You shop, they drop, someone else steals your cash...
 

A sector out of control. Shopping by phone puts millions of callers at risk of fraud and identity theft

Posted by Martyn Warwick, 19 October 2009
Tags: legislation standards Fraud identity theft storage call centres

Do you worry about the security of your data when required to give financial and other personal details over the phone to a call centre agent? Well, a new survey of the UK's call centre managers confirms that you are absolutely right to be concerned, as Martyn Warwick reports.

A nationwide poll of call centre managers by audio recording company Veritape shows that 97 per cent of call centres routinely and consistently either ignore or deliberately flout data security rules and best practice by keeping confidential personal records (including PIN and security codes and other sensitive customer data) on insecure servers within the call centre itself rather than deleting the records or locating the data elsewhere in guaranteed secure surroundings and circumstances.

Such practices are in direct contravention of global standards promulgated by the industry body the Payment Card Industry Data Security Council and demonstrate that voluntary regimes like this are little more than a PR-inspired sop designed to allay public concerns but, in practice, are unenforceable and completely without teeth or meaningful sanction.

For its survey, Veritape questioned 133 British call centre managers and found that just three per cent of them comply with industry guidelines - truly an indictment of the basic worthlessness of self-regulation in this hugely important area.

What sanction can the PCI possibly take against those that so blatantly and regularly ignore its rulings? Drum them out of the club? Send them a sharply-worded rebuke? Report them to the Data Protection authorities? No, of course not. If it did that it would be like a turkey voting for Christmas - and someone's sinecure of a job would disappear.

As the research shows, the truth of the matter is that rather than deleting details of transactional conversations with customers - as they are required to do - 19 out of 20 call centres just store them, insecurely and indefinitely.

The Managing Director of Veritape, Cameron Ross, says: “The storage of this actionable data creates a huge reservoir of sensitive information that is putting the financial resources of millions of people at risk. This practice ought to send a shiver up the spine of card holders and is wholly unnecessary.”

PCI regulations state that the three-digit security code on the back of credit and debit cards cannot be retained and stored. Further, they require that "sensitive authentication data" must not be stored after authorisation - even in encrypted format. However, the great majority of call centres simply ignore the rule and keep the details anyway.

As Cameron Ross adds, “What we have is a global industry standard that is routinely ignored by call centres throughout the UK. The storage of this actionable information is putting the financial resources of millions of people at risk. Despite clean desk policies and the use of encryption, successful hacking incidents are rising steadily.”

And so they are. It's already easy enough for hackers to gain access to credit and debit card numbers, as the lamentable state of UK computer security and the appalling numbers of incidents where the personal data of tens and hundreds of thousands of individuals is lost and compromised show only too well.

