How to protect credit card data over the phone – and pass PCI DSS

QUESTION:
As my organization moves towards PCI DSS compliance, I have been asked by our call centre to look at installing a recording function on the phone system. The problem is that card transactions are taken over these phone lines, which means people's card details are recorded along with the conversation, including the security code. PCI DSS states you can't store this data, so how can providers sell a product to call centres and say these recordings can be stored for any length of time unencrypted?
EXPERT RESPONSE FROM: Mathieu Gorge
ANSWERED October 2009:
A number of organisations have recently been asking how they can comply with PCI DSS if they have to store call records to ensure good customer service and train employees. This is a tricky question, and there does not seem to be a universal answer from Qualified Security Assessors (QSAs) who validate PCI DSS compliance.

In the U.K., the Financial Services Authority introduced legislation that requires companies to record and store phone conversations. However, if you are taking customer credit card details and data over the phone, the fact that some recorded calls may contain the full details of cardholder data (CHD) is an issue as regards PCI DSS compliance. Indeed, PCI DSS states that CVV (Credit Card Validation Value -- the three-digit security code) information cannot be kept and that the full personal account number cannot be kept either (it should not be stored at all or it should be truncated or hashed). So where does that leave U.K. businesses taking orders over the phone?

The advice is to work with your QSA and acquiring bank to put in place a compensating control that fits your business model and maintains the highest security levels for CHD. You will need to demonstrate that due to FSA compliance regulations, you must store this data and demonstrate that you are using every available means to protect the data to meet the original intent of PCI DSS relevant controls.

This needs to be documented using the relevant forms, validated by your QSA, and ideally it should also be discussed in detail with your acquiring bank in advance. To ensure that the compensating control is meeting the intent of the original control, tapes or disk drives (if using VoIP recording systems) used to record the information must be clearly labelled, inventoried and encrypted following PCI DSS encryption guidelines.

You should also restrict access to the physical tapes as well as logical access to the product used to record the calls, and ensure that all interaction is logged. Storage and backup of the recording solution must not become a backdoor to this solution. In addition, a destruction policy should be put in place such that call records are not kept any longer than required by the FSA. Incidentally, this also helps you meet the 5th of the eight principles of the U.K. Data Protection Act, which says you should not hold data for longer than is necessary.

This is an area that the PCI Security Standards Council is focusing on more, and it would be a fair guess to expect that a working group will be created to discuss these issues and that an information supplement will be published at some stage. Meanwhile, it is advisable to find a call recording product allowing you to track logical and physical access to media containing data. It should also provide encryption features, strong authentication and detailed reporting and logging.
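One way to implement the encrypted, access-logged recording store the answer describes, as an added example that is not taken from the column or from any call recording product: recordings are sealed with AES-256-GCM, the recording's inventory label is bound as additional data so a ciphertext cannot be quietly moved to another entry, and every store and read is appended to an access log. The Vault, Store and Retrieve names, the log line format and the in-memory inventory are assumptions; a real deployment would hold the key in a key management service or HSM rather than pass it in as a byte slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Vault keeps call recordings encrypted under one AES-256-GCM key and logs
// every logical access to them (constructed design, not a named product).
type Vault struct {
	aead      cipher.AEAD
	Inventory map[string][]byte // label -> nonce||ciphertext, never plaintext audio
	AccessLog []string          // one line per store or read, for the QSA to review
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead: aead, Inventory: map[string][]byte{}}, nil
}

// Store encrypts the audio with the label bound as additional data, so a
// ciphertext cannot be silently moved to another inventory entry.
func (v *Vault) Store(label string, audio []byte, now time.Time) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends the ciphertext and tag to the nonce, so the blob is nonce||ciphertext.
	v.Inventory[label] = v.aead.Seal(nonce, nonce, audio, []byte(label))
	v.AccessLog = append(v.AccessLog, now.Format(time.RFC3339)+" STORE "+label)
	return nil
}

// Retrieve decrypts one recording for an identified user and logs the read;
// a tampered or relabelled blob fails authentication and returns an error.
func (v *Vault) Retrieve(label, user string, now time.Time) ([]byte, error) {
	blob, ok := v.Inventory[label]
	if !ok {
		return nil, fmt.Errorf("no such recording: %s", label)
	}
	v.AccessLog = append(v.AccessLog, now.Format(time.RFC3339)+" READ "+label+" by "+user)
	ns := v.aead.NonceSize()
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(label))
}
```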
