Call centers routinely record calls for quality control and training purposes. In a recent survey by Veritape reported in The Register, 95% of the call centers surveyed were found to be storing credit card data, including the three-digit card security code (CVV2/CVC2) printed on the back of the card, in their call recordings. But only 39% of the 133 call center managers interviewed realized that they shouldn’t be doing this. Even worse, only 3% of the 133 (that’s 4 people, by my calculation) actually wiped credit card information from the recordings.
As the PCI Data Security Standard (DSS) says:
Sensitive authentication data must not be stored after authorization (even if encrypted).
PCI DSS Requirements and Security Assessment Procedures, v1.2.1 – July 2009. Footnote 2 on page 5.
It’s easy to concentrate on computer and network security – after all, that’s what we hear about all the time – but this survey suggests a failure to educate the staff who actually handle cardholder data on the security rules that apply outside the data center. A voice recording that captures a card security code is stored sensitive authentication data just as much as a database row is, and the PCI DSS prohibition applies to it in exactly the same way.