“This call is being recorded for quality-assurance purposes.” As consumers, we’ve heard it a million times and don’t think much of it. As business owners, it means more than quality control and customer service training assets. It’s also an indicator that you may be storing cardholder data in recorded call logs — and not even realize it.

If your business takes payment over the phone, credit card data is exchanged to complete the transaction. If these calls are recorded and stored for future listening, that credit card information may be sitting in the clear … and vulnerable. It’s not rocket science, but it’s something many business owners unknowingly overlook.

To provide merchants guidance on how to securely process and store card data over the phone, the Payment Card Industry (PCI) Council released guidance on the topic in its March 18 Protecting Telephone-Based Payment Card Data Information Supplement. The main directive? “If you don’t need it, don’t store it,” said Jeremy King, European regional director for the PCI Security Standards Council in a recent interview. Learn more about PCI guidance for call centers.

This is just one example of payment card data that may be “hiding” right under your nose. Do you use an automated voice response system or interactive voice response (IVR) system? If so, those programs are likely storing sensitive card information.  Do you have surveillance systems or security cameras that videotape merchants or employees at your business? Make sure the footage doesn’t include computer or payment terminal footage, which could reveal payment card data. What about excel spreadsheets used to track data? If payment card information is stored there, you’re also subject to PCI regulations.

Carefully examine your business to determine other places where data may be “hiding” so you can take steps to secure it — and your business. You may also want to consider hiring an approved scanning vendor (ASV) who will thoroughly review your systems and can help you identify and rectify vulnerabilities.