Responding to growing concerns about cardholder data being exposed when merchants process payments over the telephone, the Payment Card Industry Security Standards Council on March 18 announced guidelines for handling and storing card data within audio recordings at call centers.
The council considers the new recommendations, which grew out of preliminary guidelines the council published last year, to be timely because fraud associated with card-not-present transactions is rising, Jeremy King, the council’s European director for security, tells PaymentsSource.
“As fraudsters continue to target specific industries and channels, we have received a lot of questions about how call centers should handle card data exposed during telephone-ordering processes,” King says.
Though King did not provide specific examples of any data breaches involving call centers, he noted that according to the council’s research, “call centers are definitely being targeted for fraud by criminals.”
The Protecting Telephone-Based Payment Card Data Information Supplement to the PCI’s data-security standard includes detailed descriptions of how card data typically enter a call center and step-by-step processes for handling, securing and storing such data.
More and more merchants around the world are required to record customer telephone calls involving merchandise and service orders, according to King. When that is the case, merchants must determine at which points sensitive card data are recorded and carefully track their path.
The council recommends that merchants and service providers deploy technology available from a variety of vendors that automatically truncates or masks portions of primary account numbers and sensitive cardholder data, such as three- and four-digit card-verification codes and PINs.
Call centers also should not retain such sensitive card data after transactions are authorized, the council advises.
Wherever cardholder data are transmitted across public networks, the information must be encrypted using “strong encryption protocols,” the council recommends.
Call centers also must ensure that payment card data are “only stored when absolutely necessary” and that procedures are put in place for timely disposal of such data.
The council also advises organizations to consider developing processes minimizing the need for agents to enter card information into systems and to consider temporarily halting telephone recording during the moments when sensitive card data are exchanged.
Training within call centers should include protocols ensuring that only a limited number of agents have access to unencrypted payment card data.
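The truncation and retention rules described above, as an added illustration that is not from the article or the council's supplement: a Luhn check separates a spoken card number from an order reference, Luhn-valid sequences are masked to the first six and last four digits (the most PCI DSS permits to display), and sensitive authentication data are dropped from the stored record once the transaction is authorised. The field names and the transcript fragment are constructed for the example; the 4111 number is a standard test PAN, not a live account.

```python
import re

# Constructed sample data (test PAN 4111 1111 1111 1111, not a live account):
# the fields an agent keyed into the order system, and a fragment of the call transcript.
ORDER_RECORD = {"order_id": "A-1001", "pan": "4111111111111111",
                "expiry": "12/27", "cvv": "737", "amount": "49.90"}
TRANSCRIPT = (
    "Agent: Your order reference is 1234 5678 9012 3456.\n"
    "Caller: The card number is 4111 1111 1111 1111.\n"
    "Agent: Thank you, the payment is authorised.\n"
)

# Sensitive authentication data: never to be stored once the transaction is authorised.
SAD_FIELDS = ("cvv", "pin", "track_data")
# 13-19 digits, optionally separated by spaces or hyphens, as a caller reads them out.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_transcript(text: str) -> str:
    """Mask every Luhn-valid digit sequence; leave other digit runs untouched."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_PAN.sub(repl, text)


def retain_after_authorization(record: dict) -> dict:
    """Post-authorisation copy of an order record: masked PAN, no CVV/PIN/track data."""
    kept = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    kept["pan"] = mask_pan(record["pan"])
    return kept


if __name__ == "__main__":
    print(retain_after_authorization(ORDER_RECORD))
    print(redact_transcript(TRANSCRIPT))
```

A three-digit verification code spoken in free-form audio has no reliable pattern to match, which is why the council's pause-and-resume recording advice matters more than after-the-fact redaction for that value.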
King says he has no knowledge about whether the payment card brands will enforce the council’s recommendations on card-data security for call centers, but he notes that “call centers tend to be international operations, and concerns about fraud through call centers are a global issue.”