UK retailers are sitting on a mountain of “toxic” payment card recordings – gathered from over a billion phone calls made to call centres before new methods were introduced – which could be ripe pickings for data thieves.
That is the dire warning being issued by security specialist Aeriandi, which claims historical recordings stretching back many years are being stored without adequate protection.
The issue of so-called “toxic legacy data” has been exposed by new rules issued by the Financial Conduct Authority (FCA), which state retailers must retain and protect call recordings in case they are needed during the resolution of complaints or disputes, or for regulatory reasons.
Some companies subject to financial sector regulations have policies to store recordings for up to seven years.
But while new methods can stop payment card data being recorded during calls made today, up to a billion calls – containing tens of millions of card details – are sitting in companies’ data banks.
FCA rules sit uneasily with the payment industry's own standard, PCI DSS, which permits retailers to store payment card details only where there is a legitimate business reason and, where they must be stored, requires that data to be protected to the PCI DSS standard.
Recent figures from the UK Cards Association show Britons spend almost £500bn on plastic each year, with nearly 10 billion separate card transactions taking place. Of these card transactions, 256 million were made over the telephone in 2012, according to UK Payments Administration.
Aeriandi chief executive Matthew Bryars estimates that, while the proportion of recorded calls containing payment card data will vary, it could easily rise above 50% in contact centres that process large numbers of card transactions.
Bryars said: “We believe up to one billion call recordings containing toxic legacy data now exist in the UK as a subset of the tens of billions of overall call recordings made over the past seven years. While it is fine for most call recordings to be stored in any old storage system, any legacy toxic call recordings must be stored within PCI DSS requirements.”
Bryars cites the example of one household brand, which processes 6 million card payments a year at its contact centres. This company alone was found to hold over 140 million old call recordings, up to a third of which contained payment card details, that had to be shifted into a secure, PCI-compliant database.
He said: “This example is the exception in that it took rapid steps to address the problem. In most cases toxic legacy data is an issue that most retailers either don’t know exists, or have yet to address.”
Bryars said: “Few companies have yet to take any meaningful steps to migrate this toxic data into a secure and compliant data centre, which means, for now at least, there is a very juicy new payment card target for opportunistic bad guys to exploit. These merchants have an obligation to wake up to the issue of legacy toxic call recordings, and take urgent steps to deal with it.”