“We may record your call for training purposes”. Recognise this phrase? You’ve probably heard it dozens of times before but not really given it much thought.
Nowadays, the majority of companies record every customer phone call they receive whether it’s for regulatory, compliance, legal or for customer service purposes. However, if during that call the customer hands over card payment information, that recording will contain all that someone would need to make fraudulent payments, should those details fall into the wrong hands.
So, whilst recording all calls seems to make sense in terms of customer service and is appropriate for regulation and compliance reasons, what many don’t realise is that in doing so, they are steadily building up a large bank of highly sensitive customer payment card information and personal details.
If not stored safely and securely, these details can pose a significant fraud and additional compliance risk to the company. Yet despite the financial and reputational damage that a data breach could do to a company, many are still failing to adopt practices that can mitigate the risks posed by legacy call data.
Compliance, regulation and good customer service are all important and crucial aspects of business and companies should make sure the service they offer is of the best quality possible. What’s more, is that often for financial services institutions, recording and saving telephone conversations with customers is not a choice, but a Financial Conduct Authority (FCA) requirement.
However, how much time have we, as consumers, spent thinking about what happens to that recording once it has been made? The answer is probably no more than a fleeting thought. In fact, a recent survey conducted by elitele.com revealed that 97 per cent of UK consumers don’t know what happens to sensitive information they give to call centre operatives over the phone. When asked to describe what happens, over a third (36 per cent) stated they had no idea and almost two thirds (61 per cent) incorrectly identified what information operatives have access to and how it is stored.
These findings are particularly concerning if a transaction is processed as part of the call. Card Not Present (CNP) payments, such as telephone purchases, require no secondary authentication equivalent to entering your PIN at a cash register. This means that when making a phone payment, customers are handing over all of the information needed for someone else to use and abuse their financial details. During a telephone transaction, financial data, personal information and often account passwords are captured. If that call is recorded, the risk of fraud can remain until the card expires years later.
Securing customer data – Payment card regulations
Some time ago, key members of the payment card industry recognised that there was a risk to customer data and got together to agree the Payment Card Industry Data Security Standard (PCI DSS). It applies to any business that processes card payments. It’s important to state though that PCI DSS is a standard, not a legal requirement.
Now in its third iteration, PCI DSS V3 consists of 12 requirements designed to maximise the security of all customer payment card information and minimise the risk of fraud. In the context of phone payments, PCI DSS stipulates:
“Do not store sensitive authentication data after authorisation (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorisation process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data only if:
- There is a business justification and
- The data is stored securely”
The standard goes on to recommend that where technology exists to help prevent the recording of sensitive data, such technology should be enabled. This could take the form of pause/record solutions to prevent payment data being recorded, or it could be a more effective solution called a secure telephone payment platform to ensure sensitive payment data never enters the business in the first place. Instead the data is processed off-site by a (PCI DSS compliant) third party, ensuring all PCI obligations related to phone payments are removed from the company itself, barring Requirement 12 – ‘Maintain a policy that addresses information security’.
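The pause/record approach above is easier to reason about with a concrete model. The following is an added illustration, not code from the article or from Aeriandi: a recorder that receives audio frames from a call and, while the agent desktop signals that card details are being captured, writes silence to the archive instead of the frames. The frame timings, the agent events and the "speech" payloads are constructed stand-ins for real audio; the manifest it produces records which windows were suppressed, which is what an assessor would want to check. Note the fail-closed behaviour: a capture window that is never explicitly ended stays silenced to the end of the call.

```python
"""Pause/record call recording model (added example, not Aeriandi's product).

Audio frames that arrive while the agent is in 'card capture' state are replaced
by silence before they reach the archive, so the PAN and CVV never persist in
the recording. A manifest lists the suppressed windows for audit.
"""
from dataclasses import dataclass, field
import hashlib
from typing import List, Optional, Tuple


@dataclass
class Frame:
    """One chunk of call audio. t_ms is its start time; pcm stands in for raw samples."""
    t_ms: int
    pcm: bytes


@dataclass
class RedactingRecorder:
    """Recorder that silences audio while the agent desktop is in 'card capture' state."""
    _archive: bytearray = field(default_factory=bytearray)
    _windows: List[Tuple[int, int]] = field(default_factory=list)
    _open_since: Optional[int] = None

    def capture_start(self, t_ms: int) -> None:
        """Agent pressed 'take payment'. A repeated start keeps the original window open."""
        if self._open_since is None:
            self._open_since = t_ms

    def capture_end(self, t_ms: int) -> None:
        """Agent confirmed the card details have been passed on; resume recording."""
        if self._open_since is not None:
            self._windows.append((self._open_since, t_ms))
            self._open_since = None

    def on_frame(self, frame: Frame) -> bool:
        """Write the frame to the archive. Returns True if it was silenced."""
        if self._open_since is not None:
            self._archive += bytes(len(frame.pcm))  # zero samples = silence
            return True
        self._archive += frame.pcm
        return False

    def finish(self, end_ms: int) -> dict:
        """Close the recording. Fails closed: an unterminated window runs to end of call."""
        self.capture_end(end_ms)
        audio = bytes(self._archive)
        return {
            "audio": audio,
            "sha256": hashlib.sha256(audio).hexdigest(),  # integrity value for the index
            "suppressed_windows_ms": list(self._windows),
            "duration_ms": end_ms,
        }


def run_sample_call() -> dict:
    """Constructed call: each payload stands in for 20 ms of speech."""
    rec = RedactingRecorder()
    rec.on_frame(Frame(0, b"hello, I'd like to renew my policy "))
    rec.capture_start(20)  # agent presses 'take payment'
    rec.on_frame(Frame(20, b"card number 4111 1111 1111 1111 "))  # constructed test PAN
    rec.on_frame(Frame(40, b"expiry 12/29, CVV 123 "))
    rec.capture_end(60)  # payment handed off, recording resumes
    rec.on_frame(Frame(60, b"thanks, goodbye"))
    return rec.finish(80)


if __name__ == "__main__":
    manifest = run_sample_call()
    print("suppressed:", manifest["suppressed_windows_ms"])
    print("archive   :", manifest["audio"])
```

Running it shows the archive holding the greeting and sign-off with a run of zero bytes in between, and the manifest listing the single suppressed window. In a real deployment the "frames" would be RTP or recorder-API audio and the start/end events would come from the agent desktop or from the secure payment platform's own signalling, but the property to verify is the same: no frame received inside a capture window ever reaches storage.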
The payment card industry has the power to issue severe fines for non-compliance, while reputational damage resulting from a breach could potentially be far more harmful than any monetary fine. As such, more and more merchants are now working closely with their acquiring banks and security specialists to ensure compliance is not only met, but also maintained.
How to mitigate the risk of legacy data
So, that’s all well and good, except, what about the years of legacy call data that businesses have been recording and storing up over time? How can businesses mitigate the risk posed by years of legacy data?
One solution is to take all archived tape/digital recordings away and bury them somewhere that won’t be discovered for many years to come. At the back of the server room is often a favourite we see over and over again. However, it’s not a failsafe approach.
Locking the data in a secure vault is another option. Technically this would help to achieve PCI DSS compliance, however it is just not practical for most. Not only do FCA requirements dictate that all recordings must be ‘easily accessible’ for six months, but the Freedom of Information Act also states that any request received must be answered within 20 working days. As such, any public sector organisation that receives an ill-timed request could fall foul of it if it can’t access and retrieve legacy calls with ease. Old tapes also deteriorate over time, meaning that in just a few years’ time they could be very difficult to play back effectively.
Various technology vendors are beginning to advocate the use of analytics software as an alternative now. The theory is that this software can scan through legacy recordings and automatically redact sensitive payment information. It’s an interesting concept but in reality this technology is yet to achieve a level of reliability that makes it commercially viable.
A third option is to implement secure legacy archiving. This approach involves the digitisation of any legacy recording tapes or disks to preserve the quality of the recording. The original recordings are then destroyed, while the digital copies are removed and stored in a highly secure, PCI compliant private cloud. The benefits of this approach include a significant reduction in the compliance burden facing the company, elimination of the need to maintain the quality of legacy recordings and a fully maintained and indexed solution that can be quickly accessed if/when required. Many organisations adopting this approach also find that it frees up valuable office space by allowing them to dispose of archaic and bulky storage area network (SAN) recording equipment that previously housed the data.
The big players in the card payment industry have second tier authentication solutions firmly in their sights. Once this happens, in the same way that Chip and Pin has become widespread in the last ten years, it will permanently close the security loopholes associated with CNP payments and legacy call recordings. However, we have no technology or timescales for this at the moment. It is all a ‘work in progress’.
Whilst standards such as PCI DSS have been put in place to stop today’s CNP calls becoming legacy recordings which pose a threat in future, it’s still too little too late. Legacy recording data is and will remain a security issue unless it is dealt with in a secure and compliant way.
By proactively asking yourself ‘What’s Your Legacy’ and finding out where there are weaknesses in security, you’ll ensure that sensitive payment card data is only seen or heard by those authorised to do so.
Matthew Bryars, CEO of Aeriandi