The Green Sheet, Inc
The Green Sheet Online Edition

April 11, 2011  •  Issue 11:04:01


PCI SSC dials up call center compliance

To mitigate the increasing levels of fraud directed at MO/TO operations, the governing authority of the Payment Card Industry (PCI) Data Security Standard (DSS) issued an educational resource that details tactics and best practices for securely processing payment card transactions over the telephone. The new supplement outlines what card data call centers need to protect and how to do it.

The supplement, entitled Protecting Telephone-Based Payment Card Data Information Supplement, explains how the PCI DSS applies to cardholder data stored in call recording systems.

It also helps merchants determine what controls are necessary to ensure call recordings meet the PCI DSS, suggests methods for securing that data and offers guidance on how to implement security requirements. The PCI DSS mandates that sensitive authentication data, such as the three- or four-digit card verification value numbers on payment cards, cannot be retained by merchants, and that the full primary account numbers cannot be stored without certain security measures being implemented.

Thus, call centers that accept customer payment card details over the phone and then store recordings of those phone conversations on merchants' internal systems pose a risk of data theft and are not in compliance with the PCI DSS.
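As an added illustration (not part of the article or of the PCI SSC supplement it describes), a small scanner that runs over a constructed call-centre transcript, flags a Luhn-valid primary account number and a spoken security code, and redacts them so the retained text holds neither; the sample lines, regular expressions and function names are assumptions.

```python
import re

# Constructed sample lines from a call-centre transcript (not real data);
# the card number is the well-known Visa test PAN, which passes the Luhn check.
SAMPLE_TRANSCRIPT = [
    "AGENT: Can I take the long number on the front of the card?",
    "CALLER: Sure, it's 4111 1111 1111 1111, expiry 09/13.",
    "AGENT: And the three digit security code on the back?",
    "CALLER: It's 123.",
    "AGENT: Thank you, the order reference is 55012.",
]

# 13-19 digits, optionally separated by spaces or dashes, as callers read them out
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A bare 3- or 4-digit number counts as a CVV only when the previous line asked for one
CVV_RE = re.compile(r"\b\d{3,4}\b")
CVV_PROMPT_RE = re.compile(r"security code|cvv|cvc|three digit|four digit", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell a real PAN from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_transcript(lines):
    """Return (redacted_lines, findings): a Luhn-valid PAN is truncated to its last
    four digits (within the masking PCI DSS permits); a security code given in answer
    to a prompt is removed outright, since sensitive authentication data is never kept."""
    out, findings, expect_cvv = [], [], False
    for n, line in enumerate(lines, 1):
        def mask(m, n=n):
            digits = re.sub(r"\D", "", m.group(0))
            if not luhn_ok(digits):
                return m.group(0)          # not a card number (e.g. an order reference)
            findings.append((n, "PAN"))
            return "*" * (len(digits) - 4) + digits[-4:]
        line = PAN_RE.sub(mask, line)
        if expect_cvv and CVV_RE.search(line):
            findings.append((n, "CVV"))
            line = CVV_RE.sub("[CVV REMOVED]", line, count=1)
        expect_cvv = bool(CVV_PROMPT_RE.search(line))
        out.append(line)
    return out, findings
```

Any non-empty findings list means the original recording or transcript contains cardholder data and cannot be retained as-is; the redacted text is what a compliant archive could keep.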

Staying in touch

The PCI Security Standards Council (PCI SSC) believes the supplement is important for ISOs and merchant level salespeople because the threat landscape for fraud has migrated away from brick-and-mortar and e-commerce environments due to the successful application of risk mitigation strategies. Now, fraudsters are targeting MO/TO payments, where protections for sensitive cardholder data may be lacking.

At call centers, interactions between customers and service representatives are often recorded and stored digitally on internal systems. "And therefore what we see, as with many other of the breaches that take place, is that the criminals hack in remotely or occasionally hack in with the support of a rogue employee," said Jeremy King, European Director for the PCI SSC.

What makes call centers especially vulnerable is the volume of calls many centers receive, King added. "It's because they are dealing with so many calls per hour," he said. "There can be a lot of people interfacing directly with the cardholder and, therefore, there are lots of opportunities for the card data and the sensitive authentication data to be recorded."

Such data may be transferred from the call agent to a supervisor and be stored at multiple locations within the center, he explained. And, then, if the data gets backed up, "suddenly the whole infrastructure's awash with sensitive authentication data," he said.

Sensitizing centers to data security

According to King, many governments and law enforcement agencies require that call centers record customer interactions for purposes of verification. The U.K.'s Financial Services Authority, for example, mandates financial institutions that advise customers on mortgages "must have the call recorded to show that the person who was wishing to take out a mortgage did undertake the call," King said.

During that conversation, if a transaction is conducted and card data is taken, the PCI DSS requirements apply. "They must realize that [call centers] are the frontlines and that they have a role to play in protecting the cardholder data that comes in," King said.

"The IT specialists in the organization have a role to play to make sure this data is not just wandering through the systems, and also to make sure that they are locking down and securing their systems from external attack." King reports that more and more businesses with call centers are recognizing that they need to bring their centers into PCI compliance. In fact, the supplement was created after the PCI SSC received feedback from some of its participating organizations that guidance was necessary. "This provides a good guidance for those who start asking the questions," King said.

The supplement can be accessed online at under the Information Supplements heading.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
