The Coalfire Blog

Is it Safe to Speak? Protection for Telephone-Based Payment Card Data

April 12, 2011, Rick Dakin, CEO, Co-founder and Chief Security Strategist

Recently, the PCI Security Standards Council released educational resource requirements for securing cardholder data in audio recordings. The PCI SSC has been focusing on call center operations and recording systems of merchants. The need to provide a secure system to protect cardholder data is at an all-time high for these call centers.

The PCI SSC offers these following tips for call centers:

• Ensure appropriate retention policy is implemented and maintained. This means ensuring that cardholder data is stored only when completely necessary.
• Ensure that the PAN is masked when displayed. Full payment card data should be limited to agents on a need-to-know basis.
• Proper Authentication. All staff, agents and administrators should have their own log-in information.
• Adhere to an information security policy. Call centers need to develop daily operational security procedures that are consistent with PCI DSS requirements and defined within the organization.

If you have a call center or use external providers, make the time to have the discussion to help maintain PCI compliance with sensitive account data.