PCI Council Changes Its Audio Recording Policy, Again

The PCI Council, in an attempt to show that it can be flexible and truly is listening to industry feedback, is now on the third version of its controversial policy on audio recordings since the beginning of the year (which is fairly impressive, given that it's only mid-February). On Wednesday (Feb. 17), the Council backed off its stricter requirement that no sensitive payment data may be retained on digital recordings at all.

Saying that the change was "a result of additional market feedback," the Council ruled that sensitive payment data on digital recordings may be retained if the retailer can prove that the data in question can't be queried. "The Council is now saying that call centers can keep this data—even if digital—so long as they protect it per PCI. That is big," said Walter Conway, a 403 Labs QSA who is also StorefrontBacktalk's PCI columnist.

The original policy was strongly criticized by some retailers, who considered the new rules unworkable. (The reader comments on our first story on this issue and even more comments on our second story detail the concern specifics.)

The key change—it could be argued the only material change—is the addition of the phrase "if that data can be queried." The full sentence now reads: "It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings."

But how are retailers supposed to interpret "if that data can be queried"? Does it mean "can be easily" or "can be cost-effectively"? Or should it be interpreted to mean, "If someone wanted to spend $2 billion and had an army of audio and computer specialists working on their tapes for two months, could they access this information? And what if they had tools six months from now that do not exist today?"

By putting the onus on retailers to prove that a piece of information can't be accessed electronically, the Council may be neither advancing the cause of security nor keeping retailers happy.

Conway has his own scenarios. "What will they need to do to make sure their records 'cannot be data mined'? Will this mean encryption? Maybe. Will it mean keeping it offline? Possibly. Restricting access? Plan on it. Can you isolate them behind a firewall? Again, possibly. In any event, your call center needs to look at its particular situation both for PCI compliance and to keep your organization out of the headlines."

Conway added a more ominous thought: "While the FAQ change is good news for call centers, is it good news for cardholder data security in general? Will track data be next to get this more lenient treatment?"

Not so sure I agree that this is good news for call centers. But any hint that PCI is listening and is willing to make changes—even really tiny changes—as a result of that listening can't be bad.