Sloppy call centre practice exposes customer data to fraud risk
Sloppy call centre practices are putting customer data at serious risk of identity theft, as over 95% of call centres are found to be breaking the rules for storing credit card details.
According to a new survey from call recording company Veritape, only 39% of call centre managers know the rules such as those drawn up by the Payment Card Industry (PCI) Data Security Council which cover how to store customer information once a call has been recorded.
Only a handful – 3% – of survey respondents bother to wipe credit card numbers from recordings of phone calls. Of the remaining 97%, 18% said it was simply too costly for them to bother, while 11% were clearly aware of the issue but said they were choosing to ignore it. Only 6% claimed to be trying to put their house in order, while 61% pleaded ignorance of the rules.
What this means is that sitting on call centre servers throughout the UK are millions upon millions of pieces of sensitive data that a savvy hacker could make malicious use of to steal customers' identities and commit fraud.
According to the UK Fraud Prevention Service CIFAS, at least 60,000 UK residents have fallen victim to ID fraud so far this year, a 36% increase year on year. Verizon Business, Veritape’s sister company, reports that 81% of businesses that had their data stolen in 2008 were not compliant with security standards.
A huge reservoir of sensitive information
Call centres are not supposed to keep recordings of people revealing the three-digit security numbers on the backs of their cards. If fraudsters obtain these, they have all the information they need to use the cards.
Rules in the PCI Data Security Standard require companies to erase those parts of these recordings once the transaction is complete. Specifically, clause 3.2.2 of the PCI Data Security Standard states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.”
The standard also states: “Sensitive authentication data must not be stored after authorisation (even if encrypted).” But in many cases this rule is being wilfully ignored.
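One way a call centre could act on clause 3.2.2 before a recording is archived, and audit recordings already on disk, as an added example that is not part of this article or of Veritape's product: the transcript format, the prompt wording, the regular expressions and the sample call below are all assumptions.

```python
"""Redact the card verification code from a call transcript before storage, and
audit stored transcripts for codes that slipped through (PCI DSS 3.2.2).
Constructed example: the segment format and prompt patterns are assumptions."""
import re
from dataclasses import dataclass, replace

# Agent wording that precedes the customer reading out the verification code (assumed).
CVV_PROMPT = re.compile(r"\b(security|verification|cvv|cvc|cv2)\b.*\b(code|number|digits)\b", re.I)
# Exactly 3 or 4 digits, optionally spaced ("421", "4 2 1", "1234"); longer runs such as
# a 16-digit PAN are only caught group by group, so the pattern is applied solely to
# the customer's answer to a verification-code prompt.
CVV_DIGITS = re.compile(r"(?<!\d)(?:\d[ -]?){2,3}\d(?!\d)")


@dataclass
class Segment:
    start: float   # offset in seconds into the recording
    end: float
    speaker: str   # "agent" or "customer"
    text: str


def redact_cvv(segments):
    """Return (redacted_segments, mute_ranges). The customer turn answering a
    verification-code prompt has its digits replaced, and its (start, end) is
    returned so the audio can be silenced over the same range before archiving."""
    out, mute = [], []
    awaiting = False
    for seg in segments:
        if seg.speaker == "agent":
            # A new agent turn either asks for the code or moves the call on.
            awaiting = bool(CVV_PROMPT.search(seg.text))
        elif awaiting and CVV_DIGITS.search(seg.text):
            mute.append((seg.start, seg.end))
            seg = replace(seg, text=CVV_DIGITS.sub("[CVV REDACTED]", seg.text))
            awaiting = False
        out.append(seg)
    return out, mute


def unredacted_cvv_offsets(segments):
    """Audit helper: start offsets of customer turns that still carry a code."""
    return [start for start, _ in redact_cvv(segments)[1]]


# Constructed sample call; the card number is a test value, not a real card.
CALL = [
    Segment(0.0, 4.0, "agent", "Can I take the long number on the front of the card?"),
    Segment(4.0, 12.0, "customer", "4111 1111 1111 1111"),
    Segment(12.0, 15.0, "agent", "And the three digit security code on the back?"),
    Segment(15.0, 17.0, "customer", "Hang on, let me find it."),
    Segment(17.0, 19.0, "customer", "It's 4 2 1."),
    Segment(19.0, 22.0, "agent", "Thanks, and the expiry date?"),
    Segment(22.0, 24.0, "customer", "12 25."),
]
```

The PAN turn is left alone here because its storage is governed by other PCI DSS requirements (truncation or encryption), whereas the verification code may not be kept in any form.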
“What we have is a global industry standard that is routinely ignored by call centres throughout the UK,” said Cameron Ross, managing director of Veritape. “The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk. Despite clean desk policies and the use of encryption, successful hacking incidents are rising steadily. This practice ought to send a shiver up the spine of card providers and it is wholly unnecessary.”
Of the 131 firms surveyed, one guilty party was a bank that was not compliant with the rules. This revelation follows an investigation by The Times newspaper, which uncovered bad practice at the call centres of banks such as Lloyds and HSBC, where staff often phone customers with unexplained requests for personal information.
The Banking Code warns: “Never give your account details or other security information to anyone unless you know who they are and why they need them.” A customer who discloses such information will probably be held liable for any fraudulent transactions on their account. Yet The Times found many cases of banks' call centres phoning customers out of the blue and demanding information as a security check before verifying suspicious transactions and the like.