In contact centers, "Pause and Resume" refers to the practice of halting call recordings during sensitive payment information exchanges and resuming them afterward. This method aims to prevent the recording of credit card details, thereby assisting in maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS compliance is crucial for contact centers handling payment card information. Non-compliance can lead to severe penalties, including hefty fines and loss of customer trust. Moreover, with the increasing prevalence of card-not-present fraud, safeguarding payment data has become more critical than ever.
Arguably the biggest issue with Pause and Resume is that it does not deliver complete PCI DSS compliance. At a basic level, it addresses only one aspect (the call recording) and can conflict with the compliance requirements of state, federal and other industry governing bodies that mandate that all calls be recorded in their entirety. Preparing for a PCI DSS audit demands meticulous attention to detail, particularly for companies handling card payments over the phone while recording calls.
Companies using Pause and Resume solutions must exhibit robust security controls and procedures to address the risk posed by recording interruptions. This requires undergoing a more detailed, time-consuming, and resource-intensive Self-Assessment Questionnaire D (SAQ-D) audit, typically involving around 438 security control measures.
Compliance is a significant, cross-industry issue. Verizon’s Payment Security Report found that just 27.9% of organizations fully comply with the PCI DSS, with compliance decreasing by an estimated 9% per year.
Pros:
Limitations:
Relying solely on Pause and Resume can create significant compliance gaps:
To achieve robust PCI DSS compliance, consider the following alternatives:
Implementing secure voice capture technologies, such as Dual-Tone Multi-Frequency (DTMF) masking, allows customers to enter payment details directly, preventing agents from accessing sensitive information. This approach reduces the risk of data breaches and simplifies compliance requirements.
While Pause and Resume may offer a temporary solution, it does not provide comprehensive PCI DSS compliance. Adopting secure voice capture technologies ensures better protection of payment data, reduces compliance complexity, and mitigates risks associated with manual errors and data exposure.