|
|
#1
04-13-2007, 07:07 AM
|
|||
|
|||
PAN in IVR
Can anyone provide guidance for dealing with the requirement to encrypt stored PAN in an IVR situation?
Thousands of calls are recorded each day with the potential that maybe 5-10 of those conversations might contain PAN. The application does store the data in a propriatary format and only reeadable through the particular application. Yet, the data is not actually encrypted. Any advice would be most welcome. 
|
|
#2
04-13-2007, 06:05 PM
|
|||
|
|||
|
Can you control/limit/advise called to not provide the PAN?
If not, then: Does the IVR app need to store the PAN? e.g. if its an error log, then maybe the error log routing can mask PANs when the error is logged Can the IVR app be updated to encrypt PANs or all "account" values? Can the IVR store its data files to an encrypted folder/volume? Get another IVR? (not usually a nice option). IVR is really tricky as mostly, the technology isn't designed or intended to handle sensitive data.
|
|
#3
05-01-2007, 06:33 PM
|
||||
|
||||
|
This is a question for your QSA, but you need to remember to take a risk based approach to this. Yes, you are storing PAN information, but it's not in a searchable format so the risk is much lower. Either you can encrypt the data or identify a compensating control.
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
