Call Centers Not Erasing Credit Card Data from Audio Recordings

Call centers routinely record calls for quality control and training purposes. In a recent survey by Veritape reported in The Register, 95% of the call centers surveyed were found to be storing credit card data such as the three-digit verification numbers from the back of the cards in recordings of calls. But only 39% of the 133 call center managers interviewed realized that they shouldn’t be doing this. Even worse, only 3% of the 133 (that’s 4 people, by my calculation) actually wiped credit card information from the recordings.

As the PCI Data Security Standard (DSS) says:

Sensitive authentication data must not be stored after authorization (even if encrypted).

PCI DSS Requirements and Security Assessment Procedures, v1.2.1 – July 2009. Footnote 2 on page 5.

It’s easy to concentrate on computer and network security – after all, that’s what we hear about all the time – but it seems that we might have a failure to educate critical staff on security that applies to other areas of business.

