More than a billion ‘toxic legacy calls’ breach PCI rules

28 June 2013
By Edd Gent
More than a billion call recordings of payment card details held by UK firms are in breach of regulations

More than a billion “toxic legacy call recordings” containing card details are putting UK firms at risk of massive fines.

Thousands of UK merchants are still holding phone calls containing customers’ card details in environments that fail to comply with Payment Card Industry Data Security Standards (PCI DSS), according to Matthew Bryars, CEO of IT outsourcing company Aeriandi, who will speak on the topic at the PCI London conference on Tuesday.

The penalties for falling foul of PCI DSS, whether through non-compliance or compromised payment card details, include fines of up to $500,000 per breach, on top of the potential damage to an organisation’s brand reputation.

And with many firms keeping recordings in older, less secure data centres, Bryars says cyber-criminals could easily use speech analytics software available on the internet to access, download and sell these card details on the black market.

“These applications could allow you to mine the data,” he says. “They are not hugely accurate but you only need an accuracy of 10 or 20 per cent to get a huge amount of credit card details out of a relatively small pot of data.”

The issue of toxic legacy data is the result of Financial Conduct Authority (FCA) requirements to retain call recordings in case they are needed during the resolution of complaints or disputes or for regulatory reasons, with some companies storing recordings for up to seven years.

But the FCA rules conflict with the PCI DSS regulations, which permit merchants to store payment card details only for a legitimate reason and, where they have to store them, require that data to be protected to the PCI standard.

Though new methods like “pause resume” recording and the use of touch tones can now stop payment card data being recorded, many historical call recordings fall foul of the PCI regulations.

“There are still businesses recording this data,” says Bryars. “Organisations are becoming compliant going forward so they are not recording card details on phone calls, which is great. But they are not looking back at the huge volume of calls they’ve got stored.”

Figures from the UK Payments Administration show 256 million card transactions were made over the telephone in the UK in 2012 and Bryars has estimated that up to one billion call recordings containing toxic legacy data now exist in the UK.

“What we are hoping to do is open people’s eyes to the awful lot of credit card data held in these recordings on site,” says Bryars, whose firm specialises in PCI-DSS compliance.

“Over the past 24 months I’ve met with many public and private sector organisations that take payment card data over the phone and, without exception, they all recognise that they have inherited a major toxic legacy call recording problem.

“However, few have yet to take any meaningful steps to migrate this toxic data into a secure and compliant data centre which means, for now at least, there is a very juicy new payment card target for opportunistic bad guys to exploit.

“These merchants have an obligation to wake up to the issue of legacy toxic call recordings, and take urgent steps to deal with it.”
