Posted in PCI DSS compliance
Are you looking for ways to reduce fraud, specifically in your contact centre? If you take card payments over the phone on behalf of customers, you may have heard of pause and resume, a technology often presented as a quick fix.
Pause and resume was recently listed as the most widely adopted method for assisting with PCI DSS compliance in contact centres.
If you haven't come across it, pause and resume usually means an automated system that stops the call recording at the point where the agent reaches the payment screen and the caller is about to read out their card details, and then restarts the recording once the payment screen is closed and the card data has been entered.
Essentially, pausing and resuming removes only the call recordings from PCI DSS audit scope. Your agents, networks, systems and telephony still handle the card data and remain in scope.
What’s wrong with pause-and-resume?
We cannot repeat this enough: the method may be easy, but used in isolation it will not make your telephone payments PCI DSS compliant, and it leaves you exposed to contact centre fraud. Even though the sensitive data is not recorded, it is still heard and handled by the agent on the call. And the moments when card data is taken are precisely the interactions that most need protecting.
Possible side effects of this method may include:
- Difficulty in achieving 100% automation of pause and resume; any trigger that fires late, or not at all, leaves card data in the recording.
- Headaches whenever you upgrade your telephony or IT systems, because the pause trigger is usually tied to them.
- Expensive and ineffective implementations, despite large investments of time to get them working.
Don't forget that your agents' desktops and your network will still be in scope for PCI DSS.
As a recent Verizon report shows, your own employees and business partners can also be threats, and it is important not to lose sight of the role humans play in data breaches: 9% of confirmed data breaches over the previous three years fell into the insider and privilege misuse pattern. Because pause-and-resume is not 100% reliable, the PCI SSC advises organisations to implement methods that require no manual intervention.
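To make the reliability problem concrete, here is a small simulation of a pause-and-resume recorder, followed by the check a practitioner would actually want: a scan of what was recorded for card numbers that slipped through. This is an added example and not Eckoh's code or any vendor's product; the event stream, the Recorder class and the `trigger_delay` parameter (modelling a CRM or telephony integration that raises the "payment screen open" event late) are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): simulate a pause-and-resume
call recorder and audit the recording for leaked card numbers (PANs)."""
import re
from dataclasses import dataclass, field

# Constructed sample call: (time in seconds, event kind, payload).
# 'speech' is what the caller said; 'screen' is an event from the agent desktop.
CALL = [
    (0.0, "speech", "hi, I'd like to pay my bill"),
    (5.0, "screen", "payment_open"),    # agent opens the payment screen
    (6.0, "speech", "the card number is 4111 1111 1111 1111"),
    (9.0, "speech", "expiry 12 25"),
    (10.0, "screen", "payment_close"),  # payment captured, screen closed
    (11.0, "speech", "thanks, bye"),
]


@dataclass
class Recorder:
    """Hypothetical recorder that pauses on payment_open and resumes on payment_close."""
    paused: bool = False
    recorded: list = field(default_factory=list)

    def on_event(self, kind, payload):
        if kind == "screen" and payload == "payment_open":
            self.paused = True
        elif kind == "screen" and payload == "payment_close":
            self.paused = False
        elif kind == "speech" and not self.paused:
            self.recorded.append(payload)


def luhn_ok(digits):
    """Luhn checksum, used to tell a real PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens as callers say them.
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def find_pans(text):
    """Return Luhn-valid card numbers found in a transcript fragment."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def leaked_pans(events, trigger_delay=0.0):
    """Replay a call through the recorder and return any PANs that were recorded.

    trigger_delay shifts only the payment_open event later, modelling an
    integration that fires the pause late (an assumption of this example).
    """
    shifted = []
    for t, kind, payload in events:
        if kind == "screen" and payload == "payment_open":
            t += trigger_delay
        shifted.append((t, kind, payload))
    rec = Recorder()
    for _, kind, payload in sorted(shifted, key=lambda e: e[0]):
        rec.on_event(kind, payload)
    leaked = []
    for fragment in rec.recorded:
        leaked.extend(find_pans(fragment))
    return leaked


if __name__ == "__main__":
    print("pause fires on time:", leaked_pans(CALL))            # []
    print("pause fires 2s late:", leaked_pans(CALL, 2.0))       # ['4111111111111111']
```

With the pause firing on time nothing sensitive is recorded; a two-second lag in the trigger is enough to put the full PAN into the archive. Running a Luhn-validated scan like `find_pans` over recordings (or their transcripts) is the control that tells you whether your pause-and-resume actually worked, rather than assuming it did.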
How does that apply to your contact centre?
It only takes one breach to destroy your business. Anyone who can see, hear or handle your customers' cardholder data is a threat to achieving a fully PCI DSS compliant, secure contact centre.
Our honest opinion
Pause and resume is best regarded as a temporary measure that addresses only a small part of the overall PCI DSS problem of card data in the contact centre. As the requirements have tightened, it is important to keep updating your approach and to remove cardholder data from the contact centre environment altogether: that means keeping it out of call recordings, screen recordings, agents' hearing, desktops, IT systems and the telephony network.
Here at Eckoh we recognise every organisation has different requirements, and that’s why our PCI DSS Level 1 solutions have been designed to fit around your needs and infrastructure. Read our Definitive Guide to PCI DSS compliance for more answers.