Dealing with a Difficult Data Legacy
Many industries now record and store call recordings as part of their standard practice, and some are even required to do so by the Financial Conduct Authority (FCA). While customers may be aware that this is happening, they are still largely in the dark about what happens to their personal information once it has been recorded. According to Matthew Bryars, CEO of Aeriandi, many companies are not doing enough to keep these ‘legacy’ call recordings secure.
Recording customer calls is a great way for businesses to train staff, improve their customer service and also comply with legal requirements such as the FCA Code of Conduct. Most of us therefore don’t bat an eyelid when we are told that our call ‘may be recorded for training and monitoring purposes’. However, if these call recordings are not sufficiently protected, customers could be put at risk of fraud and identity theft.
At present, a secondary authentication (like a PIN number) is not required to make Card Not Present (CNP) payments, such as those made over the phone. Therefore, when recording customer calls, a business is recording and storing information that, if in the wrong hands, could be used to make fraudulent payments. This risk remains present as long as the call recording or card details exist. It’s not only card details that are at risk either, but also personal information and account passwords which are attractive to criminals looking to commit fraud.
PCI DSS – securing customer data
The card payment industry (VISA, Mastercard, American Express etc.) have recognised this threat and responded by creating the Payment Card Industry Data Security Standard (PCI DSS) for all businesses that process card payments. The latest version, PCI DSS V3, consists of 12 requirements designed to protect customer information from fraud and other security risks. Regarding phone payments, PCI DSS stipulates that companies should erase or render unrecoverable all sensitive authentication data once the authorisation process has been completed, unless there is a strong business case for storing the data (in which case, it must be stored securely).
PCI DSS advises businesses to use technology where possible to help prevent the recording of sensitive data, such as pause/record solutions. It is more effective, however, for businesses to adopt a solution that ensures sensitive payment data does not enter the business in the first place. This can be achieved by having all payments processed off-site by a PCI DSS compliant service provider, transferring the PCI obligations related to phone payments from the business to the third party provider. When phone payments are processed off-site, however, it remains the responsibility of the business to ‘maintain a policy that addresses information security’, as outlined in Requirement 12 of PCI DSS.
While it is not a legal requirement to adhere to PCI DSS, the payment card industry can issue hefty fines to those who do not comply. More significantly, the reputational damage that can result from a data breach makes it advisable for companies to comply with this payment standard.
Reduce the risk of storing sensitive legacy data
These solutions address the security risks of future phone payments, but what about those huge stacks of dusty tape recordings that hold thousands of customers’ sensitive information? How can the same level of protection be applied to them? The need to access this data quickly to comply with FCA requirements, or in the case of an FOI request where public sector organisations are obligated to respond within 20 working days, means locking these tapes away is impractical. Also, storing legacy recordings on tapes becomes even more problematic as they begin to deteriorate. This can happen in just a few years, making them very difficult to play back effectively.
One alternative that some technology vendors are suggesting is the use of analytics software. This software can scan through call recordings and automatically redact sensitive payment information. It’s a great concept but the technology is not currently reliable enough to make it a viable option for businesses. A more practical and reliable option is to implement secure legacy archiving. By digitising the legacy recordings stored on tapes or discs the quality of the recoding can be preserved and the original recordings destroyed. The digital copies can then be moved to a highly secure, PCI compliant private cloud.
The benefits of this solution include :
- Reduction in the compliance burden facing the company
- Elimination of the need to maintain the quality of legacy call recordings
- Removal of the need for a maintained and indexed solution that allows quick access to the data
- Freeing up of valuable office space previously dominated by recording equipment and mountains of tapes.
In the near future, second tier authentication solutions for CNP payments will be just as familiar as the phrase, ‘your call may be recorded for training and monitoring purposes’. This will eradicate the security loopholes surrounding phone payments and prevent legacy call recordings posing a threat to customers’ data security. Until then, however, legacy data remains a security issue that businesses must address, using a secure and compliant payment solution.[su_box title=”About Matthew Bryars” style=”noise” box_color=”#336588″]Matthew Bryars, CEO at Aeriandi, Shortly after completing a Masters degree in physics from University College London, Matthew was one of the first to see the potential for highly secure, cloud-based business services – and promptly co-founded Aeriandi. Matthew quickly applied his problem solving skills to the business world and has been responsible for building the company from a start-up to a well renowned business – running services for some of the world’s largest banks and contact centres.
Although the business has grown substantially, Matthew still takes a hands-on approach and remains actively involved in the development process, getting most fulfilment from delivery of high quality, relevant solutions based on the company’s hosted multi-channel platform.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.