
Wednesday, June 1, 2011

Does PCI DSS Apply to VoIP?

By Sushila Nair, Product Manager, BT Counterpane

There has been much confusion about voice and the PCI DSS standard. Initially, many companies believed that voice recordings of credit card numbers were out of scope, and this greatly simplified the audit of many organizations with call centers. However, in February 2010 the PCI Security Standards Council (PCI SSC) clearly stated that all audio and/or voice recordings that contain cardholder data are in scope for PCI DSS.

The guidance for call centers is located here.

It is important to understand that the same controls apply to voice recordings that are stored digitally as apply to any other kind of digital payment card data.

It is a violation of PCI DSS 2.0 requirement 3.2 to store any Sensitive Account Data (SAD), including card validation codes and values, after authorization – even if it has been fully encrypted. It is therefore prohibited to use any form of digital audio recording (in formats such as wav, mp3, etc.) for storing the additional authentication information often taken during card-not-present transactions.

Because few organizations understood that tools exist to mine payment card data from audio recordings, many believed that voice recordings were not in scope. As the news that digital audio recordings are in scope has spread, organizations have turned to solutions that “white out” the audio or stop recording while the card details are taken by the call center, in order to reduce PCI scope.

There are, however, many challenges with audio recordings and compliance, including archived tapes that hold unencrypted data, the possibility of bypassing the control that stops recording, and most importantly the impact on the legal admissibility of a tape where the recording has been stopped and restarted.

Legal admissibility is often why we record calls in the first place, so developing a solution that is both legally admissible and PCI compliant can be challenging. Pausing the recording allows a series of unrecorded events to transpire, leaving the tape of questionable value in a court of law. The capability to “white out” the card data rather than to stop and restart recording seems preferable from many standpoints.

This year the area of voice and PCI DSS was further complicated by the guidance document on telephone-based card payments, which implies that VoIP is in scope. The new guidelines state that VoIP calls that include credit card details and traverse public networks must be protected. The PCI SSC guidance states:

Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network must be using strong encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec). Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used.

Securing voice traffic on networks isn’t very different from securing any data traffic on an IP network. The infrastructure needs to be patched and protected in much the same way as any critical infrastructure that is part of the payment card network.

The question becomes what controls are in place to stop the VoIP traffic from being reassembled, or key infrastructure from being infected. The clarification on VoIP has yet to be fully absorbed by the industry; most organizations are unaware of the recently published guideline, and so 2011 may prove to be a busy year on compliance for more than one organization.
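One control of the kind that question calls for, added here as an example and not part of the original post: it parses the SDP body of a SIP offer and flags any media stream that is not negotiated with an SRTP profile, which is one common way for a VoIP system to meet the “strong cryptography” requirement quoted above (the SDP samples and the SRTP/SDES detail are my assumptions; the guidance itself names SSL/TLS, SSH and IPsec).

```python
import re
# Constructed sample: SDP body from a SIP INVITE that negotiates plain RTP
# (RTP/AVP) for audio, i.e. unencrypted media that could be reassembled.
INSECURE_SDP = """v=0
o=agent 1 1 IN IP4 203.0.113.10
s=call
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

# Constructed sample: the same call offered with SRTP (RTP/SAVP plus an
# SDES a=crypto line). The key material is a placeholder, not a real key.
SECURE_SDP = """v=0
o=agent 1 1 IN IP4 203.0.113.10
s=call
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY
a=rtpmap:0 PCMU/8000
"""

# Transport profiles that carry SRTP; everything else is treated as cleartext.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sdp: str) -> list:
    """Return one (media, profile, reason) finding per media stream that would
    run without SRTP. An empty list means every stream negotiated strong crypto."""
    findings = []
    lines = sdp.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"m=(\w+) \d+ (\S+)", line)
        if not m:
            continue
        media, profile = m.groups()
        # Attributes of this media section run until the next m= line.
        section = []
        for nxt in lines[i + 1:]:
            if nxt.startswith("m="):
                break
            section.append(nxt)
        if profile not in SECURE_PROFILES:
            findings.append((media, profile, "unencrypted transport profile"))
        elif profile.startswith("RTP/") and not any(s.startswith("a=crypto:") for s in section):
            # SDES-keyed SRTP needs a=crypto; DTLS-SRTP (UDP/TLS/...) uses a fingerprint instead.
            findings.append((media, profile, "SRTP profile without a=crypto keying"))
    return findings
```

Run over captured signalling (or a PBX configuration export), a non-empty result identifies the calls whose media would cross the network in the clear.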
