Voice Data!
Hi All,
Situation:
An e-commerce organization’s call center agents' conversation with the card-holder is recorded and stored (backed up). The conversation can potentially include CVV data.
Advice Request:
1. Should the voice data be included in the scope of PCI DSS just like other data?
2. What to do with the CVV data in the voice storage?
3. Under what circumstances is the debit card holder data (in Canada, even if the card does not have any of the 5 brand logos) subject to PCI DSS?
Thanks in advance.
downeypci
03-07-2009, 05:47 PM
The PCI Security Standards Council website has an article specifically addressing voice recordings at call centers. Go to https://www.pcisecuritystandards.org/, click on FAQ, then enter "5362" in the "search for articles" box.
jonassono
03-08-2009, 08:53 AM
Debit cards in Canada are issued directly by the banks, trusts and credit unions, and not by any of the card brands. They operate over entirely separate (from Credit Cards) networks, i.e. Cirrus & Interac and, accordingly, are not subject to PCI-DSS compliance.
Thanks, both. In reference to the Debit Card Data being in PCI DSS scope, what if an international customer visiting Canada uses his/her debit card at the specific merchant, would it bring them in scope?
jbhall56
03-08-2009, 01:01 PM
It doesn't matter whether it is a debit card or a credit card as long as it is branded with a Visa or MasterCard logo. Either is PCI in-scope.
jonassono
03-09-2009, 06:50 AM
While most international debit cards work fine with ATMs in Canada for various banking transactions, Canadian merchants generally will not/cannot process non-Canadian debit cards. The few exceptions are merchants that are also members of the NYCE and have elected to accept foreign debit cards by becoming an NYCE member.
In the US, only NYCE member merchants can process Canadian debit cards and only selected Canadian financial institutions allow for foreign debit card transactions. In general, US merchants cannot/will not accept Canadian debit cards.
Regardless of all of this, debit cards are not subject to PCI-DSS in Canada, no matter who issues them.
EmmaJenkinsVeritape
04-02-2009, 06:29 AM
tk1, you may already have the answer you want, considering your original post is a few weeks old, but if not, you could check out Veritape's guide to PCI DSS and recorded phone calls at www.veritape.com, under the compliance section.
Feel free to contact me through that site, or through this forum, if you want more information.
Thanks,
Emma.