PCI Council Releases Supplemental Guidance for Protecting Telephone-Based Payment Card Data

If you handle credit card data, you fall within the scope of the Payment Card Industry’s Data Security Standard (PCI DSS). That’s the central message of a new supplemental guidance document the PCI Security Standards Council released today.

The Protecting Telephone-Based Payment Card Data Information Supplement provides actionable recommendations to merchants and service providers for securely processing payment card data over the telephone. It also offers advice for protecting cardholder data in recorded transactions.

The PCI standards apply to organizations with call center operations where credit card information processed over the phone can be recorded and stored, exposing cardholder data to potential risk. “The underlying goal is to protect the cardholder’s data throughout the transaction process,” explains Jeremy King, European director of the Security Standards Council.

The council developed the information supplement to assist merchants and service providers with meeting PCI DSS requirements to secure payment data captured within voice recordings. Its main message is simple: If you don’t need it, don’t store it, says King. And if you do need it, store it for the minimum amount of time possible and make it unreadable with some sort of truncation and encryption, he adds.

A product of industry collaboration and stakeholder feedback, the guidance expands on a PCI Council FAQ published in 2010. “We felt it was necessary to come out with a special guidance document for the call center,” King says.The guidance highlights the key areas that organizations with call center operations need to address to process payment cards securely and outlines how best to protect their businesses and customers from the risks of card data compromise. It includes the following:

• Explanation of how PCI DSS applies to cardholder data stored in call recording systems, with detailed tables that map types of data to specific PCI DSS requirements. 
  
• Recommendations for merchants when assessing risk and applicable controls of call center operations, with a quick reference flow chart that provides a step-by-step process for determining necessary controls to meet PCI DSS requirements for voice recordings.
• Specific guidance addressing storage of sensitive authentication data, including suggested methods for rendering data unavailable under query to meet PCI DSS requirement 3.2.
• Guidance on some of the key considerations faced by call centers when implementing PCI DSS requirements, including specific recommendations and best practices.

King acknowledges that the laws of individual countries regarding the processing of credit card data supersede the PCI Council’s standards, and that the PCI Standards Council is not an enforcement body. However, most credit card issuers now have their own penalties for companies that violate the PCI standards.

The heightened attention to call centers reflects changes in the industry and the tactics used by criminals, according to King. “Criminals are now targeting call centers because they know there will be cardholder data stored within their systems,” he says. “If a criminal [hacks into the system] and takes that data, the cost to the merchant is much more substantial that the cost to become PCI-compliant.”