Two-thirds of call centres put sensitive data at risk

Sensitive data is being put at risk in two out of three UK call centres because of a lack of awareness of data security standards. In a survey carried out by audio recording specialists Veritape among 133 call centre managers, 61 per cent said they were unaware of the stipulations of the Payment Card Industry Data Security Standard covering credit card numbers and security codes.

Clause 3.2.2 of the PCI DSS states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.”  The standard also states:“Sensitive authentication data must not be stored after authorisation (even if encrypted)”.

Yet this information is being widely retained, typically in the recordings of calls during which numbers and security codes are requested from callers. In 19 out of 20 call centres surveyed by Veritape for a white paper, “The Great Credit Card Gamble”, transactional recordings do not delete or mask these details.

“What we have is a global industry standard that is routinely ignored by call centres throughout the UK,” says Cameron Ross, managing director of Veritape.  “The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk. Despite clean desk policies and the use of encryption, successful hacking incidents are rising steadily.”

In addition to a lack of awareness, 18 per cent of call centre managers said they were aware of the standard, but couldn’t comply because of technical or budgetary reasons. These included the administrative complexity of safely discarding recorded credit card details. Another 11 per cent were aware of PCI DSS but were ignoring it. Only 6 per cent were both aware of the standard and working towards compliance, while just 3 per cent were fully compliant.