FAQ #1210 Diff

Are audio/voice recordings permitted to contain sensitive authentication data?

Earlier Version

PCI DSS Requirement 3.2 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes or values (referred to as CAV2, CVC2, CVV2 or CID) in any form of digital audio recording—for example, .wav or .mp3 files—after authorization is therefore a violation of this requirement.

Every effort should be made to eliminate sensitive authentication data from the entity's environment. Where technology exists to prevent recording of these data elements, such technology should be enabled. If it is not possible to prevent SAD from being recorded, the data should be securely deleted immediately upon authorization of the transaction. If secure deletion is not possible due to a legitimate technical or business constraint, compensating controls should be implemented to mitigate the risk associated with storing the data. At a minimum, this should include performing a comprehensive risk assessment at least annually and upon significant changes to the environment, securing the SAD in accordance with applicable PCI DSS requirements, and implementing controls to ensure that SAD cannot be accessed and call recordings cannot be queried. The detailed justification, risk-assessment results, and documentation of controls in place to ensure SAD cannot be accessed and call recordings cannot be queried should be retained and validated as part of the entity's annual PCI DSS assessment. All the resulting documentation should also be provided to and discussed with the entity's acquiring bank and/or payment brands as applicable to confirm whether the entity has met their PCI DSS compliance obligations.

PCI DSS requirements do not supersede local or regional laws that may govern the retention of audio recordings.

The PCI SSC Information Supplement: Protecting Telephone Based Payment Card Data provides additional guidance.

Later Version

PCI DSS Requirement 3.3.1 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes or values (referred to as CAV2, CVC2, CVV2 or CID) in any form of digital audio recording—for example, .wav or .mp3 files—after authorization is therefore a violation of this requirement.

If SAD is collected during a call, every effort must be made to prevent the data from being recorded. Where technology exists to suppress or redact audio during data entry, it should be enabled.

If it is not possible to prevent SAD from being recorded, the data should be securely deleted immediately upon authorization of the transaction. If secure deletion is not possible due to legitimate technical or business constraints, compensating controls should be implemented to mitigate the risk associated with storing the data. At a minimum, the compensating control process should include:

- Comprehensive risk assessments, annually and upon significant changes to the environment.
- Securing SAD in accordance with applicable PCI DSS requirements.
- Controls preventing SAD access and call recording queries.
- Documentation of controls, detailed justifications, risk assessment results, and evidence of compliance.

These controls are validated during annual PCI DSS assessments and shared with acquirers/payment brands as needed.

PCI DSS does not override local or regional audio retention laws.

Refer to the Information Supplement: Protecting Telephone-Based Payment Card Data for further guidance.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.