Call Centers Violate PCI Standards
U.K. call centers are taking unnecessary risks with customers’ credit card information when recording and storing calls, according to new research from Veritape, a call recording software provider based in the United Kingdom.
The research, a national poll of U.K. call center managers conducted in September, found that more than 19 in 20 call centers do not delete or mask credit card details in their call recordings, which is a direct violation of the Payment Card Industry Data Security Standard (PCI DSS). Of the 133 call center managers contacted by Veritape for the survey, only 3 percent were in compliance with the guidelines. The result, according to Veritape, is that 285 million credit or debit card transactions across the U.K. were put at risk last year.
“What we have is a global industry standard that is routinely ignored by call centers throughout the U.K.,” said Cameron Ross, managing director of Veritape, in a statement. “The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk.”
Clause 3.2.2 of the PCI DSS states that if companies record telephone conversations during which a customer’s credit card details are taken, the card numbers and security codes are not allowed to be included in the recording. The standard also states that sensitive authentication data must not be stored after authorization, even if it is encrypted.
That is just one aspect of the PCI DSS, a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures intended to help organizations proactively protect customer account data.
The prevalence of violations “ought to send a shiver up the spine of card providers, and it is wholly unnecessary,” Ross said. “Hardware and software interventions are available that automatically delete credit card data from audio recordings.”
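As an added example (not Veritape's product, nor any PCI SSC tool), the following Python sketches what the "intervention" Ross describes does when applied to the transcript of a recorded call, implementing the clause 3.2.2 rule quoted above: Luhn-valid card numbers are masked to their last four digits, and the security code is removed entirely so it is never stored after authorization. The transcript, the keyword heuristic used to locate the security code, and the function names are all constructed assumptions for this example.

```python
import re

# Constructed transcript of a recorded payment call (sample data, not real).
SAMPLE_TRANSCRIPT = (
    "Agent: may I take the card number? "
    "Caller: it's 4111 1111 1111 1111, expiry 09/27, "
    "and the security code is 737. "
    "Agent: thank you, your order reference is 1234567890123."
)

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Heuristic (an assumption of this example): a 3- or 4-digit value within a
# few characters of the words "security code", "CVV" or "CVC".
CVV_RE = re.compile(r"(security code|cvv|cvc)\D{0,20}\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): separates real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str):
    """Return (redacted_text, counts): PANs masked to their last four digits,
    security codes removed entirely (sensitive authentication data)."""
    counts = {"pan": 0, "cvv": 0}

    def _cvv(m):
        counts["cvv"] += 1
        return m.group(1) + " [REDACTED]"

    def _pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # e.g. an order reference that merely looks numeric
        counts["pan"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    # Strip the security code first so its digits never reach storage.
    text = CVV_RE.sub(_cvv, text)
    text = PAN_RE.sub(_pan, text)
    return text, counts
```

Calling `redact(SAMPLE_TRANSCRIPT)` leaves the 13-digit order reference untouched because it fails the Luhn check, while the card number and security code are removed.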
Among the reasons for failing to abide by PCI DSS, 61 percent of managers said they were unaware of the standards, 18 percent were aware but said they couldn’t comply for technical or budgetary reasons, 11 percent were aware but chose not to follow them, and 6 percent were aware and were working toward compliance.
What’s even scarier: According to the PCI Security Standards Council (PCI SSC), the problem goes far beyond the U.K. It’s a worldwide problem.
Bob Russo, general manager of the PCI SSC, noted that the council does not have access to forensic evidence regarding the size of the problem, but cited Verizon’s “2009 Data Breach Investigations Report,” which found that breached organizations had only an 11 percent compliance level for PCI’s requirements for protecting cardholder data. The report further stated that only 5 percent of companies complied with PCI requirements for tracking and monitoring access to network resources and cardholder data.
“One of the first things the council suggests is that if you don’t need it, don’t store it,” Russo wrote in an email.
The council, he further notes, keeps a list of approved payment applications on its Web site at www.pcisecuritystandards.org/security_standards/vpa. But in the end, “the conclusion here is that data security is not all about prevention; it also requires detection and monitoring,” Russo warns.