Call Center Recordings – Version 3
- Thursday, February 18, 2010, 17:09
- Threat Research
Yesterday (Feb 17) the PCI Council re-revised their call center FAQ with more clarification on whether you may store digital recordings containing the security codes (CVV2, CVC2, etc.). Here is the text of the FAQ (link here). The first two paragraphs are the explanation that the Council heard the issues from their previous clarification (see here) just a couple of weeks ago. The next two paragraphs are unchanged:
PCI SSC FAQs are designed to provide merchants, assessors, acquirers and other Council stakeholders with clear and timely guidance on PCI standards. They are a critical two way communication channel from which the PCI SSC draws valuable market feedback and insight, and is able to share this with the industry. On January 22 2010, as part of the online FAQ feedback and submission process, the regular review of FAQ language, and inquiries from Participating Organizations, the SSC sought to clarify its position on call center audio recordings.
The updates to the FAQ language were intended to eliminate any inconsistencies in implementations of audio recordings in call center environments by providing a higher level of specificity in FAQ guidance. The Council’s position remains that if you can digitally query sensitive authentication data (SAD) contained within audio recordings - if SAD is easily accessible - then it must not be stored.
Hi,
With the recent changes in the PCI’s FAQ on call recording in contact centres, Veritape has written a white paper for companies seeking to understand the ramifications for them.
The FAQ in question is: ‘Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?’
Having clarified the wording in January, it looked as if the PCI SSC had finally established a clear definition of what constitutes PCI compliance in call recording. However, less than a month later, the wording was revised again, leaving companies who record telephone conversations and handle sensitive payment card data potentially confused.
If you’re interested in reading a little more, please do so here http://www.veritape.com/2010/02/pci-dss-compliant-call-recording-in-call-centres-latest-changes-to-faq-by-pci-ssc-on-18-feb-2010, where you can also request the white paper titled: ‘PCI SSC update on call recording and call centres’.
Thanks,
Emma
(Disclaimer: I work for Veritape. We provide PCI compliant call recording systems to contact centres.)
As an update to the above discussion, you may be interested to know that Veritape has just launched Veritape CallGuard – a generic ‘bolt-on’ which brings full PCI DSS compliance to *any* existing call recording system. Customers keep their existing telephony, call recorder, CRM systems, payment processes and (critically) payment provider. _Nothing_ changes in a customer’s critical IT and telephony systems, and PCI compliance for call recording is achieved incredibly quickly.
Veritape CallGuard also dramatically reduces the potential for internal data theft, since customers never tell their card details to a contact centre agent, and the agent never sees the card details on screen.
For more information, please see our blog post announcing the launch, here: http://www.veritape.com/2010/04/veritape-callguard-brings-pci-dss-compliance-to-any-call-recording-system/
Thanks,
Emma.