
I just made a new contract over the phone with my mobile phone provider and I needed to pay the activation fee. The lady told me that they could accept only credit cards and asked me for the full details (number, expiry date, and security code, the usual stuff) over the phone.

However, she took the details personally (to input them in whatever database they use) and the calls are recorded.

I am now concerned about the security of my information: not only does she have full access to my credit card, but so does whoever listens to the recording. It's a big and well-known provider, so I don't think they would do something shady, but it still bothers me. Is it really acceptable? Should I have refused?

(Note: I live in Switzerland and I don't know exactly what the data protection regulations are here)

schroeder
  • Assuming it is digitally recorded, and given your location, it would seem GDPR would place significant requirements on the provider and give you the opportunity to have them purge that data. https://gdpr-info.eu/art-17-gdpr/ – Sean E. M. May 06 '20 at 15:56

2 Answers


They are allowed to record everything but the SAD (Secure Authentication Data, the security code that's printed on the back of the card) as long as they encrypt the recording or otherwise scramble it. To quote the PCI SSC Information Supplement Protecting Telephone-Based Payment Card Data:

Use strong cryptography to protect any CHD that is stored - for example, in audio recordings or in a database - or otherwise render the stored data unreadable - for example, via truncation or hashing. Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment.

Other precautions are laid out, such as making sure call center employees do not have note pads or cell phones with which they can make copies of your card data.

Unfortunately, you have no way of knowing which precautions are in place. It's common for a merchant to take your call off recording for the recitation of card details, and return to recording after that's done. Usually this is announced to the caller, but it need not be. And there's no way for you to know what encryption they may or may not be using for the recordings.

For what it's worth, the risk you face here is no greater - and probably lower - than you face every time you hand your card to restaurant waitstaff and allow them to take it away in order to charge your card.

gowenfawr
  • For that matter, some call centers have systems that _kick the agent off that portion of the call_, specifically so that the agent never hears the credit card number, instead using voice recognition systems to save (and presumably tokenize) the card details. – Clockwork-Muse May 06 '20 at 16:45
  • How do I find out if they actually are/should be PCI compliant? Besides, _making sure call center employees do not have note pads or cell phones_ might be hard with this whole work from home situation... – user10149660 May 06 '20 at 18:44
  • Unfortunately, @user10149660, PCI compliance is not set up in a way that allows you, the customer, to have insight into the merchant's compliance status. – gowenfawr May 06 '20 at 18:47
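As an added illustration of the storage rule quoted in this answer (this is not code from the answer or from PCI SSC), here is a Python routine that scrubs a speech-to-text transcript of a call before it is stored: the PAN is truncated to the first six and last four digits, which PCI DSS accepts as rendering stored card data unreadable, and the security code is dropped entirely rather than masked. The transcript, the regular expressions and the 4111... test PAN are constructed assumptions; a real deployment would apply the same rule to the audio, not only to a text transcript.

```python
import re

# Constructed sample transcript; the PAN is a well-known test number that
# passes the Luhn check, and the security code is made up.
SAMPLE_TRANSCRIPT = (
    "Agent: Please read me the card number. "
    "Caller: It's 4111 1111 1111 1111, expiry 09/27, "
    "and the security code is 123. Agent: Thank you."
)

# 13-19 digits, optionally separated by spaces or dashes (assumed format).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Security code / CVV / CVC followed by 3-4 digits (assumed phrasing).
SAD_RE = re.compile(r"(security code|cvv2?|cvc)\s*(?:is|:)?\s*\d{3,4}", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_transcript(text: str) -> str:
    """Remove SAD outright and truncate any Luhn-valid PAN in the text."""
    # SAD must not be stored after authorization, even encrypted: drop it.
    text = SAD_RE.sub(lambda m: m.group(1) + " [removed]", text)

    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        # Only digit runs that pass Luhn are treated as card numbers.
        return truncate_pan(digits) if luhn_ok(digits) else match.group(0)

    return PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```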

Modern credit cards implement advanced security measures to protect from fraudulent transactions.

Credit card processors still accept outdated transaction protocols. They do so because of an agreement with the merchant, but the merchant takes full responsibility for disputed transactions.

By the way, the credit card holder name is never part of the transaction. See Q&A.

  • PAN and expiry date

This is the basic and less secure way to charge a card. Amazon still uses it. They take the risk.

In this case, the bank won't be reluctant to cancel almost any transaction you might want to dispute.

  • PAN, expiry date and CVV

Dispute terms are similar, but if you start to dispute a lot of transactions your bank might start to be suspicious.

  • PAN, expiry date, CVV2 and OTP

This is the toughest authentication, and this is the point I wanted to discuss. Now you will have a very hard time disputing a transaction. This mechanism keeps the merchant safer from disputes.

usr-local-ΕΨΗΕΛΩΝ