New PCI Guidance Issued

Council Releases Steps for Protecting Voice-Recorded Card Data
New PCI Guidance Issued
New guidance issued by the PCI Security Standards Council is aimed at securing stored payment card data collected via call centers and over-the-phone payments. And, experts say, this directive could not come at a better time.

Often overlooked as a vulnerable payments channel, card data collected via telephone- or voice-based payments have become cybercriminals' newest targets, says Anton Chuvakin, author of "Security Warrior" and a recognized international expert on PCI security.

"Think about where you use your credit card: You can swipe the card at a machine, or you have e-commerce, where you can buy something online at Amazon, for instance," Chuvakin says. "But the third, which is also quite big and which most people don't think about, is telephone payments."

The PCI Council's "Protecting Telephone-Based Payment Card Data Information Supplement" provides actionable recommendations to merchants and service providers for securely processing payment card data over the telephone. Jeremy King, European regional director for the PCI Security Standards Council, says the new guidance addresses the same concerns posed by face-to-face and e-commerce payments. (Listen to this interview about the guidance: Inside New PCI Guidance.) "As with all transactions, we have a standard saying, 'If you don't need it, don't store it.' And, really, that applies into this sector as well," he says.

What make phone-based payments somewhat unique, and more vulnerable, King says, is the capture and storage of sensitive authentication data, such as the CVV or CVC code. "The voice recordings we classify as card-not-present transactions," King says. "That means, usually, in addition to the card number, the CVV code is given, and this is sensitive authentication data that does not need to be and should not be stored."

Most payments made to call centers or over the phone with service representatives are recorded, Chuvakin says. Yet until now, these payments fell outside the purview of the Payment Card Industry Data Security Standard. "The merchants have for a long time asked the PCI Council, 'How do we apply these standards to the audio?'" he says. "PCI has said, if there is no way to extract the card data from the audio, then it does not apply to PCI."

But the advent of digitally recorded files, which are quickly becoming more the norm than the exception to audio-tape call backups, can easily be searched. Chuvakin says hackers are targeting these digital files and, in fact, are finding it quite easy to extract card numbers and details. "Because so many recordings are electronic, and ask you to enter your card number on the keypad, the number being input or entered is recorded electronically, and that means you have cardholder data that can be searched, and it's a big mess," he says.

Chuvakin says the industry has hit a "boiling point." More merchants are using audio recordings, but are not encrypting or destroying the data. "It's usually protected less often than electronic cardholder information," he says.

What the Guidance Says

The guidance highlights areas for payment-card security and outlines best practices for cardholder risk mitigation.

Some of the guidance's key points:

  • Explanation of how the PCI-DSS applies to cardholder data stored in call recording systems;
  • Recommendations for assessing risk and applicable controls of call center operations;
  • Specific guidance addressing the storage of sensitive authentication data, which includes suggested methods for rendering data unavailable to meet PCI-DSS requirement 3.2;
  • Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.