The overwhelming majority of UK contact centres are storing audio recordings of calls that contain customer credit card details - in direct breach of PCI DSS guidelines, according to a poll from Veritape.
The call recording vendor, which polled 133 contact centre managers, says the centres are creating a vast reservoir of sensitive data that could be exploited by hackers.
More than nineteen in twenty of the centres which store recordings of transactional conversations with their customers do not delete or mask the credit card details.
This is despite the fact that clause 3.2.2 of the PCI Data Security Standard sys: "Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions."
The poll shows that just 39% of respondents are aware of industry guidelines that stipulate that call centres must not store credit and debit card information once a transaction is complete. Just three per cent of call centres contacted by Veritape were compliant with the guidelines.
When asked why they are not compliant, 61% say they were unaware of guidelines. A further 18% are aware but say they couldn't comply for technical or budgetary reasons. Some - 11% - are aware but were ignoring it.
Cameron Ross, MD, Veritape, says: "What we have is a global industry standard that is routinely ignored by call centres throughout the UK. The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk."