Call Centers Receive Guidance on Protecting Credit Card Data
If you handle credit card data, you fall within the scope of the Payment Card Industry’s Data Security Standard (PCI DSS).
That’s the central message of a new supplemental guidance document the PCI Security Standards Council released in mid-March.
The “Protecting Telephone-Based Payment Card Data Information Supplement” provides actionable recommendations to merchants and service providers processing payment card data over the phone. Additional advice is offered on protecting cardholder data in recorded transactions.
The PCI standards apply to organizations with call center operations where credit card information processed over the phone can be recorded and stored, exposing cardholder data to risk. “The underlying goal is to protect the cardholder’s data throughout the transaction process,” explains Jeremy King, European director of the Security Standards Council.
The council developed the information supplement to help merchants and service providers meet PCI DSS requirements to secure payment data captured within voice recordings. Its main message is simple, King says: If you don’t need it, don’t store it. And if you do need it, store it for the minimum time possible and make it unreadable with truncation and encryption, he adds.
A product of industry collaboration and stakeholder feedback, the guidance expands on a PCI Council FAQ published in 2010. “We felt it was necessary to come out with a special guidance document for the call center,” King says. The guidance highlights the key areas that organizations with call center operations must address to process payment cards securely and outlines how best to protect their businesses and customers from the risks of card data compromise. Included are the following:
• an explanation of how PCI DSS applies to cardholder data stored in call recording systems, with tables that map data types to PCI DSS requirements;
• recommendations for merchants when assessing risk and applicable controls of call center operations, with a quick reference flow chart that provides a step-by-step process for determining necessary controls to meet PCI DSS requirements for voice recordings;
• specific guidance addressing the storage of sensitive authentication data, including suggested methods for rendering data unavailable under query to meet PCI DSS requirement 3.2; and
• guidance on key considerations faced by call centers when implementing PCI DSS requirements, including recommendations and best practices.
King acknowledges that the laws of individual countries on processing credit card data supersede the PCI Council’s standards, and that the standards council is not an enforcement body. But most card issuers have their own penalties for companies that violate PCI standards.
The attention to call centers reflects changes in the industry and the tactics used by criminals, King notes: “Criminals are now targeting call centers because they know there will be cardholder data stored within their systems. If a criminal [hacks into the system] and takes that data, the cost to the merchant is much more substantial than the cost to become PCI-compliant.”
News Editor Leonard Klie can be reached at lklie@infotoday.com.