PCI-DSS | Telephone
Like the so-called right to be forgotten, requirements of the Payment Card Industry Data Security Standard (the PCI) can clash with record retention needs. The PCI sets industry standards for credit card merchants to secure card data.
A student in my SANS legal course related the following story. PCI Section 3.2.2 states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.” His company, a credit card merchant, takes card payments over the telephone in live voice transactions between customers and the company’s representatives. For each transaction, the company audio records the entire voice exchange. Naturally, the company takes from the customer the card verification code covered by PCI 3.2.2. As the customer vocalizes that code, the company makes an audio recording of the code.
The company noted that to record the code is a violation of the literal words of PCI 3.2.2. However, the company also noted that legal and business imperatives call for it to retain the full audio record. That record is needed in the event of a dispute with a customer. A customer might try to repudiate a transaction, claiming it never happened. Without the record, the company would lack strong evidence that the customer entered the transaction.
Further, that audio record protects the company from other problems such as internal fraud by employees and allegations of tax evasion. (Example: A tax authority might investigate whether the company understated its profit, assets or revenue by mis-recording the value of its rights, assets or accounts receivable applicable to credit card transactions, including recurring and contingent transactions. Those audio records help the company prove that it properly accounted for transactions.)
Therefore, with the advice of counsel, the company decided it would store the card verification codes in audio records contrary to PCI 3.2.2. The company would also take alternative measures to protect the data on those records from misuse or wrongful disclosure.
Dear reader: What do you think about this story?
– Benjamin Wright, Practicing Attorney and SANS Institute Instructor on the Law of Data Security and Investigations (including e-records and e-discovery)