Why not to trust call centres with your Credit Card. And why PCI fails in the real world.

CallCentre1 is PCI compliant. They do not store any credit card data in their databases. When a customer makes a payment with their details, it goes straight through their systems over a secured channel to a payment gateway.

Staff at CallCentre1 also get basic ‘PCI compliance’ training which outlines the relevant section to their daily duties. “Don’t tell a customer their Credit Card details for confirmation, get them to tell you” and the like.

So let’s say a hacker were to infiltrate CallCentre1. If the company were PCI compliant there shouldn’t be any sensitive CC data laying around which the hackers could take, right?
PCI states clearly that ALL data containing this information (and any networks/systems attached) need to meet a certain set of security baselines to be compliant. Therefore the terminology of ‘ALL DATA’ must be adhered to.

Now here is the problem. I have recently noticed what appears to be a breakdown somewhere. Albeit probably a lack of understanding/training (on part of CallCentre1 or PCI Auditor2) an issue has risen which shows that ‘ALL DATA’ is not being understood by someone.

— Let me back paddle into a little story —

The other day I was at a friend’s house having a BBQ. As we enjoyed a few cold beers on the balcony I asked my friend “Where’s your wife?”. “Ah just inside finishing some work off” was the reply. I wasn’t entirely sure what Sally did for work but I knew it was Call Centre related.

As it was my turn to grab the beers and use the bathroom, I wandered through his house until I walked past Sally’s office. As I walked I heard that she was listening to audio on her laptop of a phone call (Call Centre related I assumed). Next thing I know I hear over Sally’s speakers “So it’s a Mastercard.. ugh.. five-oh-six-three….”. As I continued past to use the bathroom I heard the rest of the conversation. Name, Address, Phone Number etc etc.

— back to the point —

Call Centres are under high pressure to perform, and perform ‘good’. When a Call Centre operator calls you, you know how they say at the beginning “This call may be monitored for training purposes” and you agree? This is what I’m talking about.

Call Centres actually save and store ALL calls (The ones I have investigated anyway). Only random selections of these stored conversations are selected by the operator to listen to. This is so their supervisors can give them Quality Assurance ratings to show superiors performance statistics (and perhaps incentives for the staff member). All of the other calls are still stored for lengthy periods of time, and this will be set by company policy. High ‘performance’ call centres, like I said before are under pressure to perform – and this means not losing money, but making money.

These calls are ‘saved’ so if a customer was to call and complain, or dispute a payment or take any type of action, the company and pull the call as evidence. Especially considering legal actions, both internal and external.

And what if this was a sales based call centre? Or a particular sales queue in another type of functioning centre?  How long are these files kept, who can access them, and how are they secured so unauthorised users cannot listen to them?

There are people employed (sometimes mid-level managers, or even low team leaders) who listen to these calls to mark their staff on performance. This is quite a range of ‘low’ privileged people listening to full Personally Identifiable Information and FULL credit card details.

So I asked Sally what she was doing, how it worked and how she was listening to those calls. She provided me with all the information I have stated above (which made me worry a little). She also told me ‘this is how they work at a number of Call Centres she has worked’.

How did Sally get the .wav files remotely to her laptop at home? It could be a one of a hundred un-secured ways, but the answer was… *drum roll*… she emailed it to her personal email account, and downloaded them to her home computer, and listened to them there. Awesome.

Sally already saw where I was going with my questions and shared that she deletes all trace of these .wav files when she is finished and that the ‘remote access system at work’ doesn’t work properly so everyone does it this way.

So I return to my point. I know PCI states ‘ALL DATA’ with CC information needs to be compliant and situations like the above should not happen. But I know CallCentre1 have undergone PCI compliance testing and training. So which one has failed here? And what about the other ‘Call Centres’ that are exactly the same? These are ones who are ‘PCI compliant’ and some of the biggest in Australia. Regardless of how those .wav files got out of the company, I can guarantee you a lot of companies will be overlooking the security of stored phone calls in these type of Centres – and legit staff emailing them out is probably the least of their worries.

If malicious actors had some type of brain I would imagine they would be already exploiting this avenue. I could write another 7 pages on what/how they could get that data which would probably be more confronting, but I will leave this post here as a ‘food for thought’.

If I see this and think ‘Oh shit, even I could break into that company and leech those .wavs’ than I’m sure a lot of other nefarious characters could too.

One thought on “Why not to trust call centres with your Credit Card. And why PCI fails in the real world.

Comments are closed.