Evaluate

Do call recordings have PCI DSS requirements?

Call recordings that include payment information are subject to PCI DSS compliance. Expert Mike Chapple explains how to handle the call center data securely.

Mike Chapple, University of Notre Dame

My company records the phone calls where payments are made using credit cards, but I'm not sure how to handle that...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

data. What are the PCI DSS regulations for call recordings?

Call centers around the world use recording systems for quality assurance and training purposes. In the world of telephone credit card acceptance, it is inevitable that the call recordings from those systems will contain credit card information. Operations like the one described are commonplace and require careful security attention.

The Payment Card Industry Security Standards Council recognized this special need and, in 2011, issued a document entitled Protecting Telephone-Based Payment Card Data. This guidance document clarifies how PCI DSS applies to call centers and, in particular, call recording operations. The bottom line is that any recording systems that might capture payment card data must be considered in scope for PCI DSS and comply with all of the PCI DSS requirements.

There are special considerations, however, for call centers where recordings may capture sensitive authentication data, such as credit card security codes. Call recordings with this information may not be stored unless absolutely necessary and PCI DSS requires that merchants follow several steps. First, they must attempt to configure their system to prevent the recording of sensitive authentication data. If this is not possible, they must attempt to implement processes that delete this data after authorization.

If merchants are unable to prevent recording and are also unable to delete existing call recordings, they must document the reasons for this gap, conduct a risk assessment and implement controls that ensure it is not possible to query sensitive authentication data.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Test your PCI DSS vocabulary knowledge with this quiz

Find out if PCI DSS regulates mobile payment security enough

Discover the effect of tokenization on PCI DSS compliance

This was last published in March 2016

Dig Deeper on PCI Data Security Standard

Mike Chapple asks:

How does your organization handle recorded call data?

Join the Discussion

Related Q&A from Mike Chapple

Stateful vs. stateless firewalls: Understanding the differences

Examine the important differences between stateful and stateless firewalls, and learn when each type of firewall should be used in an enterprise ... Continue Reading

Wired vs. wireless network security: Best practices

Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading

The difference between AES and DES encryption

Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading

SearchCloudSecurity

Prevent cloud account hijacking with 3 key strategies

The ability to identify the various methods of cloud account hijacking is key to prevention. Explore three ways to limit ...

Security for SaaS applications starts with collaboration

Following established best practices helps enterprises facilitate collaboration and communication through SaaS applications while...

An inside look at the CCSP cloud security cert

Get insights into the Certified Cloud Security Professional cert, cloud infrastructure and platform benefits and risks, and more ...

SearchNetworking

How to secure remote access for WFH employees

The global pandemic caused mayhem on network security environments. Enterprises need to bring rigor back to their systems and ...

What's involved in VPN maintenance and management?

Before an organization's VPN is up and running, IT teams must address four important aspects of VPN maintenance and management to...

The pros and cons of 5G networks

Enterprises are evaluating 5G and its effect on their operations. Before they can start reaping the benefits from the standard, ...

SearchCIO

Enterprise architect job still requires IT in critical role

Jeanne Ross offers advice to existing and aspiring enterprise architects and discusses the latest trends as she reflects on 26 ...

Holy Grail still elusive in enterprise architecture strategy

MIT's Jeanne Ross discusses why enterprise architecture projects succeed and fail and what companies can do to better align ...

Ensuring your cybersecurity teams are helping the business

Business leaders need to review how they're handling cybersecurity oversight. Are leaders asking the right questions and ...

SearchEnterpriseDesktop

Evaluate if Chromebooks are secure enough for business use

Chromebooks are cost-effective endpoints that strip away desktop features for a simple desktop experience. Admins should evaluate...

Set up Windows Remote Desktop on a Mac device

Organizations that need to enable remote workers on Mac devices should consider allowing them to remotely access Windows desktops...

Microsoft Endpoint Manager gets better Mac, iPad management

Microsoft Endpoint Manager will eventually have new tools for securing and managing Macs, iPads and virtual endpoints. A more ...

SearchCloudComputing

The cloud shared responsibility model for IaaS, PaaS and SaaS

The shared responsibility model defines cloud security, but it changes for IaaS, PaaS and SaaS. Get to know the ins and outs of ...

Microsoft's Azure Arc reaches GA milestone

Microsoft has delivered a key component of Azure Arc -- the ability to manage Windows and Linux-based virtual and physical ...

Top 6 complexity challenges of operating a cloud at scale

It's not unusual for enterprises to scale their applications to meet demand, but they need to be aware of the associated cloud ...

ComputerWeekly.com

SSE Enterprise Telecoms makes further investment in UK business connectivity, 5G

UK telco unbundles further 259 BT exchanges by the end of 2021 to significantly grow network, bringing total unbundled exchanges ...

Forensic expert questions US claims that Julian Assange conspired to crack military password

Forensic computer expert Patrick Eller told the Old Bailey that US allegations that WikiLeaks founder Julian Assange attempted to...

Government remains in orbit to develop UK sat nav

Despite experts’ doubts, government confirms it will continue to look at a wider range of options for a sovereign satellite ...

Join the conversation

4 comments

Send me notifications when other members comment.

Oldest

[-]

searchsecurity - 14 Mar 2016 5:47 AM

How does your organization handle recorded call data?

ncberns - 14 Mar 2016 11:55 AM

Since many of our workers are freelancers who often work through another company, we have historically done very little with call data. This might be a wake-up call for us since we do handle some (limited) financial transactions. Far more often we have to turn verbal agreements into written contracts. We've always relied on our freelancers and vendors to formalize those terms. As we grow – maybe specifically so we can grow – we may need to develop a system to handle all that call data.

Kevin Beaver - 15 Mar 2016 12:34 PM

This is an interesting issue that can also apply to healthcare (HIPAA) as well as law enforcement agencies that use body cameras. Challenging era we're entering into with all of this information!

abuell - 15 Mar 2016 2:58 PM

We have audio recordings, but not containing credit card data. We do have audio containing protected health information though, so we have to store the audio and control access to it according to HIPAA policies.

5 PCI DSS best practices to improve compliance

Payment card industry issues data security standard update

How does tokenization technology affect PCI DSS compliance?

PCI security council publishes penetration testing guide

Please create a username to comment.