The PCI Council has published new guidance for Call Centers handling credit cards via telephone, especially when VoIP is used, and also addresses issues surrounding the storage of recorded calls.
The document, titled “Protecting Telephone-Based Payment Card Data Information Supplement” can be found at the PCI Standards Council’s official website, here:
https://www.pcisecuritystandards.org/security_standards/documents.php
This guidance addresses several key issues related to PCI Compliance for call centers, including:
- Explanation of how the PCI-DSS applies to cardholder data stored in call recording systems;
- Recommendations for assessing risk and applicable controls of call center operations;
- Specific guidance addressing the storage of sensitive authentication data, which includes suggested methods for rendering data unavailable to meet PCI-DSS requirement 3.2;
- Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services