Is Pause-and-Resume Effective as a PCI Compliance Strategy?


21 Oct 2021

No, it isn't, but good news! There's a better way.

The short answer is no.

If you're seeking solutions to mitigate fraud in your contact centers, you may have heard vendors suggest pause-and-resume. Although it's a widely used aid to PCI compliance, this method of attempting compliance isn't very effective. Essentially, pause-and-resume removes only the call recordings from PCI DSS audit scope. Your agents, networks, systems and telephony are still exposed to card data.

What's wrong with pause-and-resume?

This method may be easy, but when used in isolation, it will not make your telephone payments PCI DSS compliant, and ultimately you are left vulnerable to contact center fraud.

Common challenges with this method may include:

  • Difficulty achieving 100% automation of pause-and-resume.
  • Headaches when you need to upgrade your telephony or IT systems.
  • Expensive and ineffective implementations that take significant investments of time to get working.

But the glaring issue with relying on pause-and-resume is that it leaves your agents' desktops and network in scope for PCI DSS compliance.

It's also worth noting that even though the sensitive data isn't being recorded, the agent handling the call is still going to hear it. We encourage a zero-trust security policy, especially with the trend of hybrid and remote working, because whether we like it or not, 61% of fraud can be traced back to the contact center.

A recent Verizon report has found that since 2017, privilege misuse has increased 98%, reminding us that even your employees and business partners can be potential data threats. It is essential not to lose sight of the role humans play in data breaches. Pause-and-resume is not reliable, and the PCI SSC advises companies to implement methods that require no manual intervention to combat the human error element.

How does that apply to your contact center?

It only takes one breach to destroy your business, so a zero-trust security model is ideal. Anyone who can see, hear or handle your customers' cardholder data is a threat to a fully secure and PCI DSS compliant contact center.

Our honest opinion

Pause-and-resume is often considered a temporary solution and will only address a small part of the overall compliance issue of call center card data storage. So as regulations tighten, it's crucial for organizations to continue updating their solutions and eliminating the risk of fraud from call centers altogether. This includes preventing cardholder and other personally identifying data from traveling through call recordings, screen recordings, agents, desktops, IT systems and telephony networks.

Here at Eckoh, we recognize every organization has different requirements, and that's why we designed our PCI DSS secure payment solutions to fit around your needs and infrastructure. We are also a Participating Organization with PCI SSC and leverage insight directly from the Council to ensure our solutions are future-proof. If anything changes in the compliance regulations, we're ready to upgrade to meet the new standards.

If you'd like to know more about secure payments give us a call at 866.258.9297 or drop us an email at