Unlocking the truth: How Pause and Resume impacts contact center PCI compliance


Using Pause and Resume (or stop/start) recording solutions has been popular in many call and contact centers to prevent sensitive payment data being recorded during customer calls. This approach involves manually or automatically pausing the call recording while the customer shares their payment card details directly with the contact center agent.

Back in 2018, the Payment Card Industry Security Standards Council (PCI SSC) issued robust guidance around ‘Protecting Telephone-Based Payment Card Data’. The revised guidelines showed that Pause and Resume is often ineffective at completely protecting sensitive card data, highlighting that the contact center environment, systems and agents still remain exposed to payment card numbers, leaving this information vulnerable and at risk in a security or data breach.

Data breaches are devastating to an organization, damaging trust, brand reputation and even finances. Permanently pausing Pause and Resume could help you reduce the risk of experiencing a breach in your contact center!

The value of call recordings

Recording client calls is standard practice for most businesses with contact center operations. Even if call recording isn’t mandated in your industry, it can help with everything from call quality control and staff training to analytics and swift dispute resolution. For example, if a customer accuses an agent of poor service, mis-selling or abuse, you can refer to call recordings for the vital evidence you would need to either reject the claim or discipline the employee.

The most stringent regulations relate to how companies handle financial conversations. The US’s Financial Industry Regulatory Authority (FINRA) requires all firms to record all calls between the organization’s registered persons and existing or potential customers that discuss anything related to ‘trading activities’. Similarly, the UK’s Financial Conduct Authority (FCA), which regulates financial services organizations, mandates that all calls involving client orders are recorded.

Protecting payment data

With card-not-present (CNP) fraud increasing, and now accounting for around 73% of all payment card fraud, both regulators and brands are looking for ways to better protect cardholder information.

Payment Card Industry Data Security Standard (PCI DSS) compliance rules prohibit businesses from recording or storing sensitive authentication data such as three- or four-digit security codes (CID, CVC2, CVV2 or CAV2). This applies to any organization that handles card payments over the phone, regardless of the industry it operates in.

If companies need or want to record their calls, without capturing sensitive payment card information, they often turn to Pause and Resume. At best, it’s unreliable and requires humans and technology to work perfectly, every time. Unfortunately, this method only provides a level of protection for the call recording itself. So, at worst, it leaves your business and customers at risk of CNP fraud and your organization facing various penalties for breaching PCI DSS and other data protection laws. Here’s why…

Why Pause and Resume doesn’t guarantee security

Pause and Resume can be implemented in one of two ways: through manual agent actions or via automated Pause and Resume technology. Most firms now use automated systems to avoid human error, i.e., forgetting to pause or restart the recording. However, even automated systems, which have trigger points such as payment software being loaded by agents, don’t guarantee PCI DSS compliant call recording. They can…

  • Make compliance, audits and investigations harder: Some regulatory bodies require calls to be recorded in their entirety (without any breaks). If this doesn’t apply, leaving a section of the call unrecorded complicates any investigations that could relate to it, including fraud or misconduct accusations.
  • Add technical complexity: New ways of working could make the call handling process more complex, potentially increasing customer wait times. If the system’s trigger points aren’t intuitive, or agents want to save time, they may accidentally or intentionally bypass the Pause and Resume process.
  • Negatively impact customer experience: If the technology you use means customers need to be transferred to automated systems or other departments to make payments, it can make the process longer and more tedious. This can be particularly frustrating for organizations such as debt collection agencies, whose customers are unlikely to ring back if they get disconnected or are left waiting too long.
  • Leave fraud on the table: Automated Pause and Resume systems rely on your agents acting with integrity, as they can still see and hear cardholder information. There’s nothing to stop them copying down sensitive card data to misuse outside of work. This risk is heightened in environments where agents are working remotely, at home or call center support is outsourced. Without physical oversight, it can be difficult to monitor and prevent this kind of behaviour.

The compliance issue

Arguably the biggest issue with Pause and Resume is that it does not deliver complete PCI DSS compliance. At a basic level, it only addresses one aspect (the call recording) and can conflict with the compliance requirements of state, federal and other industry governing bodies that mandate all calls must be recorded in their entirety. Preparing for a PCI DSS audit demands meticulous attention to detail, particularly for companies handling card payments over the phone while recording calls.

Companies using Pause and Resume solutions must exhibit robust security controls and procedures to address the risk posed by recording interruptions. This requires undergoing the more detailed, time-consuming and resource-intensive Self-Assessment Questionnaire D (SAQ-D), which typically involves around 438 security control measures.

Compliance is a significant, cross-industry issue. Verizon’s Payment Security Report found that just 27.9% of organizations fully comply with the PCI DSS, with compliance decreasing by an estimated 9% per year.

Switching from Pause and Resume to a more robust and complete PCI DSS compliant solution can help organizations meet all their compliance obligations. More than that, by removing the need for ‘clean rooms’ it can enable organizations to deliver better customer experiences, reduce cyber insurance premiums and operate more flexibly.


Finding a better solution

Sycurio makes it possible for organizations to achieve PCI DSS compliance while recording calls in their entirety. Solutions like Sycurio.Voice entirely remove the need for Pause and Resume strategies or systems. Customers enter their payment card details directly into their phone keypad or use speech recognition technology and the data is sent straight to the payment service provider (PSP), meaning sensitive cardholder information never enters your contact center infrastructure. That includes call recordings, desktops, IT systems, the physical environment and also your agents.

Our patented payment method uses Dual-Tone Multi-Frequency (DTMF) masking technology so agents don’t hear or see payment card numbers and are never exposed to sensitive data, allowing them to securely process payments from anywhere. Sycurio’s technology allows calls and recordings to continue as normal with no agent intervention or customer disruption, streamlining contact center operations while enhancing customer experience. And, it’s just as effective and secure for remote or outsourced contact center staff to manage, giving organizations more flexibility.
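To make the difference between the two approaches concrete, the simulation below plays one constructed call through a Pause and Resume recorder and through a DTMF masking media path and reports what the recording, the agent and the payment provider each end up seeing. It is an added example written for this article, not Sycurio’s code and not a description of how Sycurio.Voice is implemented. Its assumptions are marked in the code: a call is a list of discrete events rather than audio, the agent’s payment application (the pause trigger) opens one second after the customer starts keying digits, `MockPsp` stands in for a payment service provider and its `tok_` token format is invented, and the card number is the widely published Visa test number.

```python
"""Constructed comparison of Pause and Resume with DTMF masking on one call.

Simulation written for this article. A call is a list of discrete events
(speech, keypad digits, desktop control events) rather than audio, the payment
application trigger is assumed to fire at 3.0 s, and MockPsp stands in for a
payment service provider.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Widely published Visa test number, not a real card.
TEST_PAN = "4111111111111111"


@dataclass(frozen=True)
class Event:
    t_ms: int        # milliseconds into the call
    source: str      # "customer", "agent" or "desktop" (agent's payment app)
    kind: str        # "speech", "dtmf" or "control"
    payload: str


def constructed_call(pan: str = TEST_PAN) -> List[Event]:
    """Customer starts keying the PAN at 2.0 s; the agent's payment app (the
    pause trigger) opens at 3.0 s. A late trigger like this is the realistic case."""
    events = [
        Event(0, "agent", "speech", "Can I take the card number please?"),
        Event(3000, "desktop", "control", "payment_app_open"),
    ]
    events += [Event(2000 + 300 * i, "customer", "dtmf", d) for i, d in enumerate(pan)]
    end = 2000 + 300 * len(pan)
    events.append(Event(end, "customer", "dtmf", "#"))   # assumed terminator key
    events.append(Event(end + 1000, "desktop", "control", "payment_app_close"))
    events.append(Event(end + 2000, "agent", "speech", "Thanks, that has gone through."))
    return sorted(events, key=lambda e: e.t_ms)


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def exposed_digits(stream: List[str]) -> str:
    """Digits a listener could reconstruct from a stream (DTMF tones are decodable)."""
    return "".join(ch for item in stream for ch in item if ch.isdigit())


def exposed_pans(stream: List[str]) -> List[str]:
    """Luhn-valid 13-19 digit runs: what an assessor (or an insider) would find."""
    return [m.group(0) for m in re.finditer(r"\d{13,19}", exposed_digits(stream))
            if luhn_ok(m.group(0))]


def pause_and_resume(events: List[Event], pause_on: str = "payment_app_open",
                     resume_on: str = "payment_app_close") -> Tuple[List[str], List[str]]:
    """Recorder stops on the pause trigger and restarts on resume. The agent leg
    is untouched, so the agent hears every tone whether or not recording is paused."""
    recording, agent_hears, paused = [], [], False
    for ev in events:
        if ev.kind == "control":
            if ev.payload == pause_on:
                paused = True
            elif ev.payload == resume_on:
                paused = False
            continue
        if ev.source == "customer":
            agent_hears.append(ev.payload)
        if not paused:
            recording.append(ev.payload)   # anything keyed before the trigger is captured
    return recording, agent_hears


class MockPsp:
    """Stand-in for the payment service provider: the only party that sees the PAN."""
    def __init__(self) -> None:
        self.pans_received: List[str] = []

    def tokenize(self, pan: str) -> str:
        self.pans_received.append(pan)
        return "tok_" + pan[-4:]   # invented token format for the simulation


def dtmf_masking(events: List[Event], psp: MockPsp) -> Tuple[List[str], List[str], str]:
    """Intercept DTMF on the customer leg before it reaches the agent or the
    recorder, replace each tone with a flat placeholder, and hand the collected
    digits to the PSP. Works regardless of any desktop trigger."""
    recording, agent_hears, buffer, token = [], [], "", ""
    for ev in events:
        if ev.kind == "control":
            continue
        if ev.kind == "dtmf":
            if ev.payload == "#":
                token = psp.tokenize(buffer)
                buffer = ""
            else:
                buffer += ev.payload
            agent_hears.append("*")   # masked tone
            recording.append("*")
            continue
        if ev.source == "customer":
            agent_hears.append(ev.payload)
        recording.append(ev.payload)
    return recording, agent_hears, token


if __name__ == "__main__":
    rec, agent = pause_and_resume(constructed_call())
    print("Pause/Resume recording digits:", exposed_digits(rec), "| agent PANs:", exposed_pans(agent))
    psp = MockPsp()
    rec, agent, token = dtmf_masking(constructed_call(), psp)
    print("Masking recording digits:", repr(exposed_digits(rec)), "| token:", token)
```

Run as a script, the Pause and Resume path shows the first four digits keyed before the trigger sitting in the recording and the full Luhn-valid PAN on the agent leg; the masking path shows no digits in either place and only the PSP holding the PAN. The recording under masking is also continuous, which is the point made above about regulators that require calls recorded in their entirety.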

Not only that, it also significantly reduces the burden and cost of achieving and maintaining PCI DSS compliance. Using Sycurio.Voice means contact centers only need to complete a SAQ-A. This simpler assessment asks for proof of up to 6 controls, compared to over 400 within a SAQ-D.

Find out more about Sycurio.Voice and why it is the most effective way of ensuring and maintaining contact center compliance and reducing risks compared to Pause and Resume.