New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

by admin on March 2, 2010

Written by Evan Schuman at www.storefrontbacktalk.com
January 28th, 2010

Last week, PCI changed its policy on audio recordings. It now instructs retailers to treat a digital audio capture exactly the same as if it were written. This means that all of those call centers asking for credit card details over the phone must dispose of those recordings, or at least the parts that store the prohibited data, immediately.
The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won’t say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.)
The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern is overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details. Call centers can erase their own recordings as often as they want, but that won’t impact consumer recordings. Sound-proof cubicle dividers may be expensive, but they could help protect sensitive data.
Let’s look at what PCI actually did. “It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted,” the new FAQ says. “It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC-2, CVV-2 or CID codes after authorization, as card data can easily be extracted using freely available software.”
The council made an exception that will impact an extremely small number of retailers, possibly even zero. It said that analog recordings—cassette tape or reel-to-reel systems—are exempt from this rule and can be used to retain sensitive card data post-authorization “as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats.”
Cameron Ross, managing director at Veritape, a company that specializes in audio captures, said that the use of analog today—especially in retail—is extremely rare.
“Practically nobody uses cassette tape these days, in bulk. There are some small uses of it when a company just wants to run ‘spot checks’ against Agent behavior and they plug in a manually operated cassette recorder to the Agent’s phone,” Ross said. “However, this is ineffective as a monitoring tool, as the Agent’s demeanor on the phone changes markedly. Unsurprisingly, they tend to be on their best behavior and stick to the scripts exactly. So, in practice, cassette tapes are not used.”
The PCI ruling that such data cannot be retained can be satisfied in three different ways: not recording such calls; transferring the customer to another system for the card data to be shared; and splitting the recording into sensitive and not-so-sensitive portions.
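The third option above, splitting the recording, sketched as an added example (not code from the article or from any vendor it names). It assumes the call-centre system supplies the time spans in which card data was spoken; the function names and the constructed sample call are hypothetical.

```python
import io
import wave

def make_constructed_call(seconds=10, rate=8000):
    """Constructed sample: 8 kHz, 16-bit mono audio standing in for a call."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x01\x02" * (rate * seconds))
    return buf.getvalue()

def split_out_sensitive(wav_bytes, sensitive_spans):
    """Return WAV bytes holding only the audio outside sensitive_spans.

    sensitive_spans is a list of (start_sec, end_sec) pairs marking where card
    data was spoken. Assumption: the call-centre system supplies these marks.
    """
    with wave.open(io.BytesIO(wav_bytes), "rb") as src:
        params = src.getparams()
        rate, total = src.getframerate(), src.getnframes()
        frame_size = src.getsampwidth() * src.getnchannels()
        audio = src.readframes(total)

    def to_frame(t):
        # Clamp to the recording so out-of-range marks cannot misalign the cut.
        return min(total, max(0, int(t * rate)))

    spans = sorted((to_frame(s), to_frame(e)) for s, e in sensitive_spans if e > s)
    kept, cursor = [], 0
    for start, end in spans:
        if start > cursor:  # keep the non-sensitive audio before this span
            kept.append(audio[cursor * frame_size:start * frame_size])
        cursor = max(cursor, end)  # overlapping spans merge here
    kept.append(audio[cursor * frame_size:])

    out = io.BytesIO()
    with wave.open(out, "wb") as dst:
        dst.setparams(params)  # frame count in the header is corrected on close
        dst.writeframes(b"".join(kept))
    return out.getvalue()

def duration_seconds(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return w.getnframes() / w.getframerate()
```

The split helps only if the unsplit capture is not kept as well, since the FAQ quoted above prohibits storing the codes after authorization even if encrypted.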
Ironically, in the early days of the Web, call centers taking card information were pushed as a secure alternative for consumers who were fearful about typing their data into an anonymous Web site.
