Call Centres & Call Recording
Call Centres and the PCI DSS have attracted a lot of debate over the past few years. In many instances customers phone the call centre and provide their card details, including the security code, to order goods and services. Frequently this results in the full PAN and security code being stored to disk after authorisation, and the commonly posed question has been "is this a breach of what the PCI DSS requires?"
In January 2010 the Security Council issued an FAQ article to directly discuss call recording and PCI DSS. In this article it asserted that "if data can be queried" then the call recorder was in scope for assessment, and storing the CAV2, CVC2, CVV2 or CID codes after authorisation would be a direct breach of the standard. The FAQ went on to state that if the recordings could not be "data mined" then storage of the CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible, as long as the appropriate validation had been performed. The terms used in this FAQ provide some clarity by advising that storing security codes in a call recorder could be a direct breach of requirement 3.2.2. However, it goes on to use the moderately ambiguous phrase "data mining" to determine whether card verification code storage would be permissible.
Nettitude's recommendation is that in most instances, clients should attempt to stop recording at the point when card details are provided. Technologies such as pause and resume can enable an organisation to remove the call recording infrastructure from the scope of assessment. If an organisation's call recording solution does not support pause and resume, Nettitude recommends working with a QSA to determine whether the call recorder can be data mined. This will vary from solution to solution and implementation to implementation.
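The practical question behind "can the recorder be data mined" is whether card data can be pulled out of the stored recordings with a query. The script below is an added illustration of that test, not Nettitude's or the Council's tooling: it assumes the recordings have already been transcribed to text (audio would need a speech-to-text step first, which is assumed and not shown), scans each line for Luhn-valid PAN candidates and for a security code given in answer to a prompt, and reports only masked values so the scan itself does not create a new store of cleartext card data. The transcript is constructed for the example; the PAN is a well-known test number and the code is invented.

```python
import re

# Constructed sample transcript lines (not real calls). The PAN is a widely
# published test card number that passes the Luhn check; the rest is invented.
SAMPLE_TRANSCRIPT = [
    "Agent: Thank you for calling, how can I help?",
    "Caller: I'd like to pay by card, the number is 4111 1111 1111 1111",
    "Agent: And the three digit security code on the back?",
    "Caller: It's 123",
    "Agent: Order reference is 9876 5432 1098, thank you.",
]

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A bare 3-4 digit number is a possible CAV2/CVC2/CVV2/CID value.
CODE_CANDIDATE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")
# Agent phrases that typically precede the caller reading out the code.
CODE_PROMPT = re.compile(r"security code|cvv|cvc|cid", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers.
    It is a checksum, not proof, so false positives remain possible."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the maximum PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(lines):
    """Return masked findings of PANs and security codes in transcript lines."""
    findings = []
    expect_code = False
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append({"line": n, "type": "PAN",
                                 "value": mask_pan(digits)})
        # A short number on the line right after a security-code prompt
        # is reported, but its value is never written out.
        if expect_code:
            if CODE_CANDIDATE.search(line):
                findings.append({"line": n, "type": "SECURITY_CODE",
                                 "value": "***"})
            expect_code = False
        if CODE_PROMPT.search(line):
            expect_code = True
    return findings


def recordings_hold_card_data(lines) -> bool:
    """True when stored recordings can be queried for PAN or security codes,
    i.e. the recorder is in scope under the FAQ's 'data can be queried' test."""
    return bool(find_card_data(lines))


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']}: {f['type']} {f['value']}")
    print("in scope:", recordings_hold_card_data(SAMPLE_TRANSCRIPT))
```

Run against a sample of transcripts from the recorder; any PAN hit means the recordings hold cardholder data and the recorder is in scope, and any security-code hit after authorisation is the requirement 3.2.2 problem the FAQ describes. The order reference on the last line is deliberately twelve digits so it is not treated as a PAN; a reference that happened to be 16 digits and Luhn-valid would still be flagged and needs a human check.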