March 18, 2011

The PCI Security Standards Council has come out with recommendations for how to protect credit card information given over the phone in a call center.

Why focus on card data transmitted by phone now? According to Jeremy King, European director of the Security Council, call centers are a prime target for credit card theft. "We've seen the card-not-present space is one of those fraud areas that's growing," he says. "The criminals are targeting this because they can use some of the data they obtain through other measures in the card-not-present space." The Council's board of advisors and, in particular, BarclayCard helped put the guidance together.

One key takeaway for bank call centers: "If you don't need it, don't store it," King says. Certain data, such as CVC codes, should never be stored. Sometimes banks face a conflict between needing to record conversations with cardholders for quality purposes and complying with PCI data security standards that demand cardholder data be secure at all times. Call recording technology exists that can automatically block sensitive cardholder data from being recorded as it's being spoken or entered, King says. [We found one company, VPI, that says it uses analytics to identify sensitive authentication and account information and delete that information from the recording.]

Asked about standards for protecting mobile payment data -- a hot topic as Visa, MasterCard, PayPal, mobile carriers, Apple, Google and others push to get their versions of mobile payment technology accepted in the market -- King says the PCI Council is looking at these new technologies carefully. But the technology proposals change all the time and mobile payment pilots come and go.

"Call centers are an area we know criminals are targeting," King says.
