Survey: Call centre data standards 'routinely ignored'

More than 95% of call centres were found to store customers' credit card details in recordings of phone conversations in breach of industry rules, according to a survey conducted by a call recording technology company. Veritape said that when it talked to 133 call centre managers, only 39% of them knew about industry rules …

COMMENTS

This topic is closed for new posts.
  1. Dan 10

    News shocker

    1. Company says you are all illegal.

    2. Company then says "We have the answer!"

    3. Profit!

    To be fair, I hadn't considered the storage of the voice recording though, so I suppose they have a point.

  2. John H Woods Silver badge

    CVV -- what's the point

    I understood the point of the CVV to be to ensure that the card is actually present. And yet all websites require you to say what it is. And all telephone purchases ask you to reveal it. So what is the point, exactly? Just that it's not on the magstripe?

  3. Anonymous Coward

    Silly

    It's silly that a single fixed credit card number that is freely handed out everywhere for every transaction, and a name, are all that is needed to authorize a transaction.

    They should make credit card companies 100% liable for all losses and they'll clean up their act so fast, it will make your head spin.

    This 'recording' problem is a side issue, it doesn't really fix the main problem.

  4. Anonymous Coward
    Alert

    Not necessarily true...

    The PCI Security Standards Council produced an FAQ in response to the storing of cardholder data in voice recordings. The question being answered was "Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?".

    The answer was that whilst this data would be in-scope for PCI DSS compliance, only some of the controls need apply, and the CVV code could be stored providing it is not done in a way that indexes it and makes it easily retrievable.

    It's worth taking a look at the FAQs on the PCI DSS site to clarify this point.

  5. Anonymous Coward

    Please note I record my calls for training and litigious purposes

    I find that when I record my calls to any company inc, they suddenly remember that they have rules they must abide by.

  6. Daniel Snowden
    Alert

    Yet another reason

    I never buy anything from cold callers (or over the phone in general for that matter).

  7. Anonymous Coward

    In other words...

    ...once we've taken your money, we really couldn't care less who scams you.

    This is what happens when you put "light touch" and "regulation" in the same sentence without being tongue in cheek.

  8. Mark M
    Badgers

    Call me skeptical

    Call centre managers?

    I'd like to know the management level the surveys were performed at before taking the figures seriously. As someone who works in this industry I know that the people in management on the floor are not necessarily going to know the tech going on behind the scenes in any great detail.

    If you mean the guy at the very top of the chain in a centre with PCI certification then I'd certainly hope they would be aware of the regulations involved, as should any IT staff on that site and managers involved with teams running credit card transactions. That does not guarantee that every manager in a particular centre will understand the intricacies of it, especially if their lines of business do not perform credit card transactions.

  9. Anonymous Coward
    Stop

    Um

    So make the banks 100% liable for all fraud (unless they can prove "beyond reasonable doubt" that the holder of the card did it, to a judge and jury, at their cost). Then we'll get a proper security scheme where it doesn't matter if the call centre droids have the card numbers etc - they'll be useless to an attacker.

  10. Anonymous Coward
    Thumb Down

    @ Mark M

    > You haven't met our Call centre managers have you?!

    Seriously though, I've spent the last 6 months helping sort PCI compliance out for our company and it's been a nightmare. Some of the controls required by the PCI DSS2 standard are unbelievable, especially around call recordings.

    If you're in IT Security and you get wind of a 'PCI Project' heading your way do the sensible thing and jump ship pronto.

    PCI is only good for PCI QSA Consultants for whom it's more than a nice little earner.

  11. Anonymous Coward
    Stop

    Stop clawbacks

    Agree with the previous commenters who pointed out the need for the banks to accept the losses which will then result in them investing in decent security systems and procedures for financial transactions using bank and credit cards.

  12. John Smith 19 Gold badge
    Thumb Down

    we can search the recording for the number

    How handy. Perhaps you can cue up a whole list for fraudsters to take down as edited highlights.

    Seriously. Call centres have standards for this sort of thing.

    Who knew?

  13. Matthew 3

    We need someone to name and shame...

    ...as the bad publicity is the best way to ensure they comply with the rules quickly. If *everybody* starts asking awkward questions, and RandomVendor Ltd were named, I reckon their customer base would shrink pretty rapidly.

    Nothing incentivises senior management like plummeting revenues!
