More than a billion old call recordings containing millions of payment card details are being stored by thousands of UK merchants in environments that fail to comply with Payment Card Industry Data Security Standards (PCI DSS), experts have revealed.
These recordings, referred to as toxic legacy call recordings, affect large UK merchants ranging from household retail brands to local government authorities.
Thanks to insufficient data security protocols, these card details can be accessed, downloaded and sold on the black market, security experts claimed at the PCI London conference on July 2, 2013.
The consequences for Level 1 and Level 2 merchants falling foul of PCI-DSS due to non-compliance or compromised payment card details includes fines of up to £500,000 per breach. In addition, perhaps most costly of all, is the huge potential damage to an organisation’s brand itself.
The issue of toxic legacy data has come about because many organisations are required by the Financial Conduct Authority (FCA) to retain and protect call recordings in case they are needed during the resolution of complaints or disputes, or for regulatory reasons. Some companies subject to financial sector regulations have policies to store recordings for up to seven years.
However, FCA rules conflicts with PCI DSS regulations that only permit merchants to store payment card details for a legitimate reason and, if they have to, to protect that data to the PCI standard. Although new methods can stop payment card data being recorded during calls made today, historical calls recordings stretching back many years do contain payment card data, and these recordings foul of the PCI regulations.
Recent figures from the UK Cards Association show Britons spend almost half a trillion pounds on plastic each year, with nearly 10 billion separate card transactions taking place. Of these card transactions, 256 million were made over the telephone in 2012 according to UK Payments Administration.
Matthew Bryars, CEO of card security software specialists, Aeriandi, estimated that while the proportion of recorded calls that contain payment card data will vary, they could easily rise above 50% in contact centres processing large numbers of card not present (CNP) transactions.
Bryars explained: "We believe up to one billion call recordings containing toxic legacy data now exist in the UK as a subset of the tens of billions of overall call recordings made over the past seven years. While it’s fine for most call recordings to be stored in any old storage system, any legacy toxic call recordings must be stored within PCI DSS requirements."
Bryars cited the example of a tier one merchant, a household brand, that processes six million card payments at its contact centres each year. This company alone was found to hold more than 140 million old call recordings, up to a third of which contained payment card details, that had to be shifted into a secure, PCI-compliant repository.
He said: "This example is the exception in that it took rapid steps to address the problem. In most cases toxic legacy data is an issue that most business leaders either don’t know exists, or have yet to address."
Payment card data stolen from call recordings is most likely to be used for CNP fraud, which cost UK merchants £220.9 million in 2011. CNP has become the largest segment of card fraud, accounting for 65% of all card losses according to the Financial Fraud Action (FFA UK).
Bryars concluded: "Over the past 24 months I’ve met with many public and private sector organisations that take payment card data over the phone and – without exception – they all recognise that they have inherited a major toxic legacy call recording problem.
"However, few have yet to take any meaningful steps to migrate this toxic data into a secure and compliant data centre which means, for now at least, there is a very juicy new payment card target for opportunistic bad guys to exploit. These merchants have an obligation to wake up to the issue of legacy toxic call recordings, and take urgent steps to deal with it."