More than 95% of call centres were found to store customers' credit card details in recordings of phone conversations in breach of industry rules, according to a survey conducted by a call recording technology company. Veritape said that when it talked to 133 call centre managers, only 39% of them knew about industry rules …
1. Company says you are all illegal.
2. Company then says "We have the answer!"
To be fair, I hadn't considered the storage of the voice recording though, so I suppose they have a point.
CVV -- what's the point
I understood the point of the CVV to be to ensure that the card is actually present. And yet all websites require you to say what it is. And all telephone purchases ask you to reveal it. So what is the point, exactly? Just that it's not on the magstripe?
It's silly that a single fixed credit card number that is freely handed out everywhere for every transaction and a name, are all that is needed to authorize a transaction.
They should make credit card companies 100% liable for all losses and they'll clean up their act so fast, it will make your head spin.
This 'recording' problem is a side issue, it doesn't really fix the main problem.
Not necessarily true...
The PCI Security Standards Council produced an FAQ in response to the storing of cardholder data in voice recordings. The question being answered was "Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?".
The answer was that whilst this data would be in-scope for PCI DSS compliance, only some of the controls need apply, and the CVV code could be stored providing it is not done in a way that indexes it and makes it easily retrievable.
It's worth taking a look at the FAQs on the PCI DSS site to clarify this point.
Please note I record my calls for training and litigious purposes
I find that when I record my calls to any company inc, they suddenly remember that they have rules they must abide by.
Yet another reason
I never buy anything from cold callers (or over the phone in general for that matter).
In other words...
...once we've taken your money, we really couldn't care less who scams you.
This is what happens when you put "light touch" and "regulation" in the same sentence without being tongue in cheek.
Call me skeptical
Call centre managers?
I'd like to know the management level the surveys were performed at before taking the figures seriously. As someone who works in this industry I know that the people in management on the floor are not necessarily going to know the tech going on behind the scenes in any great detail.
If you mean the guy at the very top of the chain in a centre with PCI certification then I'd certainly hope they would be aware of the regulations involved, as should any IT staff on that site and managers involved with teams running credit card transactions. That does not guarantee that every manager in a particular centre will understand the intricacies of it, especially if their lines of business do not perform credit card transactions.
So make the banks 100% liable for all fraud (unless they can prove "beyond reasonable doubt" that the holder of the card did it, to a judge and jury, at their cost). Then we'll get a proper security scheme where it doesn't matter if the call centre droids have the card numbers etc - they'll be useless to an attacker.
@ Mark M
> You haven't met our call centre managers have you?!
Seriously though, I've spent the last 6 months helping sort PCI compliance out for our company and it's been a nightmare. Some of the controls required by the PCI DSS2 standard are unbelievable, especially around call recordings.
If you're in IT security and you get wind of a 'PCI Project' heading your way, do the sensible thing and jump ship pronto.
PCI is only good for PCI QSA Consultants for whom it's more than a nice little earner.
Agree with the previous commenters who pointed out the need for the banks to accept the losses which will then result in them investing in decent security systems and procedures for financial transactions using bank and credit cards.
we can search the recording for the number
How handy. Perhaps you can cue up a whole list for fraudsters to take down as edited highlights.
Seriously. Call centres have standards for this sort of thing.
We need someone to name and shame...
...as the bad publicity is the best way to ensure they comply with the rules quickly. If *everybody* starts asking awkward questions, and RandomVendor Ltd were named, I reckon their customer base would shrink pretty rapidly.
Nothing incentivises senior management like plummeting revenues!