What’s The Rush For New PCI Call Center Requirements?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

When I read about the PCI Council’s revised guidance on audio recordings containing sensitive authentication data, my first reaction was that it was not such a big deal.

Upon further reflection, though, I am wondering if it might cause some retailers and their call centers more difficulty than I originally thought. There is at least one class of merchants that will be hit particularly hard by the PCI Council’s position. And I still can’t figure out why the PCI Council felt the need to act now.

(Editor's Note: Some very interesting reader comments from the first PCI audio story put this topic into a different context. They are worth flipping through.)

The PCI Council originally issued its guidance on audio/voice recordings containing sensitive authentication data in December 2008. Sensitive authentication data here refers to the card validation codes (e.g., CVV2, CVC2, CAV2, CID). That guidance is no longer on the PCI Web site, but I kept a copy.

“Call centers may find themselves in the position of receiving cardholder data [that] includes sensitive authentication data and they may be unable to delete this sensitive data since individual elements cannot easily be deleted from an audio recording. To clarify, these call centers and all cardholder data are in scope (that's the Council’s emphasis) for PCI DSS," the Council said at the time. "However, if the storage of card validation codes and values meets the unique circumstances described in this response and these values are protected according to all applicable PCI DSS requirements, those card validation codes and values may be stored. If commercially reasonable technology exists to delete these data elements, then these elements should be deleted. If the individual data elements within an audio file can never be queried, then only the physical and logical protections defined in PCI DSS version 1.1 must be applied to these audio files.”

There are two points here. The first is that the recordings are in your PCI scope. Nothing new here. The second is that call centers could store the validation codes--in spite of Requirement 3.2 prohibiting it--so long as no “commercially reasonable technology exists” to delete them. That amounted to a free pass solely for call centers on this one PCI requirement.

In its January 22, 2010, FAQ, the PCI Council took away the call center free pass. The reason given was, “Audio recording solutions that prevent the storage or facilitate the deletion of [the] codes and other card data are commercially available from a number of vendors.” [Editor's Note: We assume the PCI Council meant multiple vendors, given that zero and one are both numbers. Yes, we hate the phrase "a number of" for that reason.] Therefore, call centers are now subject to Requirement 3.2 just like everyone else.

What does this mean for retailers and other merchants with call centers? First, you will have to purge the offending data from your existing call records. In my experience, many call centers reuse recording media, so if they stop recording the codes on new calls, the problem goes away eventually (assuming rerecording securely removes the old data). The PCI Council did not set a time when merchants need to be compliant, but it certainly won’t be any longer than your next ROC or SAQ. If it takes you longer than that to work through all of your old recordings, you will need to go through them and purge the codes. Not all call centers recycle their recordings. I know of one merchant with several years of recordings, so I think all they can do is purge the lot. I have been after them to do this anyway, so this new FAQ should make them move.

The second implication is that you need to reconfigure your call center application to stop recording the security codes. This point is where I start to have some problems. If your application can’t do this, you need to upgrade or replace it with one that automatically interrupts recording when, for example, the payment screen is displayed. And forget about using manual interrupts, at least if I’m your QSA. In practice, they can be too easily missed, forgotten or ignored.

Large retailers will make a business decision and budget for the investment. But what about smaller merchants, charities and universities with call centers? Charities and schools use volunteers. Calls are routinely recorded for training and to avoid chargebacks due to transcription errors. But these nonprofits don’t have the business case (i.e., profit) to upgrade their recording systems. They will have to stop recording calls entirely, possibly increasing errors and chargebacks.

The PCI Council is right to clarify guidance and rules as new technologies become widely available. But the assumption that every merchant can afford the technology or that even every merchant can change their IT purchase plans on short notice seems a little unfair. I hope in the future that the PCI Council can take into account the wide range of payment card merchants before it acts.

The Council gave retailers an inordinate amount of time (in my opinion) to upgrade WEP-protected wireless networks even though these networks transmit the entire mag stripe and are an established attack vector. I don’t understand the sudden need to protect security codes in call centers that are not yet--as far as I can tell--a common attack vector.

If you have a call center, do you agree or disagree with me? Can you easily implement the new guidelines in your call center, or will it be a problem? Either way, I’d like to hear your thoughts. Leave a comment or E-mail me at [email protected].