What’s The Rush For New PCI Call Center Requirements?
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
When I read about the PCI Council’s revised guidance on audio recordings containing sensitive authentication data, my first reaction was that it was not such a big deal.
Upon further reflection, though, I am wondering if it might cause some retailers and their call centers more difficulty than I originally thought. There is at least one class of merchants that will be hit particularly hard by the PCI Council’s position. And I still can’t figure out why the PCI Council felt the need to act now.
(Editor’s Note: Some very interesting reader comments from the first PCI audio story put this topic into a different context. They are worth flipping through.)
The PCI Council originally issued its guidance on audio/voice recordings containing sensitive authentication data in December 2008. Sensitive authentication data here refers to the card validation codes (e.g., CVV2, CVC2, CAV2, CID). That guidance is no longer on the PCI Web site, but I kept a copy.
“Call centers may find themselves in the position of receiving cardholder data [that] includes sensitive authentication data and they may be unable to delete this sensitive data since individual elements cannot easily be deleted from an audio recording. To clarify, these call centers and all cardholder data are in scope (that’s the Council’s emphasis) for PCI DSS,” the Council said at the time. “However, if the storage of card validation codes and values meets the unique circumstances described in this response and these values are protected according to all applicable PCI DSS requirements, those card validation codes and values may be stored. If commercially reasonable technology exists to delete these data elements, then these elements should be deleted. If the individual data elements within an audio file can never be queried, then only the physical and logical protections defined in PCI DSS version 1.1 must be applied to these audio files.”
There are two points here. The first is that the recordings are in your PCI scope. Nothing new here. The second is that call centers could store the validation codes–in spite of Requirement 3.2 prohibiting it–so long as no “commercially reasonable technology exists” to delete them. That amounted to a free pass solely for call centers on this one PCI requirement.
In its January 22, 2010, FAQ, the PCI Council took away the call center free pass. The reason given was, “Audio recording solutions that prevent the storage or facilitate the deletion of [the] codes and other card data are commercially available from a number of vendors.” [Editor’s Note: We assume the PCI Council meant multiple vendors, given that zero and one are both numbers. Yes, we hate the phrase “a number of” for that reason.] Therefore, call centers are now subject to Requirement 3.2 just like everyone else.
What does this mean for retailers and other merchants with call centers? First, you will have to purge the offending data from your existing call records. In my experience, many call centers reuse recording media, so if they stop recording the codes on new calls, the problem goes away eventually (assuming rerecording securely removes the old data).
-Marc
February 3rd, 2010 at 7:59 pm
You hit the nail right in the head !
PCI council has made a one-sided decision; They should have done a much more in-depth research that could have provided more insight on what regards to the implications of such decision.
This is a good read, enjoy !
February 4th, 2010 at 6:35 am
The issue in Financial services especially here in the UK is that the regulator here mandates that all call recordings have to kept for at least three years (you can argue for 7) and cannot be altered in any way so deleting the CV2 is prohibited.
This “clarification” is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs.
The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification.
February 4th, 2010 at 11:25 am
Another ridiculous decision where regulators don’t think critically enough about the unintended consequences of their decision. This is why regulation has completely gone off the deep end. Somebody has to make it stop.
This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can’t purge all of our calls and we don’t have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it.
Another regulatory body and decision that is killing private business. This bs makes me sick to my stomach.
February 4th, 2010 at 1:00 pm
And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. Many companies have contracts with these types of industries. How do you deal with that type of issue? PCI Council needs to rethink this requirement until there is a widely available commercially viable solution.
February 4th, 2010 at 6:50 pm
Did the PCI SSC intentionally make a 2010 New Year’s resolution to step up efforts to demonstrate how out of touch and inane PCI DSS truly is?
February 5th, 2010 at 4:21 pm
Thanks for all the comments!
@J-R: Sovereign law trumps PCI, so I think your UK regulator’s/government body’s position on recordings will override this PCI guidance. It will be interesting to see if there is some country-specific clarification although this should not be needed. You mentioned using a push-button or some other manual interrupt to avoid recording the security codes. As I noted in the column, I am not convinced this will work given how easy it is to forget/defeat it, but in your case it may be the only viable option.
@Geoff and Mike: Good comments. I forgot about all the related services retailers use who will be affected.
@Cranston: You and I may disagree about the value of PCI, but I take your point that this revised call center guidance may cast a negative light on the whole PCI Council and the Standard for some people. I know some of the Council staff, and they are intelligent, thoughtful, capable people. I am hoping they see that there are some unforeseen difficulties with this latest guidance, and that they consider revising it.
February 5th, 2010 at 6:20 pm
@walt
While specific individuals on the council may indeed be “thoughtful, intelligent, capable people” the council as an entity certainly does not display those qualifications.
If this was a local, back-country, small village bylaw council, I’d be willing to give them a lot more leeway.
But let’s get real here! These people are supposedly the “experts”, the cream-of-the-crop representing billion dollar card companies — and they come up with inane stuff like this?
Don’t blame “some people” for seeing the Council in a negative — put the onus and responsibility where it belongs, on the Council for making such bad decisions. THEY are the ones causing the “negative light”, not those who call them on it.
May 26th, 2010 at 11:15 pm
There might be some problem implementing those new guidelines in some call center companies. Thanks for providing this informative post.