
PCI telephone guidance updated

Tuesday March 29 2011

Standards Council releases supplemental guidance for protecting telephone-based payment card data


The PCI Security Standards Council (PCI SSC), which manages the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), has released an educational resource on PCI DSS requirements for securing cardholder data in audio recordings.


The Protecting Telephone-Based Payment Card Data Information Supplement [PDF download] provides actionable recommendations to merchants and service providers for securely processing payment card data over the telephone.


The PCI standards, which mandate appropriate measures to protect any merchant and service provider systems that store, process and/or transmit cardholder data, also apply to organisations with call centre operations where credit card information processed over the phone may be recorded and stored.


The council said it developed the audio recording supplement to assist merchants and service providers with meeting PCI DSS requirements to secure payment data captured within voice recordings.


Getting stakeholder feedback


The guidance expands upon a PCI Council FAQ published in 2010 after industry collaboration and stakeholder feedback, and outlines the types of data that are in scope of the PCI requirements for telephone operations.


It provides tactics and best practices on how to secure recorded data, with information drawn from resources developed by PCI SSC Board of Advisor member Barclaycard. This includes data types specific to PCI DSS requirements, mapped in detailed tables, and specific guidance on the capture of Sensitive Authentication Data, including suggested methods for rendering data unavailable by query.


"The interpretation and application of PCI requirements for call recording systems has been a focus for merchants this past year," said Bob Russo, PCI Security Standards Council general manager. "Merchants want to know what data they need to protect and how to do it. This new guidance helps them understand the right questions to ask and the steps needed to secure their cardholder data."


According to the council's launch announcement, the new resource is designed to promote consistency among merchants, service providers and the assessor community, by providing a common set of best practices for the interpretation and implementation of PCI DSS requirements for the protection of payment card data in call centre operations.