FAQ #1210 Diff
Are audio/voice recordings permitted to contain sensitive authentication data?
Earlier Version

PCI SSC FAQs are designed to provide merchants, assessors, acquirers and other Council stakeholders clear and timely guidance on PCI standards. They are a critical two-way communication channel from which the PCI SSC draws valuable market feedback and insight, and is able to share this with the industry. On January 22, 2010, as part of the online FAQ feedback and submission process, the regular review of FAQ language, and inquiries from Participating Organizations, the SSC sought to clarify its position on call center audio recordings. The updates to the FAQ language were intended to eliminate any inconsistencies in implementations of audio recordings in call center environments by providing a higher level of specificity in the FAQ. The Council's position remains that if you can digitally query sensitive authentication data (SAD) contained within audio recordings - if SAD is easily accessible - then it must not be stored. As a result of additional market feedback, on February 17, 2010 the SSC modified the new language to further clarify its position on audio recordings.

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as .wav, .mp3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried, recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.

Later Version

PCI DSS Requirement 3.2 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization, even if the data is encrypted. Storage of card validation codes or values (referred to as CAV2, CVC2, CVV2 or CID) in any form of digital audio recording (for example, .wav or .mp3 files) after authorization is therefore a violation of this requirement.

Every possible effort should be made to eliminate sensitive authentication data from the entity's environment. Where technology exists to prevent recording of these data elements, such technology should be enabled. If it is not possible to prevent SAD from being recorded, the data should be securely deleted immediately upon authorization of the transaction. If secure deletion is not possible due to a legitimate technical or business constraint, compensating controls should be implemented to mitigate the risk associated with storing the data. At a minimum, this should include performing a comprehensive risk assessment at least annually and upon significant changes to the environment, securing the SAD in accordance with applicable PCI DSS requirements, and implementing controls to ensure that SAD cannot be accessed and call recordings cannot be queried. The detailed justification, risk-assessment results, and documentation of controls in place to ensure SAD cannot be accessed and call recordings cannot be queried should be retained and validated as part of the entity's annual PCI DSS assessment. All the resulting documentation should also be provided to and discussed with the entity's acquiring bank and/or payment brands as applicable to confirm whether the entity has met their PCI DSS compliance obligations.

PCI DSS requirements do not supersede local or regional laws that may govern the retention of audio recordings.

The PCI SSC Information Supplement: Protecting Telephone Based Payment Card Data provides additional guidance.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.