Diff: FAQ #1210

Are audio/voice recordings permitted to contain sensitive authentication data?

Earlier Version
2011-10-03 00:00:00 UTC

PCI SSC FAQs are designed to provide merchants, assessors, acquirers and other Council stakeholders with clear and timely guidance on PCI standards. They are a critical two-way communication channel from which the PCI SSC draws valuable market feedback and insight, and is able to share this with the industry. On January 22, 2010, as part of the online FAQ feedback and submission process, the regular review of FAQ language, and inquiries from Participating Organizations, the SSC sought to clarify its position on call center audio recordings.

The updates to the FAQ language were intended to eliminate any inconsistencies in implementations of audio recordings in call center environments by providing a higher level of specificity in FAQ guidance. The Council's position remains that if you can digitally query sensitive authentication data (SAD) contained within audio recordings - if SAD is easily accessible - then it must not be stored. As a result of additional market feedback, on February 17, 2010 the SSC modified the new language to further clarify its position on audio recordings.

This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that govern the retention of audio recordings.

Later Version
2020-03-20 00:00:00 UTC

PCI DSS Requirement 3.2 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes or values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands) in any form of digital audio recording - for example, .wav or .mp3 files - after authorization is therefore a violation of this requirement.

Every possible effort should be made to eliminate sensitive authentication data from the entity's environment. Where technology exists to prevent recording of these data elements, such technology should be enabled. If it is not possible to prevent SAD from being recorded, the data should be securely deleted immediately upon authorization of the transaction. If secure deletion is not possible due to a legitimate technical or business constraint, compensating controls should be implemented to mitigate the risk associated with storing the data. At a minimum, this should include performing a comprehensive risk assessment at least annually and upon significant changes to the environment, securing the SAD in accordance with applicable PCI DSS requirements, and implementing controls to ensure that SAD cannot be accessed and call recordings cannot be queried. The detailed justification, risk-assessment results, and documentation of controls in place to ensure SAD cannot be accessed and call recordings cannot be queried should be retained and validated as part of the entity's annual PCI DSS assessment. All the resulting documentation should also be provided to and discussed with the entity's acquiring bank and/or payment brands as applicable to confirm whether the entity has met their PCI DSS compliance obligations.

PCI DSS requirements do not supersede local or regional laws that may govern the retention of audio recordings.

The PCI SSC Information Supplement: Protecting Telephone Based Payment Card Data provides additional guidance.