Many industries today are required to record and store customer calls for compliance reasons. Others choose to record calls for training purposes and to improve their customer service. This has resulted in huge banks of ‘legacy’ calls being built up, many of which contain sensitive payment and personal information that needs to be securely protected. Matthew Bryars, CEO of Aeriandi, discusses the issues facing many businesses regarding such recordings and explains what can be done to prevent sensitive data from ending up in the wrong hands.
We are all familiar with the phrase ‘your call may be recorded for training and monitoring purposes’ and most of us have little objection to it. We understand the need for companies to comply with regulations such as the Financial Conduct Authority (FCA) when handling payment transactions, and we know that our calls may be used to train future customer service employees. But do we know, or even stop to consider, how the content of our calls is managed?
Making these considerations could give rise to a number of questions: ‘Where are these legacy calls stored?’ ‘How are they protected?’ ‘Who can access them?’ ‘How long will they be kept?’ Not knowing the answer to these questions can be particularly concerning when you’ve made a payment over the phone and divulged all the information required by a criminal to commit fraud. If legacy calls are not stored securely then these sensitive details will remain at risk until either the recording is destroyed or the payment details expire, long after you’ve forgotten the call ever took place.
PCI DSS – keeping customer data away from prying eyes
The good news is that the implementation of the Payment Card Industry Data Security Standard (PCI DSS) will significantly reduce legacy concerns over time. While it is not a legal requirement for businesses to adhere to PCI DSS, the reputational and monetary risks associated with a customer data security breach are strongly encouraging vendors to ensure compliance is met. The latest version of the standard instructs businesses to:
Refrain from storing authentication data after it has been authorised;
Render all data unrecoverable once the authorisation process is complete.
There are a number of technologies available today which can help businesses to comply with PCI standards, ranging from rudimentary pause/record, through to secure telephone payment platforms that ensure sensitive payment information never enters the call centre in the first place, thus eliminating the legacy issue.
Securing your legacy archive
The bad news is that while the solutions above can solve the compliance issues facing businesses now and in the future, many have already been collecting and storing legacy data for decades, frequently archiving recordings onto tapes or discs. So how can they mitigate this security risk? Locking thousands of tapes in a secure vault is impractical and would make it almost impossible to access the data should it be needed for legitimate business reasons. This would be especially inefficient for public sector bodies that are required to respond to Freedom of Information (FOI) requests within 20 working days and therefore need to have call recordings readily accessible as well as secure.
Data analytics software that can automatically scan and delete sensitive information may be an option in the future, but the technology is not yet reliable enough to make it viable. As such, the best option for many businesses is to implement a secure legacy archiving solution. With this approach, old recordings stored on tapes or discs are digitised, the tapes destroyed, and the digital copies stored in a secure cloud that complies with PCI DSS.
This solution enables businesses to preserve the quality of call recordings, access data quickly and free up the office space that was previously taken up by recording equipment and tapes. Secure legacy archiving can also significantly reduce the compliance burden facing businesses that process card payments, making it quicker and easier for them to keep customer data secure and accessible.
In the not too distant future, the loopholes surrounding phone payment processes and legacy call recordings will be eradicated and increasing compliance with PCI DSS will ensure that secure data storage is standard practice. However, until that time it is necessary for businesses to be alert to the security risks posed by call recordings and ensure they have processes in place to keep their customers’ confidential data secure.