What Is Pause and Resume in Call Recording?
In contact centers, "Pause and Resume" refers to the practice of halting call recordings during sensitive payment information exchanges and resuming them afterward. This method aims to prevent the recording of credit card details, thereby assisting in maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS).
TL;DR:
|
Does Pause and Resume Meet PCI DSS Requirements?
Arguably the biggest issue with Pause and Resume is that it does not deliver complete PCI DSS compliance. At a basic level, it only addresses one aspect (the call recording) and can conflict with the compliance requirements of state, federal and other industry governing bodies that mandate all calls must be recorded in their entirety. Preparing for a PCI DSS audit demands meticulous attention to detail, particularly for companies handling card payments over the phone while recording calls.
Companies using Pause and Resume solutions must exhibit robust security controls and procedures to address the risk posed by recording interruptions. This requires undergoing a more detailed, time-consuming, and resource-intensive Self-Assessment Questionnaire D (SAQ-D audit), typically involving around 438 security control measures.
Compliance is a significant, cross-industry issue. Verizon’s Payment Security Report found that just 27.9% of organizations are fully comply with the PCI DSS, with compliance decreasing by an estimated 9% per year.
Why PCI Compliance Matters in Contact Centers
PCI DSS compliance is crucial for contact centers handling payment card information. Non-compliance can lead to severe penalties, including hefty fines and loss of customer trust. Moreover, with the increasing prevalence of card-not-present fraud, safeguarding payment data has become more critical than ever.
Pros and Limitations of the Approach
Pros:
- Prevents Recording of Sensitive Data: When implemented correctly, it can stop the recording of payment card details.
Limitations:
- Manual Errors: Agents may forget to pause or resume recordings, leading to accidental capture of sensitive information.
- Exposure to Agents: Agents might still hear or view card details, increasing the risk of data breaches.
- Incomplete Compliance: Only addresses one aspect of PCI DSS, leaving other areas vulnerable.
Common Compliance Gaps and Risks
Relying solely on Pause and Resume can create significant compliance gaps:
- Manual Processes and Human Error: Dependence on agents to pause and resume recordings introduces the risk of mistakes, potentially capturing sensitive data unintentionally.
- Data Exposure: Even if recordings are paused, agents may still have access to sensitive information, increasing the risk of data breaches.
- Regulatory Challenges: Some regulations require complete call recordings, making Pause and Resume incompatible with such mandates
Alternatives to Pause and Resume for Compliance
To achieve robust PCI DSS compliance, consider the following alternatives:
Secure Voice Capture Solutions
Implementing secure voice capture technologies, such as Dual-Tone Multi-Frequency (DTMF) masking, allows customers to enter payment details directly, preventing agents from accessing sensitive information. This approach reduces the risk of data breaches and simplifies compliance requirements.
Conclusion
While Pause and Resume may offer a temporary solution, it does not provide comprehensive PCI DSS compliance. Adopting secure voice capture technologies ensures better protection of payment data, reduces compliance complexity, and mitigates risks associated with manual errors and data exposure.
FAQs
What is "Pause and Resume" in call recording?
Pause and Resume is a method used in contact centers to temporarily stop call recordings during the exchange of sensitive information—like payment card details—and resume recording afterward. The goal is to prevent this data from being stored in recorded calls.
Is Pause and Resume PCI DSS compliant?
Not fully. While it helps avoid recording cardholder data, it only addresses one part of the PCI DSS requirements. Full compliance involves many more security controls and Pause and Resume alone may not satisfy all applicable regulations.
What are the risks of using Pause and Resume?
- Manual errors – Agents may forget to pause or resume recordings.
- Data exposure – Agents still hear or view sensitive data.
- Regulatory conflicts – Some laws require full call recordings, making Pause and Resume non-compliant.
- Incomplete security – Only protects recording, not the broader data environment.
What kind of audit is required for companies using Pause and Resume?
Organizations must typically complete PCI DSS Self-Assessment Questionnaire D (SAQ-D), the most rigorous type. It includes around 438 security control measures, requiring significant time and resources.
Why is PCI compliance important for contact centers?
Non-compliance can lead to heavy fines, reputational damage, and increased risk of data breaches—especially in environments handling card-not-present transactions over the phone.
Are there better alternatives to Pause and Resume?
Yes. Options like:
- DTMF masking
- Secure voice capture
- Automated redaction
These technologies allow customers to enter payment details without agents seeing or hearing them, reducing both risk and compliance complexity.
Is Pause and Resume still worth considering?
It may be useful as a basic safeguard, but it's not recommended as a standalone PCI DSS solution. It should be supplemented—or replaced—with more secure, automated compliance technologies for long-term effectiveness.
