New PCI Guidance IssuedCouncil Releases Steps for Protecting Voice-Recorded Card Data
Often overlooked as a vulnerable payments channel, card data collected via telephone- or voice-based payments have become cybercriminals' newest targets, says Anton Chuvakin, author of "Security Warrior" and a recognized international expert on PCI security.
"Think about where you use your credit card: You can swipe the card at a machine, or you have e-commerce, where you can buy something online at Amazon, for instance," Chuvakin says. "But the third, which is also quite big and which most people don't think about, is telephone payments."
The PCI Council's "Protecting Telephone-Based Payment Card Data Information Supplement" provides actionable recommendations to merchants and service providers for securely processing payment card data over the telephone. Jeremy King, European regional director for the PCI Security Standards Council, says the new guidance addresses the same concerns posed by face-to-face and e-commerce payments. (Listen to this interview about the guidance: Inside New PCI Guidance.) "As with all transactions, we have a standard saying, 'If you don't need it, don't store it.' And, really, that applies into this sector as well," he says.
What make phone-based payments somewhat unique, and more vulnerable, King says, is the capture and storage of sensitive authentication data, such as the CVV or CVC code. "The voice recordings we classify as card-not-present transactions," King says. "That means, usually, in addition to the card number, the CVV code is given, and this is sensitive authentication data that does not need to be and should not be stored."
Most payments made to call centers or over the phone with service representatives are recorded, Chuvakin says. Yet until now, these payments fell outside the purview of the Payment Card Industry Data Security Standard. "The merchants have for a long time asked the PCI Council, 'How do we apply these standards to the audio?'" he says. "PCI has said, if there is no way to extract the card data from the audio, then it does not apply to PCI."
But the advent of digitally recorded files, which are quickly becoming more the norm than the exception to audio-tape call backups, can easily be searched. Chuvakin says hackers are targeting these digital files and, in fact, are finding it quite easy to extract card numbers and details. "Because so many recordings are electronic, and ask you to enter your card number on the keypad, the number being input or entered is recorded electronically, and that means you have cardholder data that can be searched, and it's a big mess," he says.
Chuvakin says the industry has hit a "boiling point." More merchants are using audio recordings, but are not encrypting or destroying the data. "It's usually protected less often than electronic cardholder information," he says.
What the Guidance SaysThe guidance highlights areas for payment-card security and outlines best practices for cardholder risk mitigation.
Some of the guidance's key points:
- Explanation of how the PCI-DSS applies to cardholder data stored in call recording systems;
- Recommendations for assessing risk and applicable controls of call center operations;
- Specific guidance addressing the storage of sensitive authentication data, which includes suggested methods for rendering data unavailable to meet PCI-DSS requirement 3.2;
- Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements.