
Do call recordings have PCI DSS requirements?

Call recordings that include payment information are subject to PCI DSS compliance. Expert Mike Chapple explains how to handle the call center data securely.

My company records the phone calls where payments are made using credit cards, but I'm not sure how to handle that data. What are the PCI DSS regulations for call recordings?

Call centers around the world use recording systems for quality assurance and training purposes. In the world of telephone credit card acceptance, it is inevitable that the call recordings from those systems will contain credit card information. Operations like the one described are commonplace and require careful security attention.

The Payment Card Industry Security Standards Council recognized this special need and, in 2011, issued a document entitled Protecting Telephone-Based Payment Card Data. This guidance document clarifies how PCI DSS applies to call centers and, in particular, call recording operations. The bottom line is that any recording systems that might capture payment card data must be considered in scope for PCI DSS and comply with all of the PCI DSS requirements.

There are special considerations, however, for call centers where recordings may capture sensitive authentication data, such as credit card security codes. Call recordings containing this information may not be stored unless absolutely necessary, and PCI DSS requires that merchants follow several steps. First, they must attempt to configure their systems to prevent the recording of sensitive authentication data. If this is not possible, they must attempt to implement processes that delete this data after authorization.

If merchants are unable to prevent recording and are also unable to delete existing call recordings, they must document the reasons for this gap, conduct a risk assessment and implement controls that ensure it is not possible to query sensitive authentication data.
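As an added illustration, not taken from the article or the PCI SSC guidance it cites, the following Python sketch shows the second step, deleting sensitive authentication data after authorization, together with the post-redaction check an assessor would expect. It assumes 8 kHz 16-bit mono telephony audio and assumes the redaction windows come from pause/resume events raised by the agent desktop while the customer reads the security code; the transcript scan is a heuristic QA control, not proof that a recording is clean.

```python
import array
import math
import re

SAMPLE_RATE = 8000  # assumed: 8 kHz, 16-bit signed mono telephony audio


def make_test_recording(seconds):
    """Constructed stand-in for a call recording: a 440 Hz tone as 16-bit PCM."""
    n = SAMPLE_RATE * seconds
    return array.array(
        "h", (int(8000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE)) for i in range(n))
    )


def redact_windows(samples, windows):
    """Return a copy in which every (start_sec, end_sec) window is overwritten with silence.

    The windows are assumed to be the pause/resume markers the agent desktop emits
    while the card security code is being read, so the code never reaches storage.
    """
    out = array.array("h", samples)
    for start, end in windows:
        lo, hi = int(start * SAMPLE_RATE), min(len(out), int(end * SAMPLE_RATE))
        for i in range(lo, hi):
            out[i] = 0
    return out


def windows_are_silent(samples, windows):
    """Retention gate: a recording may be kept only if every flagged window is silence."""
    return all(
        samples[i] == 0
        for s, e in windows
        for i in range(int(s * SAMPLE_RATE), min(len(samples), int(e * SAMPLE_RATE)))
    )


# Heuristic: a 3-4 digit group shortly after a security-code prompt in a speech-to-text transcript.
SAD_PATTERN = re.compile(r"\b(?:cvv|cvc|security code|code)\b[^\d]{0,20}(\d{3,4})\b", re.I)


def transcript_sad_hits(transcript):
    """QA scan of a transcript. Any hit means the recording must not be stored as-is;
    an empty result is not evidence of absence, since it depends on transcript quality."""
    return [m.group(1) for m in SAD_PATTERN.finditer(transcript)]
```

Pairing the silence check with the transcript scan gives two independent signals before a recording enters long-term retention; recordings failing either are held back for deletion or manual review.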


This was last published in March 2016


Join the conversation



How does your organization handle recorded call data?
Since many of our workers are freelancers who often work through another company, we have historically done very little with call data. This might be a wake-up call for us since we do handle some (limited) financial transactions. Far more often we have to turn verbal agreements into written contracts. We've always relied on our freelancers and vendors to formalize those terms. As we grow – maybe specifically so we can grow – we may need to develop a system to handle all that call data.
This is an interesting issue that can also apply to healthcare (HIPAA) as well as law enforcement agencies that use body cameras. Challenging era we're entering into with all of this information!
We have audio recordings, but not containing credit card data. We do have audio containing protected health information though, so we have to store the audio and control access to it according to HIPAA policies.