PCI, so I think your UK regulator’s/government body’s position on recordings will override this PCI guidance. It will be interesting to see if there is some country-specific clarification although this should not be needed. You mentioned using a push-button or some other manual interrupt to avoid recording the security codes. As I noted in the column, I am not convinced this will work given how easy it is to forget/defeat it, but in your case it may be the only viable option.
@Geoff and Mike: Good comments. I forgot about all the related services retailers use who will be affected.
@Cranston: You and I may disagree about the value of PCI, but I take your point that this revised call center guidance may cast a negative light on the whole PCI Council and the Standard for some people. I know some of the Council staff, and they are intelligent, thoughtful, capable people. I am hoping they see that there are some unforeseen difficulties with this latest guidance, and that they consider revising it.
February 5th, 2010 at 6:20 pm
@walt
While specific individuals on the council may indeed be “thoughtful, intelligent, capable people” the council as an entity certainly does not display those qualifications.
If this was a local, back-country, small village bylaw council, I’d be willing to give them a lot more leeway.
But let’s get real here! These people are supposedly the “experts”, the cream-of-the-crop representing billion dollar card companies — and they come up with inane stuff like this?
Don’t blame “some people” for seeing the Council in a negative — put the onus and responsibility where it belongs, on the Council for making such bad decisions. THEY are the ones causing the “negative light”, not those who call them on it.
May 26th, 2010 at 11:15 pm
There might be some problem implementing those new guidelines in some call center companies. Thanks for providing this informative post.