Inside New PCI Guidance: PCI Council on Protecting Stored Digital Card Data
PCI's "Protecting Telephone-Based Payment Card Data Information Supplement" provides actionable recommendations to merchants and service providers for securely processing payment card data over the telephone. Jeremy King, European regional director for the PCI Security Standards Council, says the new guidance addresses the same concerns posed by face-to-face and e-commerce payments. "As with all transactions, we have a standard saying, 'If you don't need it, don't store it.' And really that applies into this sector as well," he says.
What makes phone-based payments somewhat unique, and more vulnerable, King says, is the capture or storage of sensitive authentication data, such as the CVV or CVC code. "The voice recordings we classify as card-not-present transactions," King says. "That means, usually, in addition to the card number, the CVV code is given, and this is sensitive authentication data that does not need to be and should not be stored."
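The concern King describes is a card number followed moments later by a CVV, both captured in a stored recording. The following is an added example, not code from the PCI Council or from this article, of how a defender might sweep archived call transcripts for exactly that pattern and redact it; the transcript lines, the two-line window, and the helper names are assumptions constructed for the illustration.

```python
import re

# Constructed sample call-transcript lines (not real card data); the 4111...
# PAN is a well-known test number.
SAMPLE_TRANSCRIPT = [
    "agent: can I take the long number on the front of the card please",
    "caller: yes it is 4111 1111 1111 1111",
    "agent: and the three digit security code on the back",
    "caller: 737",
    "agent: thank you, your reference is 2024 0042",
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
CODE_RE = re.compile(r"\b\d{3,4}\b")               # CVV/CVC-sized number


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_sad(lines, window=2):
    """Return (line_no, kind) findings. A Luhn-valid PAN is flagged as 'PAN';
    a 3-4 digit number spoken within `window` lines after it is flagged as
    'CVV', i.e. sensitive authentication data that must not be retained."""
    findings, last_pan = [], None
    for n, line in enumerate(lines):
        if any(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(line)):
            findings.append((n, "PAN"))
            last_pan = n
        elif last_pan is not None and n - last_pan <= window and CODE_RE.search(line):
            findings.append((n, "CVV"))
    return findings


def redact(lines, window=2):
    """Copy of the transcript with flagged PAN/CVV values replaced, so the
    recording's metadata can be kept without the card data."""
    flagged = dict(find_sad(lines, window))
    out = []
    for n, line in enumerate(lines):
        if flagged.get(n) == "PAN":
            line = PAN_RE.sub("[PAN REDACTED]", line)
        elif flagged.get(n) == "CVV":
            line = CODE_RE.sub("[CVV REDACTED]", line)
        out.append(line)
    return out
```

The window heuristic deliberately errs toward flagging: a reference number spoken right after a PAN will be redacted too, which is the safer failure mode for data that should never have been retained.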
During this interview, King discusses:
- Key points from the guidance for complying with the PCI Data Security Standard;
- Why the storage of card data collected by call centers and other telephone-based systems is a concern;
- Steps the payments industry is taking to balance PCI-DSS compliance with local laws that require recording payment-card calls.
King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. King's responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs. He also spent more than 14 years working in the United Kingdom semiconductor industry and has a strong background in emerging technologies, including contactless cards, encryption and mobile payments.