News shocker
1. Company says you are all illegal.
2. Company then says "We have the answer!"
3. Profit!
To be fair, I hadn't considered the storage of the voice recording though, so I suppose they have a point.
More than 95% of call centres were found to store customers' credit card details in recordings of phone conversations in breach of industry rules, according to a survey conducted by a call recording technology company. Veritape said that when it talked to 133 call centre managers, only 39% of them knew about industry rules …
It's silly that a single fixed credit card number that is freely handed out everywhere for every transaction and a name, are all that is needed to authorize a transaction.
They should make credit card companies 100% liable for all losses and they'll clean up their act so fast, it will make your head spin.
This 'recording' problem is a side issue, it doesn't really fix the main problem.
The PCI Security Standards Council produced an FAQ in response to the storing of cardholder data in voice recordings. The question being answered was "Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?".
The answer was that whilst this data would be in-scope for PCI DSS compliance, only some of the controls need apply, and the CVV code could be stored providing it is not done in a way that indexes it and makes it easily retrievable.
It's worth taking a look at the FAQs on the PCI DSS site to clarify this point.
Call centre managers?
I'd like to know the management level the surveys were performed at before taking the figures seriously. As someone who works in this industry I know that the people in management on the floor are not necessarily going to know the tech going on behind the scenes in any great detail.
If you mean the guy at the very top of the chain in a centre with PCI certification then I'd certainly hope they would be aware of the regulations involved, as should any IT staff on that site and managers involved with teams running credit card transactions. That does not guarantee that every manager in a particular centre will understand the intricacies of it, especially if their lines of business do not perform credit card transactions.
So make the banks 100% liable for all fraud (unless they can prove "beyond reasonable doubt" that the holder of the card did it, to a judge and jury, at their cost). Then we'll get a proper security scheme where it doesn't matter if the call centre droids have the card numbers etc - they'll be useless to an attacker.
> You haven't met our Call centre managers have you?!
Seriously though, I've spent the last 6 months helping sort PCI compliance out for our company and it's been a nightmare. Some of the controls required by the PCI DSS2 standard are unbelievable, especially around call recordings.
If you're in IT Security and you get wind of a 'PCI Project' heading your way, do the sensible thing and jump ship pronto.
PCI is only good for PCI QSA Consultants for whom it's more than a nice little earner.
...as the bad publicity is the best way to ensure they comply with the rules quickly. If *everybody* starts asking awkward questions, and RandomVendor Ltd were named, I reckon their customer base would shrink pretty rapidly.
Nothing incentivises senior management like plummeting revenues!