recording and storing CVV details illegal?

t3rm3y

I was under the impression that a company cannot record and/or store a CVV number (3 digits), its ok to record the long number, but they have to pause, turn off or have a recording system which does not record the 3 digits i.e. if entered into the phone the recording stops when dial tones are detected..

I just rang EE to pay an over due bill(their mistake, not mine) and started to give my details then asked if calls recorded and I was told yes, so i asked if they pause or stop the recordings for my card details but the girl said he has no way to interact with the record, its just on the system - so if this is the case EE (possibly other mobile providers) will have all these illegal recordings and i would like this reported and investigated - who should i go to to do this?
i imagine the recordings are relatively safe and secure, possibly in a data centre, but we all no hackers get into anywhere these days, and it only takes a disgruntled employee with necessary access to leak data.

or she may have been wrong and EE dont record them, but i would still like it looked into.

Or, i may be wrong and they are allowed to record the number as long as as a certain level of encryption or something is used? but i still didnt think you could do this...

chattychappy

Nothing "illegal" in the sense there is a law about these things. (Except perhaps data protection which wouldn't really apply here.)

The merchant agreement would govern this sort of thing. An organisation such as EE would likely have a merchant agreement which allows them to do what they do.

EarthBoy

It's not illegal to record the CVV, i.e. there's no law against it. I think it contravenes the PCI DSS, i.e. the Payment Card Industry Data Security Standard, but I don't know how legally enforceable that code is.

I think few call centres would be able to record a call whilst blocking the CVV. In the only one I know of the operator has to physically press a button to switch the call recording off whilst the card details are being taken. I wouldn't trust any system which claims to be advanced enough to do this automatically.

Personally, I wouldn't bother complaining as I suspect most call centres are the same. If you want to pursue it you need to follow EE's complaints procedure first.

t3rm3y

thanks for replies, if its standard practice then so be it, i was just under impression it was not allowed, but i could only find stuff to do with a PCI SSC ruling. thank for replies though chaps.

meer53

I don't know what you're worried about really.

Just take a second to stop and think about how many times a day card/bank details are given over the phone/internet. How many times a day are cards physically used in stores ? A bit of perspective is needed here.

jonesMUFCforever

t3rm3y wrote: »

I was under the impression that a company cannot record and/or store a CVV number (3 digits), its ok to record the long number, but they have to pause, turn off or have a recording system which does not record the 3 digits i.e. if entered into the phone the recording stops when dial tones are detected..

I just rang EE to pay an over due bill(their mistake, not mine) and started to give my details then asked if calls recorded and I was told yes, so i asked if they pause or stop the recordings for my card details but the girl said he has no way to interact with the record, its just on the system - so if this is the case EE (possibly other mobile providers) will have all these illegal recordings and i would like this reported and investigated - who should i go to to do this?
i imagine the recordings are relatively safe and secure, possibly in a data centre, but we all no hackers get into anywhere these days, and it only takes a disgruntled employee with necessary access to leak data.

or she may have been wrong and EE dont record them, but i would still like it looked into.

Or, i may be wrong and they are allowed to record the number as long as as a certain level of encryption or something is used? but i still didnt think you could do this...

Why not pay by internet banking then rather than on the phone?

st999

Why not pay by internet banking then rather than on the phone?

What and have his neighbour who is hacked into his computer know all his banking details?

grumbler

meer53 wrote: »

I don't know what you're worried about really.

Just take a second to stop and think about how many times a day card/bank details are given over the phone/internet.... A bit of perspective is needed here.

Indeed. Companies store full card details, but security of their online accounts is typically much worse than of banks' online accounts.
There were many cases of Betfair accounts hacked, money deposited from a registered card and 'lost' to an accomplice with BF account. Betfair typically just wash their hands. So do the banks when it comes to disputed gambling transactions.

This could never happen if the CVV wasn't stored.

How many times a day are cards physically used in stores ?

And? The CVV exists exactly to make cardholder not present transactions more secure as the main card details are far too easy to get compromised.
Ideally, the CVV has to be checked by the payment provider directly (like VBV, MCSC), bypassing the retailer.

Roger1

I have seen hotel reception staff copying CVV details on checking in. Totally wrong as hotels can charge extras after checkout if necessary without CVV details.

Once was in South Africa, checking in at a 4* hotel in Cape Town. The SA system requires the hotel to note:

• name
• home address
• passport details
• phone numbers

Add credit card number (already given on reservation) and CVV info and you have the perfect opportunity for Identity Theft. :mad:

I protested and they said they would delete the CVV info.

It happened again last week at a 5* hotel in Shannon. Room was invoiced to British Airways (irrops) so the card info was for any extras. They said they would delete the CVV info.

CVV info is for 'card not present' transactions, typically online and on the phone. Other use is dishonest, potentially criminal and must be outside the merchants' T+Cs.

debtfreeby30:S

Just out of interest Roger1 how do you expect a hotel to charge for extras after checkout without the CVV code if it is required for card not present transactions? Yes, they could run it through as a card present transaction and pretend you signed the receipt but surely this option is even worse than not entering the CVV code?

xHannahx

I don't know about the mobile phone companies, but certain regulated businesses have to record all calls in full. They would be in breach of regulations if they didn't record you giving the CVV code. Those regulations also stipulate how long the call has to be saved for.