In January 2010 the Security Council issued an FAQ article that directly addressed call
recording and PCI DSS. The article asserted that "if data can be queried"
then the call recorder was in scope for assessment, and that storing the CAV2, CVC2,
CVV2 or CID codes after authorisation would be a direct breach of the standard.
The FAQ went on to state that if the recordings could not be "data mined", then storage
of the CAV2, CVC2, CVV2 or CID codes after authorisation may be permissible, as long
as the appropriate validation had been performed.
The wording of this FAQ provides some clarity by advising that storing security
codes in a call recorder could constitute a direct breach of Requirement
3.2.2. However, it then relies on the somewhat ambiguous phrase "data mining"
to determine whether storage of card verification codes would be permissible.
Nettitude's recommendation is that, in most instances, clients should attempt to
stop recording at the point at which card details are provided. Technologies such
as pause and resume can enable an organisation to remove the call recording infrastructure
from the scope of assessment. If an organisation's call recording solution does not
support pause and resume, Nettitude recommends working with a QSA to determine whether
the call recorder can be data mined. This will vary from solution to solution and
from implementation to implementation.
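The two ideas above, pause and resume at the point of card capture and the question of whether what remains stored can be "data mined", can be made concrete with a small model. The following is an added example written for this page; it is not Nettitude's code nor any vendor's API. It assumes a constructed call transcript made of timestamped segments, a hypothetical pause window supplied by the agent desktop, and a simple Luhn-validated search for primary account numbers as the stand-in for "can the stored recording be queried for card data". All names, timings and the transcript text are invented for illustration.

```python
import re

# Constructed call transcript: (start_sec, end_sec, text). Not real call data.
# The card number is a well-known Luhn-valid test value, not a live PAN.
SAMPLE_CALL = [
    (0, 12, "Thank you for calling, how can I help today?"),
    (12, 25, "I would like to pay my outstanding balance by card."),
    (25, 40, "Certainly. Please read out the long number on the front of the card."),
    (40, 55, "It is 4111 1111 1111 1111."),
    (55, 62, "And the three digit code on the back?"),
    (62, 66, "123."),
    (66, 80, "Thank you, the payment has gone through. Is there anything else?"),
]

# Hypothetical pause window (seconds): the agent pauses recording before asking
# for the card number and resumes once authorisation has completed.
SAMPLE_PAUSE_WINDOWS = [(25, 66)]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so account references and timestamps are less likely to hit).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_candidates(text: str) -> list:
    """Return the Luhn-valid PAN-like digit strings found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def apply_pause_resume(segments: list, pause_windows: list) -> list:
    """Drop every segment that overlaps a pause window; what is left is stored."""
    kept = []
    for start, end, text in segments:
        paused = any(start < p_end and end > p_start for p_start, p_end in pause_windows)
        if not paused:
            kept.append((start, end, text))
    return kept


def recording_is_minable(segments: list) -> bool:
    """Can the stored recording be queried for card data? (PAN search as proxy.)"""
    text = " ".join(t for _, _, t in segments)
    return len(find_pan_candidates(text)) > 0


if __name__ == "__main__":
    print("unpaused recording minable:", recording_is_minable(SAMPLE_CALL))
    stored = apply_pause_resume(SAMPLE_CALL, SAMPLE_PAUSE_WINDOWS)
    print("stored after pause/resume:", [s[2] for s in stored])
    print("paused recording minable:", recording_is_minable(stored))
```

Run as a script, the unpaused transcript is reported as minable while the pause-and-resume copy is not. The PAN search is deliberately the weaker half of the model: a three or four digit security code cannot be distinguished from any other short number in text, which is exactly why the FAQ's "can it be data mined" test is hard to answer generically and why Nettitude's first recommendation is to avoid storing the segment at all rather than to rely on searching it afterwards.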
To find out more about how Nettitude can help you with your Compliance requirements,
please complete our contact form,
and a Consultant will respond to your enquiry.