PCI-DSS | Telephone
Like the so-called right to be forgotten, requirements of the Payment Card Industry Data Security Standard (the PCI) can clash with record retention needs. The PCI sets industry standards for credit card merchants to secure card data.
A student in my SANS legal course related the following story. PCI Section 3.2.2 states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.” His company, a credit card merchant, takes card payments over the telephone in live voice transactions between customers and the company’s representatives. For each transaction, the company audio records the entire voice exchange. Naturally, the company takes from the customer the card verification code covered by PCI 3.2.2. As the customer vocalizes that code, the company makes an audio recording of the code.
The company recognized that recording the code violates the literal words of PCI 3.2.2. However, the company also recognized that legal and business imperatives call for it to retain the full audio record. That record is needed in the event of a dispute with a customer. A customer might try to repudiate a transaction, claiming it never happened. Without the record, the company would lack strong evidence that the customer entered into the transaction.
Further, that audio record protects the company from other problems such as internal fraud by employees and allegations of tax evasion. (Example: A tax authority might investigate whether the company understated its profit, assets or revenue by mis-recording the value of its rights, assets or accounts receivable applicable to credit card transactions, including recurring and contingent transactions. Those audio records help the company prove that it properly accounted for transactions.)
Therefore, with the advice of counsel, the company decided it would store the card verification codes in audio records contrary to PCI 3.2.2. The company would also take alternative measures to protect the data on those records from misuse or wrongful disclosure.
Dear reader: What do you think about this story?
--Benjamin Wright, Practicing Attorney and SANS Institute Instructor on the Law of Data Security and Investigations (including e-records and e-discovery)
Interesting, but shouldn't they as MEMBERS of the Industry who issued the Standard be reporting TO THE INDUSTRY there is an inconsistency between required business needs and practices stated in the language contained in the Standard?
Standards are only as good as they are applicable. If language needs to be modified or added to meet business needs, such as “Store card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions utilizing secure, limited access means.”, then it should be suggested to the PCI. Subsequently, examples should be provided of what those 'means' would include.
Posted by: Larry | March 25, 2011 at 09:39 AM
Larry: Thank you for your comment. I do not believe that the tradeoff between data protection and record retention is well understood. I have seen very little discussion of it in the context of PCI or data security guidelines, such as the "right to be forgotten" coming out of EU. One reason I published this story is to help all of us learn to balance the need for destroying sensitive data, on the one hand, against the need to preserve records for legal and other purposes, on the other. --Ben
Posted by: Benjaminwright | March 25, 2011 at 10:17 AM
Ben, your point is understood and it's possible the distinction is NOT well understood, but isn't it imperative that the body issuing Standards for the Industry be made aware of this distinction?
Writing Standards that are going to be ignored by the Industry they impact is counterproductive, and if it happens because they don't understand how their work practices... the two should talk!
Posted by: Larry | March 28, 2011 at 10:23 AM
I worked for a major retailer a few years ago that proudly upgraded all the security cameras in its retail stores with new, high-quality versions. Shortly thereafter it was discovered that the cameras had sufficient zoom and clarity to clearly record the front and back of a credit card as a customer made a payment.
Faced with having to add their video security system to the PCI security domain, the retailer dispatched contractors to install limiting brackets on their brand-new, high quality cameras, to prevent their being able to zoom in sufficiently close to capture the credit card image.
Posted by: Albatross | November 04, 2011 at 03:50 PM