Category Archives: Poetry

Telephone-based Payment Card Data PCI Guidelines

The Security Standards Council (SSC) has released an information supplement on telephone-based payment card data. This is an update to PCI SSC FAQ 5362.

It is now clear that controls must be in place to clean and protect audio recordings; they violate PCI compliance if they store sensitive authentication data (SAD).

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted. It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

The last sentence is the big clue. Known query tools pose a clear and present threat to SAD in audio files. The point of this supplement is to emphasize that the data needs to be protected due to the ease of querying and reading it. The controls must be documented and validated as usual.

The supplement provides a decision process flow to help illustrate different control areas. Even if no calls are recorded, for example, “Processing and transmission of cardholder data remain in scope for PCI DSS”.

One area of ambiguity remains.

Note the end of the sentence above where the Council says storage is prohibited “if that data can be queried”. Despite SAD media storage being prohibited, there are some particular situations of storage — with additional controls — that may be allowed.

If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

A call center that can validate that its recordings cannot be data-mined thus may be allowed to store SAD. However, at the same time, the supplement says it is prohibited from storing SAD.

Pay particular attention to sensitive authentication data: Storage is not permitted.

All clear?

I wonder if the PCI Council has the humor to start a campaign called “SAD is bad. Get rid of it and be glad”. They could even distribute it as a song, in an audio file.

How the Dutch WiFi Hacker Escaped Conviction

Technically he was convicted on a separate charge, so he did not go free, but the charges against him for hacking into a WiFi network were dismissed. PC World gives the following explanation:

A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes. Hacking a device that is no computer by law is not illegal, and can not be prosecuted, the court concluded.

The prosecution had to prove the wireless router was used for storage, processing and transmission of data. That does not sound terribly hard to do (a router is used to store logs and route data; packets are processed and transmitted), but apparently they proved only one or two of the three, not all of them. Also, if the law had used the word “or” instead of “and” (storage, processing or transmission of data), the judge might have reached a different result. The ruling was appealed.

Tuareg Rebel Music

Ansari is a beautiful poem and song by Tartit, a Tuareg group from Mali.

Hopefully I will find time soon to transcribe and translate it. I thought I would post it in advance of translation because it’s been stuck in my head lately as I read the news about Libya.

I mentioned the Tuareg rebels in 2007. Interviews from 2009 with a Tuareg group called Tinariwen give more insight into their struggle, including time spent training in Libya; it showed up in the Music of Resistance series.

A Brief History of the Bohemian

The BBC, in an investigation called “What is bohemian?”, quotes Puccini’s character Rodolfo in La Boheme:

I am a poet!
What’s my employment? Writing.
Is that a living? Hardly.
I’ve wit though wealth be wanting,
Ladies of rank and fashion
All inspire me with passion;
In dreams and fond illusions,
Or castles in the air,
Richer is none on earth than I.

Those who embrace the identity of the bohemian may in fact be capturing the essence of “outsider”, which has the most profound effect on fashion and fad, or other industries that favor constant change:

“Everyone has a view of what the bohemian is,” says [writer Virginia] Nicholson. “The bohemian is an outsider, defines themselves as an outsider and is defined by the world as an outsider… A lot of people regard them as subversive, elitist and possibly just a little bit immature.”

In other words, they are less likely to follow tradition and may express an ability or a desire to live beyond the confines of localized control. That could be seen as immature if a viewer associates the ability to easily change and adapt around standards with a lack of maturity. The OED is also quoted. It emphasizes a male identity and uses the terms “irregular” and “vagabond” instead of “immature”, which reveals that the terms used to describe an outsider may be dated.

The Oxford English Dictionary’s definition mentions someone “especially an artist, literary man, or actor, who leads a free, vagabond, or irregular life, not being particular as to the society he frequents, and despising conventionalities generally”.