Telephone-based Payment Card Data PCI Guidelines

The Security Standards Council (SSC) has released an information supplement on telephone-based payment card data. This is an update to PCI SSC FAQ 5362.

It is now clear that controls must be in place to clean and protect audio recordings; recordings that store sensitive authentication data (SAD) violate PCI DSS compliance.

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted. It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

The last sentence is the big clue. Known query tools pose a clear and present threat to SAD in audio files. The point of this supplement is to emphasize that the data needs to be protected due to the ease of querying and reading it. The controls must be documented and validated as usual.

The supplement provides a decision process flow to help illustrate different control areas. Even if no calls are recorded, for example, “Processing and transmission of cardholder data remain in scope for PCI DSS”.

One area of ambiguity remains.

Note the end of the sentence above where the Council says storage is prohibited “if that data can be queried”. Despite SAD media storage being prohibited there are some particular situations of storage — with additional controls — that may be allowed.

If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

A call center that can validate that its recordings cannot be data-mined may therefore be allowed to store SAD. At the same time, however, the supplement says that storing SAD is prohibited.

Pay particular attention to sensitive authentication data: Storage is not permitted.

All clear?

I wonder if the PCI Council has the sense of humor to start a campaign called “SAD is bad. Get rid of it and be glad”. They could even distribute it as a song, in an audio file.
