PCI DSS - Recorded Phone Conversations

I am using the following image from FishNet Security as a sort of guide for the data flow diagram required by PCI DSS as defined by:

1.1.3 Current diagram that shows all cardholder data flows across systems and networks

Let's say in addition to this diagram that we receive phone call payments inside of the storefront section of the image and the phone calls are recorded for both training and review purposes. Even if the audio is encrypted, is the stored phone call data considered sensitive card data and thus in scope for the diagram?


Yes, it's in scope. There's actually a pretty thorough and explicit guide from the PCI Security Standards Council (the DSS people) to your exact question here:

Information Supplement: Protecting Telephone-based Payment Card Data

Which makes reasonably clear statements like this about card numbers:

Call centers will need to ensure that PAN data is rendered unreadable (for example, encrypted using strong cryptography) when stored.

This is part of PCI DSS Requirement 3.4 and includes ensuring PANs stored within the QA/recording and CRM solutions are encrypted using strong cryptography, or are otherwise rendered unreadable.

and this about CVV:

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

...and it goes into all the other ways call centers and recordings are impacted (e.g., network encryption, authentication and authorization, etc. etc.)

  • +0 – I was very certain it would be in scope, but I was having trouble finding the document that defined it. So, pretty much you have to have a way to pause/delete a portion of the recording or not record it at all if you want to save call details. — Dec 16, 2014 at 21:45  
  • +2 – Call centers I've called that needed the CVV will say "I'm going to transfer you to another system to type in your CVV; wait until you're asked then type it in and press pound and you'll come back to me." That small segment of the call goes unrecorded, and after pressing pound you're shunted back to the recorded portion of the system. So, yeah, the technology exists. If you're already using call center software, ask them how they help you with PCI compliance. — Dec 16, 2014 at 21:49
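As an added example (not from the question, the answer, the comments or the PCI supplement), the sketch below models the two rules the answer quotes and the pause-the-recording approach described in the last comment: CVV segments are never written even encrypted (Req 3.2), PANs are rendered unreadable before storage (Req 3.4), and an audit replays what landed in the store. The "speech"/"pan"/"cvv" segment tags, the masking scheme and the base64 stand-in for encryption are assumptions made for the example.

```python
import base64
import re

# Added example, not from the Q&A: "speech"/"pan"/"cvv" tags are assumed to come from the IVR flow.
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn check, so a 16-digit order number is not treated as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pans(text):
    """Render every PAN in the text unreadable (Req 3.4): keep only the last four digits."""
    return DIGIT_RUN.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:]
                         if luhn_ok(m.group()) else m.group(), text)

# Stand-in so the example runs offline; base64 is NOT the strong cryptography Req 3.4 requires.
def demo_encrypt(s): return base64.b64encode(s.encode()).decode()
def demo_decrypt(b): return base64.b64decode(b).decode()

def record_call(segments, encrypt=demo_encrypt):
    """Return the (kind, blob) entries the recorder may write for one call. A cvv segment
    is never written, encrypted or not (Req 3.2): the recording is paused for it."""
    stored = []
    for kind, transcript in segments:
        if kind == "cvv":
            continue
        text = mask_pans(transcript) if kind == "pan" else transcript
        stored.append((kind, encrypt(text)))
    return stored

def audit_store(stored, decrypt=demo_decrypt):
    """Assessor's view of the store: a cvv entry is a Req 3.2 finding whatever its
    encryption; a Luhn-valid 13-19 digit run in the content is a Req 3.4 finding."""
    findings = []
    for i, (kind, blob) in enumerate(stored):
        if kind == "cvv":
            findings.append((i, "Req 3.2: validation code kept after authorization"))
        if any(luhn_ok(m.group()) for m in DIGIT_RUN.finditer(decrypt(blob))):
            findings.append((i, "Req 3.4: readable PAN in stored recording"))
    return findings

# Constructed sample call: agent speech, PAN read out, CVV keyed into the IVR, agent speech.
SAMPLE_CALL = [("speech", "Thanks, I can take that payment now."),
               ("pan", "Card number 4111111111111111, expiry twelve twenty-six."),
               ("cvv", "123"),
               ("speech", "Approved, order 2024123456789012 is confirmed.")]
```

Running `audit_store(record_call(SAMPLE_CALL))` yields no findings, while auditing a store that simply encrypted every segment flags both the readable PAN and the retained CVV.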