Call centres are putting shoppers at risk of fraud by failing to keep their credit or debit card details secure, an investigation has revealed.
Although the Payment Card Industry Data Security Standard lays down that companies taking payments over the telephone must not store sensitive information such as three-digit codes, it has been claimed that as many as 97% of call centres are breaking these rules.
The investigation, carried out by security firm Veritape, found that call centres used by retailers are not only breaking the rules, but many are not even aware that rules are in place.
Although call centres are allowed to record telephone calls for security and training, they are obliged not to store “sensitive authentication data […] after authorisation even if encrypted”.
This information includes the three- or four-digit number on the front or back of payment cards. Fraudsters can use these sensitive details to clone the card and someone’s identity.
“What we have is a global industry standard that is routinely ignored by call centres throughout the UK,” says Cameron Ross, managing director of Veritape.
His firm’s research found that 61% of call centres were unaware of the rules, while 18% were aware but didn’t comply because of technical or financial reasons. Just 3% of firms surveyed complied with the rules.
Ross says that millions of people have been left at risk of fraud because of the blunders. Already, conmen appear to be successfully targeting businesses to steal sensitive data.
Verizon Business, Veritape’s sister company, reports that 81% of businesses that had their data stolen in 2008 were not compliant with security standards.