Over a billion call recordings containing payment card details put UK retailers at risk of breaching PCI DSS requirements
These recordings, referred to as toxic legacy call recordings, affect large UK merchants ranging from household retail brands to local government authorities.
Because of insufficient data security controls, these card details can be accessed, downloaded and sold on the black market, security experts at the PCI London conference claimed today.
The consequences for Level 1 and Level 2 merchants falling foul of PCI DSS, whether through non-compliance or through compromised payment card details, include fines of up to £500,000 per breach. In addition, and perhaps most costly of all, there is the potential for serious damage to the retailer's brand itself.
Caught between regulations
The issue of toxic legacy data has come about because many retailers are required by the Financial Conduct Authority (FCA) to retain and protect call recordings in case they are needed during the resolution of complaints or disputes, or for regulatory reasons. Some companies subject to financial sector regulations have policies to store recordings for up to seven years.
However, the FCA rules conflict with PCI DSS, which only permits retailers to store payment card details where there is a legitimate business reason and, where they do, requires that data to be protected to the PCI standard; the card security code read out by a caller is sensitive authentication data, which PCI DSS does not allow to be retained at all once the transaction has been authorised. Although methods now exist to stop payment card data being captured during calls made today (for example pausing the recording, or masking the keypad tones, while the card details are taken), historical call recordings stretching back many years do contain payment card data, and those recordings fall foul of the PCI requirements.
Recent figures from the UK Cards Association show Britons spend almost half a trillion pounds on plastic each year, with nearly 10 billion separate card transactions taking place. Of these card transactions, 256 million were made over the telephone in 2012, according to UK Payments Administration.
Card not present pitfalls
Matthew Bryars, chief executive of card security software specialist Aeriandi, estimates that while the proportion of recorded calls that contain payment card data will vary, it could easily rise above 50% in contact centres processing large numbers of card-not-present (CNP) transactions.
Bryars said: “We believe up to one billion call recordings containing toxic legacy data now exist in the UK as a subset of the tens of billions of overall call recordings made over the past seven years. While it’s fine for most call recordings to be stored in any old storage system, any legacy toxic call recordings must be stored within PCI DSS requirements.”
Bryars cited the example of a tier-one merchant, a household brand, that processes six million card payments at its contact centres each year. This company alone was found to hold over 140 million old call recordings, up to a third of which contained payment card details; all of those had to be moved into a secure, PCI-compliant repository.
He said: “This example is the exception in that it took rapid steps to address the problem. In most cases toxic legacy data is an issue that most retailers either don't know exists, or have yet to address.”
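Finding which of 140 million recordings actually contain card data is the first, and usually the hardest, step of the clean-up the merchant above went through. The following is an added example, not code from the article or from Aeriandi: it assumes the recordings have already been passed through speech-to-text (the article does not say how the merchant identified its toxic recordings), and it scans constructed sample transcripts for digit runs that pass the Luhn mod-10 check every live card number satisfies, flags the phrases an agent uses when asking for the security code (which cannot be Luhn-checked and must not be retained at all), and masks the card numbers so the triage report itself does not become another copy of the data. The card numbers in the samples are the public Visa and Amex test numbers, not real cards.

```python
"""Triage of call-centre transcripts for payment card data (added example)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# which is how a transcription engine tends to render a number read out loud.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (the 3-4 digit security code) is too short
# to checksum, so flag the phrases an agent uses when asking for it instead.
SAD_HINT = re.compile(r"\b(security code|cvv2?|cvc|three digits on the back)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every live card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2   # 10..18 collapses to 1..9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (start, end, digits) for every Luhn-valid 13-19 digit run in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pans(text: str) -> str:
    """Replace each detected PAN with a masked form that keeps only the last four digits."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)


def triage(transcripts: dict) -> dict:
    """Classify each transcript: number of PANs found and whether a security code was requested."""
    report = {}
    for rec_id, text in transcripts.items():
        pans = find_pans(text)
        sad = bool(SAD_HINT.search(text))
        report[rec_id] = {
            "pans": len(pans),
            "sad_requested": sad,
            "toxic": bool(pans) or sad,     # either one means the recording needs PCI-grade handling
        }
    return report


# Constructed sample transcripts (not real calls). The card numbers are the
# public Visa (4111...) and Amex (3782...) test numbers; both pass Luhn.
SAMPLE_TRANSCRIPTS = {
    "rec-0001": "Agent: can I take the long number? Caller: 4111 1111 1111 1111. "
                "Agent: and the security code? Caller: one two three.",
    "rec-0002": "Caller: my order reference is 1234 5678 9012 3456 and my phone is 0207 123 4567.",
    "rec-0003": "Caller: it's an Amex, 3782 822463 10005, expiry oh-nine twenty-six.",
}

if __name__ == "__main__":
    for rec_id, verdict in triage(SAMPLE_TRANSCRIPTS).items():
        print(rec_id, verdict)
    print(mask_pans(SAMPLE_TRANSCRIPTS["rec-0001"]))
```

The order reference in rec-0002 is sixteen digits but fails the checksum, and the phone number is too short, so neither is flagged; rec-0001 is flagged twice over, once for the card number and once because the security code was asked for, and that second flag is the one that matters most, because no amount of encryption makes retaining the security code compliant.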
Issuing call to action
Payment card data stolen from call recordings is most likely to be used for CNP fraud, which cost UK merchants £220.9 million in 2011. CNP fraud has become the largest segment of card fraud, accounting for 65% of all card losses, according to Financial Fraud Action UK.
Bryars concluded: “Over the past 24 months I’ve met with many public and private sector organisations that take payment card data over the phone and – without exception – they all recognise that they have inherited a major toxic legacy call recording problem.
“However, few have yet taken any meaningful steps to migrate this toxic data into a secure and compliant data centre, which means, for now at least, there is a very juicy new payment card target for opportunistic bad guys to exploit. These merchants have an obligation to wake up to the issue of legacy toxic call recordings, and take urgent steps to deal with it.”