Evaluate

Do call recordings have PCI DSS requirements?

Call recordings that include payment information are subject to PCI DSS compliance. Expert Mike Chapple explains how to handle the call center data securely.

Mike Chapple, University of Notre Dame

My company records the phone calls where payments are made using credit cards, but I'm not sure how to handle that...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

data. What are the PCI DSS regulations for call recordings?

Call centers around the world use recording systems for quality assurance and training purposes. In the world of telephone credit card acceptance, it is inevitable that the call recordings from those systems will contain credit card information. Operations like the one described are commonplace and require careful security attention.

The Payment Card Industry Security Standards Council recognized this special need and, in 2011, issued a document entitled Protecting Telephone-Based Payment Card Data. This guidance document clarifies how PCI DSS applies to call centers and, in particular, call recording operations. The bottom line is that any recording systems that might capture payment card data must be considered in scope for PCI DSS and comply with all of the PCI DSS requirements.

There are special considerations, however, for call centers where recordings may capture sensitive authentication data, such as credit card security codes. Call recordings with this information may not be stored unless absolutely necessary and PCI DSS requires that merchants follow several steps. First, they must attempt to configure their system to prevent the recording of sensitive authentication data. If this is not possible, they must attempt to implement processes that delete this data after authorization.

If merchants are unable to prevent recording and are also unable to delete existing call recordings, they must document the reasons for this gap, conduct a risk assessment and implement controls that ensure it is not possible to query sensitive authentication data.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Test your PCI DSS vocabulary knowledge with this quiz

Find out if PCI DSS regulates mobile payment security enough

Discover the effect of tokenization on PCI DSS compliance

This was last published in March 2016

Dig Deeper on PCI Data Security Standard

Mike Chapple asks:

How does your organization handle recorded call data?

Join the Discussion

Related Q&A from Mike Chapple

Wired vs. wireless network security: Best practices

Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading

The difference between AES and DES encryption

Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading

How to prevent DoS attacks in the enterprise

It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading

SearchCloudSecurity

Defining and evaluating SOC as a service

As cloud use increases, many enterprises outsource some security operations center functions. Evaluate if SOCaaS is the best ...

Get to know the elements of Secure Access Service Edge

Cloud services use cases continue to expand, but implementation challenges remain. Discover Secure Access Service Edge, or SASE, ...

Boost security with a multi-cloud workload placement process

IT must incorporate a multi-cloud workload placement process into its multi-cloud strategy in order to maintain or improve cloud ...

SearchNetworking

A deep dive into the differences between 5G and Wi-Fi 6

While the latest cellular and Wi-Fi technology generations -- 5G and Wi-Fi 6, respectively -- have been pitted against one ...

Maintaining network infrastructure in a pandemic and beyond

Network infrastructure that supports remote workers is essential today and will be far into the future. That includes VPN ...

DriveNets' disaggregated router tech wins innovation award

Networking startup DriveNets is bringing cloud principles to carrier networks with disaggregated router technology that could ...

SearchCIO

How IT can build an agile business partnership

Gene Kim, award-winning researcher, author and founder of IT Revolution, discusses why IT leaders need to involve their ...

Former Cisco CEO offers C-suite leadership tips in time of crisis

COVID-19 is forcing enterprises to make tough decisions. There is no one-size-fits-all roadmap, but those who've survived earlier...

COVID-19 radically refocuses CIO agendas in 4 key areas

As a result of the COVID-19 virus, CIOs must shift their priorities and now focus on the impact the pandemic has on the economy, ...

SearchEnterpriseDesktop

How to enable and troubleshoot fast startup in Windows 10

The fast startup feature on Windows desktops can add value, but IT must understand when it should and shouldn't enable this ...

4 negotiation tactics for success in a Microsoft software agreement

A Microsoft software agreement requires skill and knowledge. Use these four Microsoft negotiation tactics to get the best ...

3 Mac remote management software options for enterprise use

IT pros may be forced to manage remote macOS desktops, so they should understand the options they have for remote desktop ...

SearchCloudComputing

Explore the pros and cons of cloud computing

Familiarize yourself with the basics of computing in the cloud, how the market has changed over the years, and the advantages and...

How to protect and manage Azure Pipelines secrets with Key Vault

Follow along with this Azure Key Vault tutorial to securely manage passwords and other sensitive information in an Azure DevOps ...

7 Google Cloud database options to free up your IT team

Moving data to a cloud database is an effective way to optimize cost and performance for applications. Review seven of Google's ...

ComputerWeekly.com

What we can learn from Marriott’s new data breach embarrassment

Marriott International has egg on its face once again following a second data breach in as many years, but there are encouraging ...

Security, network services top enterprise challenges for deploying UCaaS, CCaaS

Research finds ongoing challenges in deploying unified-communications-as-a-service and contact-centre-as-a-service firms also ...

Coronavirus: NHSX working on contact tracing app

A contact tracing app to track the spread of infection is being developed, although specific technical details remain scarce

Join the conversation

4 comments

Send me notifications when other members comment.

Oldest

[-]

searchsecurity - 14 Mar 2016 5:47 AM

How does your organization handle recorded call data?

ncberns - 14 Mar 2016 11:55 AM

Since many of our workers are freelancers who often work through another company, we have historically done very little with call data. This might be a wake-up call for us since we do handle some (limited) financial transactions. Far more often we have to turn verbal agreements into written contracts. We've always relied on our freelancers and vendors to formalize those terms. As we grow – maybe specifically so we can grow – we may need to develop a system to handle all that call data.

Kevin Beaver - 15 Mar 2016 12:34 PM

This is an interesting issue that can also apply to healthcare (HIPAA) as well as law enforcement agencies that use body cameras. Challenging era we're entering into with all of this information!

abuell - 15 Mar 2016 2:58 PM

We have audio recordings, but not containing credit card data. We do have audio containing protected health information though, so we have to store the audio and control access to it according to HIPAA policies.

Roadmap to improve compliance: PCI DSS best practices

Payment card industry issues data security standard update

How does tokenization technology affect PCI DSS compliance?

PCI security council publishes penetration testing guide

Please create a username to comment.