PCI and Audio Recordings of Validation Codes
Organizations with call centers trying to comply with the PCI DSS have encountered a particularly thorny issue of late. Call center software packages often record calls, which can include the spoken card number, expiration date, and validation codes (e.g., CVV2, CVC2, etc.). While call centers can encrypt the audio recordings to protect the card numbers, the PCI DSS is explicit in prohibiting storage of sensitive authentication data, such as magnetic stripe values or CVV2 values, after a transaction has been authorized. Removing these values from audio recordings is, at best, troublesome.

Recently, however, the [PCI SSC](http://www.pcisecuritystandards.org) has clarified its position on this particular circumstance. For call centers only, and when dealing with audio recordings of validation codes only, these data may be retained under the following circumstances:

* There is no 'commercially reasonable' technology to remove the prohibited data elements
* All other PCI DSS controls must be in place to protect the audio data
* Individual data elements can never be directly queried from within the audio recordings, nor can any process extract them and transpose them into a report or other file format

Removable media such as backups containing these data must also adhere to these restrictions.

















