PCI Council Looks to Boost Call Center Data Security

The Payment Card Industry Security Standards Council on Friday released guidelines for handling and storing card data within audio recordings at call centers.

The announcement responds to growing concerns about cardholder data being exposed when merchants process payments over the telephone.

The council considers the recommendations, which grew out of preliminary guidelines it published last year, to be timely because fraud associated with card-not-present transactions is rising, Jeremy King, the council's European director for security, said in an interview.

"As fraudsters continue to target specific industries and channels, we have received a lot of questions about how call centers should handle card data exposed during telephone ordering processes," King said.

Though King did not provide specific examples of any data breaches involving call centers, he said that according to the council's research, "call centers are definitely being targeted for fraud by criminals."

The Protecting Telephone-Based Payment Card Data Information Supplement to the PCI's data security standard includes detailed descriptions of how card data typically enters a call center and step-by-step processes for handling, securing and storing such data.

More and more merchants around the world are required to record customer telephone calls involving merchandise and service orders, according to King. When that is the case, merchants must determine at which points sensitive card data is recorded and carefully track its path.

The council recommended that merchants and service providers deploy technology from a variety of vendors that automatically truncates or masks portions of primary account numbers and sensitive cardholder data, such as three- and four-digit card-verification codes and PINs.

Call centers also should not retain such sensitive card data after transactions are authorized, the council advised.

Wherever cardholder data is transmitted across public networks, the information must be encrypted using "strong encryption protocols," the council recommended. Call centers also must ensure that payment card data is "only stored when absolutely necessary" and that procedures are put in place for the timely disposal of such data.
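The masking, non-retention and minimal-storage recommendations above are easy to state and easy to get subtly wrong in a call-center pipeline (a CVV left in a transcript, a full PAN written to a log). The following Python is an added illustration, not code from the PCI Council, the supplement, or the article: it redacts PANs and card-verification codes from a call transcript and strips sensitive authentication data from a transaction record before it is stored. It assumes a keep-first-six/last-four masking policy, a Luhn check to avoid masking unrelated digit runs, and a keyword-based detector for verification codes; the transcript and record are constructed sample inputs.

```python
import re

# Masking policy assumed by this example: keep the first 6 and last 4 digits of
# a PAN and replace everything between them with '*'.
KEEP_PREFIX = 6
KEEP_SUFFIX = 4

# Fields treated as sensitive authentication data that must not be retained
# once a transaction is authorized (card-verification codes and PINs).
SENSITIVE_AUTH_FIELDS = ("cvv", "pin")

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit code that follows a keyword an agent or caller would use (assumed vocabulary).
CVV_PATTERN = re.compile(r"(?i)\b(cvv|cvc|security code|verification code)\b(\D{0,10})(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used so that order numbers or phone numbers are not masked as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the truncated form of a PAN under the keep-6/keep-4 policy."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13-19 digits")
    hidden = len(digits) - KEEP_PREFIX - KEEP_SUFFIX
    return digits[:KEEP_PREFIX] + "*" * hidden + digits[-KEEP_SUFFIX:]


def redact_transcript(text: str) -> str:
    """Mask PANs and verification codes in a call transcript before it is stored."""

    def _pan_sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        # Only Luhn-valid runs are masked; anything else is left untouched.
        return mask_pan(digits) if luhn_valid(digits) else raw

    text = PAN_PATTERN.sub(_pan_sub, text)
    text = CVV_PATTERN.sub(lambda m: m.group(1) + m.group(2) + "*" * len(m.group(3)), text)
    return text


def sanitize_for_storage(record: dict) -> dict:
    """Copy of an authorized transaction record that is safe to retain: no CVV/PIN, masked PAN."""
    stored = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored


# Constructed sample transcript; the card number is the well-known Visa test number.
TRANSCRIPT = (
    "Agent: Can I take the card number please?\n"
    "Caller: It's 4111 1111 1111 1111, expiry 09/27.\n"
    "Agent: And the security code on the back?\n"
    "Caller: The security code is 123.\n"
    "Agent: Thanks, your order number is 2024000112.\n"
)

# Constructed sample record as it might exist during authorization.
AUTHORIZED_RECORD = {
    "pan": "4111111111111111",
    "cvv": "123",
    "pin": "4321",
    "amount": "42.00",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(redact_transcript(TRANSCRIPT))
    print(sanitize_for_storage(AUTHORIZED_RECORD))
```

The keyword-based verification-code detector is deliberately narrow: a bare "123" spoken without a preceding keyword would survive, which is one reason the supplement's advice to stop the recording (or prevent the data from reaching it) is stronger than after-the-fact redaction.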

King said he had no knowledge about whether the payment card brands will enforce the council's recommendations on card data security for call centers.

MORE FROM AMERICAN BANKER