Dealing with a difficult data legacy

Customer call recording and storage is now standard practice across a variety of industries, as well as a Financial Conduct Authority (FCA) requirement in many cases. But these ‘legacy’ call recordings regularly contain sensitive payment and personal data that must be (but often isn’t) properly safeguarded.

‘Your call may be recorded for training and monitoring purposes’ is a phrase most of us have heard dozens of times when calling customer service helplines. It’s not surprising. In today’s customer-centric business environment, it makes good sense for companies to ensure the service being delivered is of the highest standard possible. Learning from real life examples is a great way to do just that. Furthermore, for a number of financial services institutions, call recording and storage is not a luxury, but an FCA legal requirement.

However, how much time have we as consumers spent thinking about what happens to that recording once it has been made? The answer is probably no more than a fleeting thought. The question becomes particularly pertinent if a payment is made as part of the call.

Card Not Present (CNP) payments, such as those made over the phone, do not currently require secondary authentication, for example, a PIN number to verify the purchase. This means that when making a phone payment, customers are divulging all of the information required for a third party to use their details for fraudulent activity. If that call is recorded, this fraud risk potentially remains present until either the recording is destroyed, which may not be for many years, or the card details divulged on the call expire. UK payment card details expire every three years. It’s not just card details either; personal information or account passwords could also be captured as part of a call recording, both of which represent risk to the customer if played back by anyone with criminal intent.

PCI DSS: Protecting customer data now and in the future
Recognising this risk to card payment information, the payment card industry (VISA, Mastercard, American Express etc.) constructed the Payment Card Industry Data Security Standard (PCI DSS) for any business that processes card payments. Now in its third iteration, PCI DSS V3 consists of 12 requirements designed to maximise the security of all customer payment card information and minimise the risk of fraud. In the context of phone payments, PCI DSS stipulates:

“Do not store sensitive authentication data after authorisation (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorisation process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data only if: there is a business justification, and the data is stored securely.”

The standard goes on to recommend that where technology exists to help prevent the recording of sensitive data, such technology should be enabled. This could take the form of pause/record solutions to prevent payment data being recorded. However, a far more effective solution is the adoption of a secure telephone payment platform, which ensures sensitive payment data never enters the business in the first place. Instead it is processed off-site by a (PCI DSS compliant) third party, ensuring all PCI obligations related to phone payments are removed from the company itself, barring Requirement 12 – ‘Maintain a policy that addresses information security’.

Adherence to PCI DSS is not a legal requirement. However, the payment card industry has the power to issue severe fines for non-compliance, while reputational damage resulting from a breach could potentially be far more harmful than any monetary fine. As such, more and more merchants are now working closely with their acquiring banks and security specialists to ensure compliance is not only met, but also maintained.

Mitigating the legacy risk
But what about the legacy call data which companies having been acquiring over many years? How can the risk posed by this be mitigated? One solution is to physically lock all archived tape/digital recordings away in a dark vault somewhere. Technically this would help to achieve PCI DSS compliance, however it is far from practical for many.

Not only does FCA requirements dictate that all recordings must be ‘easily accessible’ for six months, but the Freedom of Information act also states that any request received must be answered within 20 working days. As such, any public sector organisation that receives an ill-timed request could quickly come a-cropper if it can’t swiftly access and retrieve legacy calls.. Old tapes will also deteriorate over time, meaning that in just a few years’ time they could be very difficult to play back effectively.

A number of technology vendors are starting to advocate the use of analytics software as an alternative. In theory, this software can scan through legacy recordings and automatically redact sensitive payment information. It’s an interesting concept but in reality this technology is yet to achieve a level of reliability that makes it commercially viable.

A third option is to implement secure legacy archiving. This approach involves the digitisation of any legacy recording tapes or disks to preserve the quality of the recording. The original recordings are then destroyed, while the digital copies are removed and stored in a highly secure, PCI compliant private cloud.

The benefits of this approach include a significant reduction in the compliance burden facing the company, elimination of the need to maintain the quality of legacy recordings and a fully maintained and indexed solution that can be quickly accessed if/when required. Many organisations adopting this approach also find that it frees up valuable office space by allowing them to dispose of archaic and bulky SAN recording equipment that previously housed the data.

The card payment industry is closing in on second tier authentication solutions that will permanently close the security loopholes associated with CNP payments and legacy call recordings. Similarly, standards such as PCI DSS have been put in place to prevent legacy recordings posing a threat in future. However, until these security stars become fully aligned, legacy recording data remains a security issue that businesses should not neglect. Thankfully, today there are many effective ways to deal with the risk it poses in a secure, compliant manner. By tackling the legacy issue proactively, businesses can ensure that sensitive payment card data remains away from prying eyes.