Veritape Blog

Tackling the contentious side of PCI DSS and call recording

Veritape’s Managing Director, Cameron Ross, recently spoke at Vendorcom’s conference on PCI and Payment Security. Vendorcom is a user group for businesses involved in the cards and payments industry and aims to provide clarification, information and support amidst the murky world of regulation and compliance in this field.

Cameron’s presentation was designed to generate discussion around the contentious issue of PCI DSS regulation and call recording, which is interpreted in various ways by different organisations. Do the rules on storing sensitive authentication data, such as the card security code (CVC2 on Mastercard, CVV2 on Visa), apply to audio recordings in the same way as to other electronically stored transaction data? Is encrypting the recordings a good enough solution, or does it fall short of the regulations? And if it does fall short, what hope is there for businesses that must record their calls while avoiding the stiff penalties for non-compliance on data storage?

Detailed in the presentation were several somewhat cumbersome ‘solutions’ which, on inspection, don’t solve the problem at all. Encrypting the recordings still stores the sensitive data (PCI DSS prohibits retaining sensitive authentication data after authorisation, encrypted or not) and still lets call centre staff hear it as part of their job. PAN obscuration tools typically locate a card number by its length and its Luhn check digit, so they can’t reliably pinpoint a three- or four-digit code like CVC2, which has no such structure and looks like any other short number spoken on the call. Many attempts at compliance fall short in one of these ways. More compliant solutions include not recording calls at all (!) and having customers key their card details into the telephone keypad (DTMF) at the relevant point in the conversation, rather than reading them out. The only method for truly complying is to keep the sensitive card data out of the recordings entirely.
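To make the PAN obscuration point concrete, here is an added example written for this post (it is not Veritape’s software, nor anything shown at the conference). It masks card numbers in a call transcript the way a typical PAN discovery tool does, by looking for 13 to 19 digit runs that pass the Luhn check, and then shows what is left behind: the three-digit security code survives untouched because nothing structural distinguishes it from the expiry date or any other short number. The transcript and the helper names (`luhn_ok`, `mask_pans`, `leftover_short_numbers`) are constructed for this example; the card number is the well-known Visa test number, not a real card.

```python
"""
Added example: why PAN masking cannot find a CVC2/CVV2.

A PAN masker finds card numbers by two structural properties: 13-19 digits
long and a valid Luhn checksum. A 3- or 4-digit security code has neither,
so the same tool has no way to tell it apart from an expiry date, an
extension number or a house number spoken on the same call.
"""
import re

# Constructed sample transcript (hypothetical). 4111 1111 1111 1111 is the
# standard Visa test PAN, not a real card.
TRANSCRIPT = (
    "AGENT: Can I take the long number on the front of the card?\n"
    "CALLER: 4111 1111 1111 1111\n"
    "AGENT: And the expiry and the three digits on the back?\n"
    "CALLER: 12 25, and the code is 123\n"
)

# A maximal run of digits, allowing a single space or dash between digits
# ("4111 1111 1111 1111" or "4111-1111-1111-1111").
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)*")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    About one random digit string in ten passes this check, so it is a
    heuristic that keeps most false positives out, not proof of a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_run(raw: str) -> tuple[str, list[str]]:
    """Mask Luhn-valid 13-19 digit windows inside one digit run.

    Returns the run with all but the last four digits of each PAN replaced by
    '*' (separators preserved), plus the list of PANs found.
    """
    positions = [i for i, ch in enumerate(raw) if ch.isdigit()]
    digits = "".join(raw[i] for i in positions)
    masked = list(raw)
    pans = []
    i = 0
    while i < len(digits):
        hit = None
        for length in range(19, 12, -1):  # try the longest window first
            cand = digits[i:i + length]
            if len(cand) == length and luhn_ok(cand):
                hit = cand
                break
        if hit is None:
            i += 1  # no PAN starts here; a 3-4 digit code never qualifies
            continue
        pans.append(hit)
        for k in range(i, i + len(hit) - 4):  # keep the last four visible
            masked[positions[k]] = "*"
        i += len(hit)
    return "".join(masked), pans


def mask_pans(text: str) -> tuple[str, list[str]]:
    """Mask every Luhn-valid PAN in a transcript and report what was found."""
    found: list[str] = []

    def repl(m: re.Match) -> str:
        masked, pans = _mask_run(m.group(0))
        found.extend(pans)
        return masked

    return DIGIT_RUN.sub(repl, text), found


def leftover_short_numbers(text: str) -> list[str]:
    """Every 1-4 digit group still in the clear after masking.

    The security code is in this list, and so is everything else short: the
    masker has no rule that can single it out.
    """
    return re.findall(r"\b\d{1,4}\b", text)


if __name__ == "__main__":
    masked_text, pans = mask_pans(TRANSCRIPT)
    print(masked_text)
    print("PANs masked:", pans)
    print("Short numbers left in the clear:", leftover_short_numbers(masked_text))
```

Running it masks the card number to `**** **** **** 1111`, but the security code `123` remains in the transcript alongside `12` and `25`, with nothing to tell them apart. That is the gap the presentation pointed at: obscuring the PAN after the fact does not remove the sensitive authentication data from the recording.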

The presentation ended with a lively Q and A, which underscored the different ways in which the regulations are being interpreted.