UK merchants that have yet to make themselves compliant with PCI DSS regulations could be sitting on up to one billion 'toxic legacy call recordings' containing financial data, payments security firm Aeriandi has claimed.

The company didn't offer any evidence beyond anecdote to back up the assertion during its presentation at the PCI London Conference this week but said it was convinced that the data held in these calls – usually generated when consumers buy goods over the phone - could present a significant security risk.

Merchants record the calls as they are required to by the Financial Conduct Authority (FCA) for use in the event of a dispute between the two parties.

Despite a lack of protocols for securing the calls, some firms had stored them going back up to seven years, creating an inadvertent conflict with the Payment Card Industry Data Security Standards (PCI DSS). 

“We believe up to one billion call recordings containing toxic legacy data now exist in the UK as a subset of the tens of billions of overall call recordings made over the past seven years,” said Aeriandi's CEO of card security, Matthew Bryars.
“While it’s fine for most call recordings to be stored in any old storage system, any legacy toxic call recordings must be stored within PCI DSS requirements,” he said.

One brand name firm found it had 140 million old calls, a third of which contained financial data, he said.

“ In most cases toxic legacy data is an issue that most business leaders either don't know exists, or have yet to address,” said Bryars.

Few firms had yet to migrate this 'toxic data' into a secure format, he said. “These merchants have an obligation to wake up to the issue of legacy toxic call recordings, and take urgent steps to deal with it,” he said.