The payment card brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) established the PCI Security Standards Council (PCI SSC) in 2006 to create a single set of rules for merchants and service providers that accept credit and debit card payments, with the aim of minimizing the loss of payment card data, whether through malicious action or otherwise. The Council publishes and maintains the Payment Card Industry Data Security Standard (PCI DSS), which sets out the security requirements for anyone who processes, stores or transmits cardholder data.
In practice, this means that if your organization accepts credit or debit cards, it must do so in accordance with the current version of the standard. Compliance is not a legal requirement in itself, but merchants and service providers that do not comply are in breach of their contract with their acquiring bank and can be fined or have their card acceptance privileges terminated, with the business losses that implies.
Simply put, PCI DSS requires that cardholder data (the cardholder name, expiration date, primary account number (PAN) and so on) is stored only where there is a genuine business need, and that any stored PAN is rendered unreadable. Sensitive authentication data (SAD), which includes card validation codes (CVV2, CVC2, CID or CAV2), PINs and PIN blocks, and the full contents of the magnetic stripe or the equivalent chip data, must never be stored after authorization, even if encrypted. For call recording this means that SAD must not be kept in any digital audio or video format (WAV, MP3 and the like), nor in a screen capture, once the transaction has been authorized.
Oreka TR addresses this by pausing both screen and audio recording, triggered through its API or the web user interface, for the part of the call in which card details are read out over the phone, so that those digits are never written to the recording system. The control is only as good as its trigger: the pause must cover the whole card-entry portion of the call (PAN and validation code alike), resume reliably afterwards, and be verified against the recordings, transcripts and screen captures actually stored rather than assumed to have fired.
Resource: PCI FAQs and Myths