The BBC NEWS has posted an investigation that explains credit card fraud in Indian call centers. They did a far better job than many companies I have worked with that have claimed to provide assurance and security assessment services in India:

A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man after receiving a tip off.

The reporters went undercover. They meet with a man in a cafe who sells them credit card records for $10/record in bulk.

In Delhi they say you can buy anything…about one in seven card numbers we bought were valid…

The reporters then contact the cardholders to alert them and they interview one man.

We saw a pattern. Two other customers had bought the same Norton program after dialing the same number. That suggested a breach of security at the call center handling sales of that Norton product.

Symantec of course called this an isolated incident and “one employee had been removed”. Very convincing security.

In India, in the last fourteen years, there has only been one successful prosecution for the misuse of details stolen from call centers and even that led to a non-custodial sentence.

The BBC then asks the man who sold them the credit card data to explain why he is doing it.

Sounds like it is about time for some India data protection regulation. Will the payment card brands crack down on the call center companies?