This post was written by John Hines and Amy Mushahwar.
Are you recording credit card magnetic stripe data, CAV2, CVC2, CID, CVV2 or PIN data?
Many businesses record telephone calls for a number of purposes including regulatory compliance and customer service monitoring. For those companies that also take credit card payment information over the phone, please be advised that PCI Security Standards Council issued a clarification regarding call center recordings that has generated a number of calls to our offices, excerpted below.
[i]t is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.
It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.
Where technology exists to prevent recording of these data elements, such technology should be enabled.
If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.
This requirement does not supersede local or regional laws that may govern the retention of audio recordings.
Please see the full PCI Security Standards Counsel clarification .