PCI DSS and call recording - the basics
To increase controls around cardholder data and help prevent payment card fraud, the Payment Card Industry (PCI) has established a single set of Payment Card Industry Data Security Standards - PCI DSS.
Payment card data divides into two groups:
- Customer identifiable data, such as name and address
- Sensitive authentication data, specifically the printed security code and magnetic stripe data
Any business or organisation that takes card payments over the telephone and records its calls is directly affected by Section 3.2 of PCI DSS, which states that no sensitive authentication data may be stored, in any format, once a transaction has been authorised. This requirement extends to contact centres that use call recording.