Veritape Blog

Confirmation that storing credit card data in recorded telephone calls is forbidden

The Payment Card Industry Security Standards Council (PCI SSC) has formally clarified that storing sensitive credit card data in digital call recordings is forbidden

(Please note, there is now an updated blog posting on this topic - read it here).

In an update to its ‘frequently asked questions’ document on call recording, the PCI SSC has simplified its wording, making it clear that only analogue recordings may retain the 3- or 4-digit security codes printed on credit cards. Calls recorded digitally (the overwhelming majority of all call recording) must not retain these codes, known as CVC2 or CVV2 values, even if the recording is encrypted.

Cameron Ross, Managing Director of Veritape, says “This is a sensible move by the PCI Security Standards Council. For the past 2 years, the market has seen real confusion, with QSA companies interpreting the SSC guidelines in different ways. Finally, the call centre industry has a clear message: don’t store credit card information in recorded audio. The statement by the SSC is a result of joint industry efforts to clarify this area. It shows how PCI member companies like Participating Organisations can have a real voice in the way credit card security is improved for banks and customers alike. The PCI SSC is to be commended for their work in simplifying this area. They’ve also recognised that there are a number of businesses which can help to eliminate card data from recorded telephone calls, which means all call centres can put a plan in place to improve the security of recorded telephone calls.”

This is the PCI SSC’s full statement:

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization, as card data can easily be extracted using freely available software.

On an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an analog format after authorization is allowed, as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.

Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors. All other recordings containing cardholder data captured by call centers must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4.