New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

Last week, PCI changed its policy on audio recordings. It now instructs retailers to treat a digital audio capture exactly the same as if it was written. This means that all of those call centers asking for credit card details over the phone must dispose of those recordings, or at least the parts that store the prohibited data, immediately.

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won't say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.)

The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern are overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details. Call centers can erase their own recordings as often as they want, but that won't impact consumer recordings. Sound-proof cubicle dividers may be expensive, but they could help protect sensitive data.

Let's look at what PCI actually did. "It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted," the new FAQ says. "It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC-2, CVV-2 or CID codes after authorization, as card data can easily be extracted using freely available software."

The council made an exception that will impact an extremely small number of retailers, possibly even zero. It said that analog recordings—cassette tape or reel-to-reel systems—are exempt from this rule and can be used to retain sensitive card data post-authorization "as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analog call recording formats."

Cameron Ross, managing director at Veritape, a company that specializes in audio captures, said that the use of analog today—especially in retail—is extremely rare.

"Practically nobody uses cassette tape these days, in bulk. There are some small uses of it when a company just wants to run 'spot checks' against Agent behavior and they plug in a manually operated cassette recorder to the Agent's phone," Ross said. "However, this is ineffective as a monitoring tool, as the Agent's demeanor on the phone changes markedly. Unsurprisingly, they tend to be on their best behavior and stick to the scripts exactly. So, in practice, cassette tapes are not used."

The PCI ruling that such data cannot be retained can be accomplished three different ways: not recording such calls; transferring the customer to another system for the card data to be shared; and splitting the recording into sensitive and not-so-sensitive portions.

Ironically, in the early days of the Web, call centers taking card information were originally pushed as a secure alternative to consumers who were fearful about typing their data into an anonymous Web site.