Dialing Back on Pause and Resume Ahead of the PCI DSS Countdown


Now that 2025 is here, the clock is ticking toward March 31, when PCI DSS version 4 standards become fully mandatory. Organizations that handle cardholder data have known since 2022 that these future-dated requirements were coming—and the more straightforward requirements already went into effect in 2024. However, the remaining requirements were phased in more slowly because they tend to involve more complicated solutions, larger financial investments, and perhaps even infrastructure changes.  

The PCI Security Standards Council itself acknowledges that “these requirements are complex for many entities to implement,” and it is planning to release more guidance later this month.  

In the meantime, getting the word out to payment processors that the popular Pause and Resume solution is not a compliant option has taken on increased urgency. The good news: There are actions organizations can take right now to protect payment transactions and descope them from PCI DSS across all engagement channels—voice calls but also AI voicebots and interactive voice response (IVR) systems using phone keypads and voice recognition, as well as instant messaging, chatbots, social media, email, SMS messages, web services, and mobile apps. 

The Risks of Relying on Pause and Resume 

“Stop/start” call recording in contact centers seems like a simple solution for avoiding sensitive payment card data capture, especially when the pause function is automated to minimize human error. But it ushers in a host of other data security vulnerabilities and compliance problems. 

The 12 high-level PCI DSS compliance requirements for contact centers involve 438 security controls covering everything from data and network security to telephony systems and access controls. Pausing recordings addresses only one small aspect—recorded calls—and leaves other areas vulnerable.  

While some organizations can pivot to digital engagement channels for payments, avoiding Pause and Resume entirely, it’s more difficult in industries such as financial services and insurance, where the customer journey often includes multiple touchpoints, with voice calls featuring prominently among them. In those industries, there are regulatory requirements that full, uninterrupted call recordings be maintained. 

What Happens Next? 

If organizations continue to use Pause and Resume after the PCI DSS version 4 requirements are in full effect, banks and credit card acquirers can impose substantial fees on payment processors that are not compliant, or they may elect to end business agreements entirely. Regulators would not impose fines unless a data breach were to occur. In that worst-case scenario, the fines could be substantial.

PCI audits and wider investigations become more comprehensive, costly, and complex when organizations have not descoped their contact centers. There are other potential costs as well, including diminished operations performance, substandard customer experience, and increased risk of expensive data breaches.  

If, on the other hand, organizations choose to utilize Sycurio’s patented payment method, their customers simply enter their card details using their telephone keypad, multi-lingual speech recognition, or secure digital payment links. Sycurio’s PCI DSS Level 1 Service Provider infrastructure ensures the transaction completely bypasses the organization’s contact center, which removes the organization from the complexity and costs of achieving and maintaining PCI DSS compliance. Hundreds of security control headaches vanish.

Sycurio provides the same security for organizations of all sizes, whether they process 1 million transactions a day or a few hundred, with tens of thousands of agents or a handful. From the customer perspective, the completely seamless experience is measurably better. From the agent perspective, receiving immediate feedback throughout the transaction, including immediate notification when it is successful or invalid, is invaluable.

Finally, Sycurio is a QSA Company and can sign off on certain Payment Card Industry requirements without engaging an external qualified security assessor, which reduces organizations’ external audit time and cost. 

Sycurio not only simplifies PCI DSS compliance, it also delivers complete peace of mind for customers. Protecting sensitive data safeguards your brand reputation and protects your staff. Discover how Sycurio can transform your contact center.