Card details being put at risk by call centres
The vast majority of UK call centres are routinely recording calls and storing customer credit card data in breach of industry guidelines, according to a new survey.
A poll of UK call centre managers by audio recording company Veritape found a potential risk to millions of credit card details, including the three- or four-digit security code. The routine practice of storing unedited audio recordings of calls is creating a vast reservoir of sensitive data on the servers of call centres across the UK, in direct breach of the global industry standard, the Payment Card Industry Data Security Standard (PCI DSS) maintained by the PCI Security Standards Council. Only 3% of call centres were found to be PCI-compliant.
The findings in a white paper, The Great Credit Card Gamble, indicate that over 95% of call centres which store recordings of transactional conversations with customers do not delete or mask the credit card details in the recordings.
Clause 3.2.2 of the PCI Data Security Standard states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.” The standard also states: “sensitive authentication data must not be stored after authorization (even if encrypted)”.
“What we have is a global industry standard that is routinely ignored by call centres throughout the UK,” said Cameron Ross, MD of Veritape. “The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk. Despite clean desk policies and the use of encryption, successful hacking incidents are rising steadily.”
According to a report by Verizon Business, data breaches due to hacking rose 5% in 2008 and 81% of businesses that had their data stolen were not compliant with PCI Data Security Standards.
Veritape says it has been privately advised by a source at a leading UK bank that audio data loss has occurred in at least one hacking incident in the last 12 months. Mining digital audio recordings for spoken or keyed card numbers is relatively straightforward.
Of the 133 call centre managers polled, two in five (39%) were aware of industry guidelines that stipulate that call centres must not store credit and debit card information once a transaction is complete.
The reasons for non-compliance varied. Of all call centres contacted:
– 61% were unaware.
– 18% were aware but said they couldn’t comply for technical or budgetary reasons. Many cited the administrative complexity of safely discarding recorded credit card details due to the inadequacy of their technology and the sheer volume of calls being taken.
– 11% were aware but were ignoring it.
– 6% were aware and were working towards compliance.
– The remaining 3% were compliant.
“This practice ought to send a shiver up the spine of card providers and it is wholly unnecessary,” said Ross. “Hardware and software interventions are available that automatically delete credit card data from audio recordings.”
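One way such a software intervention can work, shown here as an added example that is not from the article and is not Veritape's product: run the recording's speech-to-text transcript and any captured keypad (DTMF) digits through a redaction pass before they are written to storage, so that the card number is truncated and the security code is never stored at all. The sample transcript, the keypad stream, the cue-word list and the 60-character lookahead window are constructed for this example; the card number is a published test number and the Luhn check is the standard card-number checksum.

```python
import re

# Constructed sample transcript of a card-not-present call, as a speech-to-text
# engine might render it. Not a real call; the card number is a public test PAN.
SAMPLE_TRANSCRIPT = (
    "Agent: can I take the long number on the front of the card please. "
    "Caller: yes it's 4539 1488 0343 6467. "
    "Agent: thank you and the expiry. Caller: 09 26. "
    "Agent: and the three digit security code on the back. Caller: 123. "
    "Agent: great, that's authorised, your reference is 778899."
)
# Constructed keypad (DTMF) entry of the same PAN and CVV, each '#'-terminated.
SAMPLE_DTMF = "4539148803436467#123#"

CVV_MARK = "[CVV removed]"

# 13-19 digits, optionally separated by spaces or dashes, not adjacent to other digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# a CVV cue phrase (assumed list) followed within 60 characters by a standalone 3- or 4-digit run
CVV_RE = re.compile(
    r"(security code|cvv|cvc|three digit|four digit)(.{0,60}?)(?<!\d)\d{3,4}(?!\d)",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to the last four digits; truncation is one PCI DSS-accepted way to render stored PAN unreadable."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_pan_match(m) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # e.g. a long order reference: leave it untouched
    return mask_pan(digits)


def _drop_cvv_match(m) -> str:
    return m.group(1) + m.group(2) + CVV_MARK


def redact_transcript(text: str) -> str:
    """Mask PANs and remove CVVs from a transcript before it is stored."""
    text = PAN_RE.sub(_mask_pan_match, text)
    return CVV_RE.sub(_drop_cvv_match, text)


def redact_dtmf(stream: str) -> str:
    """Same policy for '#'-terminated keypad entries captured alongside the audio."""
    out = []
    for field in stream.split("#"):
        if 13 <= len(field) <= 19 and field.isdigit() and luhn_ok(field):
            out.append(mask_pan(field))
        elif 3 <= len(field) <= 4 and field.isdigit():
            out.append(CVV_MARK)   # never store the code, even encrypted
        else:
            out.append(field)
    return "#".join(out)


if __name__ == "__main__":
    print(redact_transcript(SAMPLE_TRANSCRIPT))
    print(redact_dtmf(SAMPLE_DTMF))
```

The point of the design is where the pass runs: at capture time, before anything reaches the recording archive, so the "must not be stored after authorization" rule is met by construction rather than by a later clean-up job over a backlog of recordings. The Luhn check is what keeps order references and other long numbers intact, and the CVV is dropped outright rather than masked because there is no legitimate reason to retain any part of it.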
Veritape is calling for the industry’s standards body, the PCI Security Standards Council, to implement a silent number standard with which all call centres should comply. In the interim, Veritape is creating a website, www.silentnumber.co.uk, which contains information about the proposed standard and a forum in which call centres that already mask sensitive credit card data can promote themselves.