Veritape poll: call centres take risks with sensitive card data
Press release
CALL CENTRES ARE TAKING UNNECESSARY RISKS WITH SENSITIVE CREDIT CARD DATA, NATIONAL POLL FINDS
- UK call centres are routinely recording calls and storing credit card data in breach of industry guidelines
- Huge reservoir of card data and rise in hacking incidents is creating unnecessary risk
- Veritape calls for the introduction of a “silent number” standard for call centres
A national poll of UK call centre managers by audio recording specialists Veritape has identified a potential risk to millions of credit card details, including the 3-digit security code. The routine practice of storing unedited audio recordings of calls is creating a vast reservoir of sensitive data on the servers of call centres across the UK in direct breach of global industry standards drawn up by the Payment Card Industry Data Security Council.
The findings in a white paper, The Great Credit Card Gamble, released today to coincide with National Identity Fraud Prevention Week, indicate that more than nineteen in twenty call centres which store recordings of transactional conversations with customers do not delete or mask the credit card details in the recordings.
Clause 3.2.2 of the Payment Card Industry (PCI) Data Security Standard states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.” The standard also states: “sensitive authentication data must not be stored after authorization (even if encrypted)”.
“What we have is a global industry standard that is routinely ignored by call centres throughout the UK,” said Cameron Ross, managing director of Veritape. “The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk. Despite clean desk policies and the use of encryption, successful hacking incidents are rising steadily.”
According to a report by Verizon Business, data breaches due to hacking rose 5% in 2008 and 81% of businesses that had their data stolen were not compliant with PCI Data Security Standards.
Veritape has been privately advised by a source at a leading UK bank that audio data loss has occurred in at least one hacking incident in the last 12 months. The process of data mining digital audio recordings is relatively straightforward.
Of the 133 call centre managers contacted by Veritape in a poll in September 2009, two in five (39%) were aware of industry guidelines that stipulate that call centres must not store credit and debit card information once a transaction is complete. Only 3% of call centres contacted by Veritape were compliant with the guidelines.
The reasons for non-compliance varied. Of all call centres contacted:
- 61% were unaware.
- 18% were aware but said they couldn’t comply for technical or budgetary reasons. Many cited the administrative complexity of safely discarding recorded credit card details due to the inadequacy of their technology and the sheer volume of calls being taken.
- 11% were aware but were ignoring it.
- 6% were aware and were working towards compliance.
- The remaining 3% were compliant.
“This practice ought to send a shiver up the spine of card providers and it is wholly unnecessary,” said Cameron Ross. “Hardware and software interventions are available that automatically delete credit card data from audio recordings.”
Veritape are calling for the industry’s standards body, the PCI Security Standards Council, to implement a silent number standard to which all call centres should comply. In the interim, Veritape is creating a website, www.silentnumber.co.uk, which contains data about the proposed standard and a forum for call centres which do currently mask sensitive credit card data to promote themselves.
— Ends —
About Veritape
Veritape provides software-based call recording services to businesses and not-for-profit organisations through a low-risk rental model, offering a cost-effective, flexible alternative to traditionally expensive fixed hardware solutions.
As well as recording millions of calls each day, Veritape software collects and interrogates data from the conversations within them, acting as a powerful telephone search engine.
Veritape’s software is trusted every day to improve the operations of:
- four of the world’s five largest car manufacturers.
- major UK travel companies.
- finance and insurance companies of all sizes.
- local and regional government, including Regional Trading Standards.
- pharmaceuticals businesses and major suppliers to the NHS.
- outsourced call centres, including the UK’s market leader.
Veritape clients regularly realise a range of concrete business gains, such as up to 30% reduction in staff costs, between 30 to 40% increases in productivity for sales managers, up to 90% reduction in disputed transactions, and significant increases in lead conversions.