Is Pause and Resume making your call center vulnerable to data security breaches?

Many call and contact centers still rely on Pause and Resume as their go-to method for avoiding recording sensitive payment card data on phone calls. The process is triggered when a customer service representative (CSR) temporarily pauses or mutes the recording of a phone call at the point of payment, typically when a customer is ready to read out their payment card details, while the CSR inputs the shared credit or debit card numbers into a payment page or system for processing. Once the payment has been made, the recording resumes and continues capturing the remainder of the call/conversation.

At first glance, Pause and Resume might seem like a safe, simple, and compliant way of taking payments over the phone. But it can inadvertently expose contact center staff and the wider contact center infrastructure to sensitive payment data, potentially leaving them in serious breach of Payment Card Industry Data Security Standard (PCI DSS) compliance and other regulations.

But what exactly are Pause and Resume’s flaws, and are there any workable alternatives that can help contact centers achieve better data security and ensure PCI DSS compliance?

The hidden trap of Pause and Resume and why it’s a data security risk

On the surface, Pause and Resume seems like a quick-fix solution for businesses taking payments over the phone, allowing them to comply with PCI DSS regulations while maintaining the ability to record customer conversations.

With financial regulators, such as the Financial Industry Regulatory Authority (FINRA) in the US and the Financial Conduct Authority (FCA) in the UK, mandating an uninterrupted recording of customer calls in certain contexts, have contact centers really got it covered? Pausing and resuming call recordings means that companies have incomplete records of conversations and transactions, making the entire recording useless when investigating disputes or carrying out audits.

Manual Pause and Resume systems, for instance, rely on CSRs remembering to record, pause, and resume calls at the right time throughout customer conversations, leaving the door open for human error or manipulation. This can lead to unethical customer conversations not being included on recordings.

However, automated Pause and Resume solutions are not the answer either. While they can reduce human error, they too are not the magical fix. Often, they require complex integrations with other systems and technologies to operate correctly and provide relevant information in dispute resolution cases.

A data security illusion

Pause and Resume solutions can create a dangerous illusion of data security. The problem extends far beyond the recorded call itself. Astonishingly, whether you are using manual or automated Pause and Resume systems, CSRs can still hear customer payment information being read out while the recording is paused, and they are then required to input the numbers into their systems. This leaves sensitive, highly confidential financial data exposed to contact center staff and allows it to permeate the wider call center environment, including desktops, IT systems, the physical environment, and telephony, making organizations extremely vulnerable to fraud and severe data breaches.

The PCI DSS is clear – all merchants and service providers that take or store customer payment data over the phone need to comply. Comprising 12 high-level compliance requirements, PCI DSS compliance for contact centers involves 438 security controls relating to everything from data security, network security, telephony systems, access controls, physical security, and more. Crucially, it prevents contact centers from recording and storing sensitive authentication data, such as CID, CVC2, CVV2, or CAV2.

Pausing your call recording only addresses ONE small aspect (call recordings), leaving the rest of your contact center vulnerable. This is one explanation for why, according to Verizon’s Payment Security Report, only 27.9% of businesses fully comply with PCI DSS.

There is a common misperception that Pause and Resume, by not directly resulting in the recording and storing of sensitive authentication data, is compliant – but it isn’t. Where human error unintentionally results in sensitive payment data being recorded, it will need to be removed manually before the call can be stored. But PCI DSS prohibits this – any manual manipulation of recorded data is a serious violation of the Security Standard.


Balancing risk and scope

Given the inherent compliance risks that Pause and Resume systems present, businesses operating these methods also need to contend with the regulatory burden of proof that comes with them.

To prove compliance with the PCI DSS’s 438 controls, businesses need to carry out self-assessments based on how far within the PCI DSS’s scope the business falls. For businesses using Pause and Resume, this means a complex SAQ-D assessment, which is both a costly and time-consuming process to navigate.

Fortunately, Dual-Tone Multi-Frequency (DTMF) masking solutions like Sycurio.Voice offer a clear alternative and a simpler path to compliance. By ‘de-scoping’ sensitive data from the contact center environment, these solutions can significantly reduce the PCI DSS burden. Contact centers using Sycurio.Voice may only need to complete an SAQ-A self-assessment audit, requiring proof of compliance with just six controls. This translates to a streamlined, simpler and more cost-effective route toward achieving full PCI DSS compliance.

Moving beyond Pause and Resume isn't just about safeguarding sensitive information – it’s about streamlining your entire compliance process. So, how do you eliminate the compliance burden of Pause and Resume while maintaining your valuable call records?

Record with confidence and streamline data security with Sycurio.Voice

Imagine capturing all call interactions securely and compliantly, eliminating the inefficiencies and considerable security risks associated with Pause and Resume. Sycurio.Voice makes this a reality.

Here are just some of the many benefits for your contact center operations:

  • No more muting: Customers enter payment details directly using their keypad or a secure voice recognition feature. Sensitive data never enters the contact center environment, cutting the risk of exposure for agents and call recordings
  • Water-tight security: Sycurio.Voice goes beyond masking payment information. It utilizes a patented payment method using DTMF masking to conceal all keypad tones, preventing them from being deciphered even from recordings
  • Record everything, risk nothing: Safeguard your contact center by preventing payment card data from entering your entire environment. The result is a seamless and secure payment experience for both customers and agents
  • Compliance made easy: By ‘de-scoping’ sensitive data, Sycurio.Voice significantly reduces your PCI DSS burden. Self-assessments become a breeze, freeing up time and resources for your business
  • Frictionless payments, happier customers: Say goodbye to transfers and dropped calls during payments. Sycurio.Voice keeps customers on the line, streamlining the process and reducing Average Handling Time (AHT)
  • Flex your contact center workforce: Sycurio.Voice allows for flexible working, including outsourcers and remote workers, ensuring you can take and process payments securely from any location
  • Slash your security costs: By ‘de-scoping’ PCI DSS, you can reduce your cyber-security premiums


Sycurio.Voice not only simplifies PCI DSS compliance, it also delivers complete peace of mind for customers. Protecting sensitive data safeguards your brand reputation and protects your staff. Discover how Sycurio.Voice can transform your contact center.