Although it is common practice for businesses that take payments over the telephone to record calls, whether for compliance, legislative or ‘training and security purposes’, the PCI DSS does not permit the storage of Sensitive Authentication Data or SAD (the 3 digit security code) after payment authorisation, even if it is encrypted.
Furthermore, to protect long-term stored call recordings, the PCI DSS explicitly prohibits retaining a card’s full fifteen or sixteen digit Primary Account Number (PAN) in anything but an unreadable format. That means SAD and PAN cannot be stored together.
These PCI DSS requirements may therefore conflict with an entity’s obligations under other national or industry-specific legislation, e.g. Financial Conduct Authority rules. Entities therefore need either to prevent SAD and PAN from being recorded at all, or to not record SAD and to store PAN in an unreadable format, especially for more recent call recordings where the card details remain valid.
Both solutions still bring other infrastructure components into the scope of PCI DSS, e.g. data networks and connected infrastructure.
There is a misconception amongst merchants and some technology resellers that deploying a pause resume solution makes that merchant PCI DSS compliant.
Unless you’ve deployed a ‘Type 1 ATTENDED’ or ‘Type 2 UNATTENDED’ PCI DSS Scope Reduction Solution, then the telephone & data networks, the contact centre agent and their desktop will all remain in the full scope of all 12 PCI DSS Requirements.
An automated pause resume solution may take the call recorder and the call recording storage out of scope. However, new guidelines to be released later this year by the PCI Security Standards Council will promote pause resume as a valid part of a risk reduction programme, but will state that manual pause resume will not prevent the call recorder (or the call recording storage) from being included within the scope of PCI DSS.
Storing historical call recordings off-site (outside your environment) and deploying a process or technology solution that provides compliant search, access and retrieval will reduce PCI DSS scope.
Having a clear understanding of call recording retention policies across the entity, as well as of ongoing search, access and retrieval requirements, is critical to building the business case when considering any call recording solution where payment card data is part of the telephone call handling process.
Making the wrong decision can be costly as well as frustratingly counter-productive within the context of a PCI DSS scope reduction strategy.
Stored call recordings: Key Features
- Businesses are not permitted to store PAN post authorisation
- Automated Pause and Resume is a Type 3 PARTIAL PCI DSS Scope Reduction technology *
- Storing recordings in secure PCI DSS compliant data vaults reduces scope and risk
- Stored recordings can be cleansed to allow agents access
- Type 1 ATTENDED and Type 2 UNATTENDED PCI DSS Scope Reduction technologies prevent payment card data from entering your telephone environment