Diff: FAQ #1210

Are audio/voice recordings permitted to contain sensitive authentication data?

Earlier Version (2020-03-20 00:00:00 UTC)

PCI DSS Requirement 3.2 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes or values (referred to as CAV2, CVC2, CVV2 or CID) in any form of digital audio recording (for example, .wav or .mp3 files) after authorization is therefore a violation of this requirement.

Every possible effort should be made to eliminate sensitive authentication data from the entity's environment. Where technology exists to prevent recording of these data elements, such technology should be enabled. If it is not possible to prevent SAD from being recorded, the data should be securely deleted immediately upon authorization of the transaction. If secure deletion is not possible due to legitimate technical or business constraints, compensating controls should be implemented to mitigate the risk associated with storing the data. At a minimum, this should include performing a comprehensive risk assessment at least annually and upon significant changes to the environment, securing the SAD in accordance with applicable PCI DSS requirements, and implementing controls to ensure that SAD cannot be accessed and call recordings cannot be queried.

The detailed justification, risk-assessment results, and documentation of controls in place to ensure SAD cannot be accessed and call recordings cannot be queried should be retained and validated as part of the entity's annual PCI DSS assessment. All the resulting documentation should also be provided to and discussed with the entity's acquiring bank and/or payment brands as applicable to confirm whether the entity has met their PCI DSS compliance obligations.

PCI DSS requirements do not supersede local or regional laws that may govern the retention of audio recordings.

The PCI SSC Information Supplement: Protecting Telephone Based Payment Card Data provides additional guidance.

Later Version (2025-06-11 14:56:01 UTC)

PCI DSS Requirement 3.3.1 prohibits storage of sensitive authentication data (SAD), including card validation codes and values, after authorization even if the data is encrypted. Storage of card validation codes or values (referred to as CAV2, CVC2, CVV2 or CID) in any form of digital audio recording (for example, .wav or .mp3 files) after authorization is therefore a violation of this requirement.

If SAD is collected during a call, every effort must be made to prevent the data from being recorded. Where technology exists to suppress or redact audio during data entry, it should be enabled. If it is not possible to prevent SAD from being recorded, the data should be securely deleted immediately upon authorization of the transaction. If secure deletion is not possible due to legitimate technical or business constraints, compensating controls should be implemented to mitigate the risk associated with storing the data. At a minimum, the compensating control process should include:

- Comprehensive risk assessments, annually and upon significant changes to the environment.
- Securing SAD in accordance with applicable PCI DSS requirements.
- Controls preventing SAD access and call recording queries.
- Documentation of controls, detailed justifications, risk assessment results, and evidence of compliance.

These controls are validated during annual PCI DSS assessments and shared with acquirers/payment brands as needed.

PCI DSS does not override local or regional audio retention laws. Refer to the Information Supplement: Protecting Telephone-Based Payment Card Data for further guidance.