Best Practices: Protecting Telephone-based Payment Card Data

by Kurt Hagerman, Managing Director, Coalfire

Coalfire received the latest information and guidance from the PCI SSC intended to provide payment security advice for merchants and service providers who accept and/or process payment card data over the telephone. This information highlights the key areas organizations with call-center operations need to address in order to process payment cards securely, and how best to protect their business and their customers from the risks of data compromise and fraud.

After reviewing the information, our advice to clients would be that all recordings, which may contain PANs, must be encrypted unless you can demonstrate that the storage of the audio files is not searchable in any way.  Further, you should implement technology to eliminate the storage of any sensitive authentication data (CVC/CVV, etc.).

One thing that one of our clients noted about the guidance document is that it mentions the ability to query the data to find credit card information. Right now, many organizations can’t do this. They don't know if there is a number there unless they listen to the recorded audio file. However, there is new technology called speech analytics that allows you to search audio files for words, phrases and even numbers.  Does this ruling create a problem for speech analytics software providers?

Given the new technology available, this will cause speech analytics software providers and users to evaluate their systems and consider how to encrypt them.  All call recording data would need to be stored as encrypted files.  There are hardware-based encryption appliances (HSM or similar) that sit in-line between the users and applications, and the data storage that encrypt/decrypt on the fly based on permissions that do not require any changes to applications or the data storage.

Overall, we think the PCI SSC guidance document is well written and provides a wealth of information for merchants and service providers who currently store call recordings.  Click here to view the complete PCI SSC information supplement, "Protecting Telephone-based Payment Card Data".