Banks and merchants are evaluating encryption technology that could ensure that audio recordings of calls made to their call centers do not violate the Payment Card Industry data security standard.
The PCI standards are designed to protect cardholders' account data anywhere in the payment chain. Though the standards are most often applied to merchants' payment systems, they also cover any recorded calls in which people disclose their card account numbers.
"That information is obviously available there in the recordings, so it becomes an area of risk," said Kristyn Emenecker, the principal consultant for solutions marketing at Verint Witness Actionable Solutions, a unit of Verint Systems Inc. in Melville, N.Y. Verint sells call center technology to banks and merchants.
A common way to protect this data is not to record it in the first place; call center systems can be configured to stop a recording when callers reveal their account details.
But Ms. Emenecker said that data security concerns are becoming more important to many financial companies and some are looking for data shields that leave no gaps in their recordings. Verint introduced a system Monday that can encrypt an entire phone call.
It worked with EMC Corp.'s RSA Security of Bedford, Mass., to offer RSA's Key Manager, an encryption key management tool, to its customers.
Three Verint customers are using the encryption product, including a large U.S. credit card issuer that Ms. Emenecker would not name, as well as an outsourcer and a mobile phone service provider.
Verint also introduced a feature for clients that do not want to use encryption. Previously, its software would store a call in two or more files, splitting the recording each time it was paused because a customer was disclosing confidential information. The software can now be configured to store all the pieces of a single call in a single data file.
The PCI standard describes how companies that store card data must protect it. Though it is generally associated with payment systems, such as merchants' point-of-sale terminals, the broader mandate is that any stored card data must be secured, wherever it resides.
Ms. Emenecker said that protecting customer data contained in archived phone calls is not usually a high-priority item for banks and merchants. "It takes them a while to get to this level," she said. "It's not one of the first systems that's looked at."
About 82% of call centers keep recordings, she said, and though she has not seen "anything that would lead me to believe this is a big area of threat among fraudsters," she also said that the information "is still there, and it is a vulnerability" that must be addressed under the PCI standard.
"The standard is clear as day," said Dave Howell, an RSA senior manager of solutions marketing. "The expectation is that organizations encrypt cardholder data in storage, wherever that data is stored."
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., agreed that protecting data in recordings is required under the PCI standard but that it may be overlooked by many companies with call centers.
The current standard practice is to determine when sensitive details are about to be divulged and either pause the recording or mask that portion of it with white noise, Ms. Litan said, but some companies have expressed concern that a determined hacker could find a way to remove the white noise.
In most cases not having the data at all is a better practice than encrypting it, she said. "The best thing for an issuer is to never store the card number at the call center."