Are you seeking solutions to mitigate possible fraud, more specifically in your contact centres? If you process card payments on behalf of customers, you may have heard of the quick-fix pause and resume technology.
Pause and resume was recently listed as the most widely adopted method of assisting with PCI compliance.
If you haven’t heard of it, pause and resume usually involves an automatic system that stops the call recording while sensitive data is being given by the caller, and then resumes the recording once the agent has passed the payment screen on their system.
Essentially pausing and resuming removes only the call recordings from PCI DSS audit scope. Your agents, networks, systems and telephony are still exposed to card data.
What’s wrong with pause-and-resume?
It doesn’t matter how many times we repeat it: this method may be easy, but used in isolation it will not make your telephone payments PCI DSS compliant, and ultimately it leaves you vulnerable to contact centre fraud. Even though the sensitive data isn’t recorded, it is still exposed to the agent handling the call. And generally the interactions in which sensitive card data is taken are the most important ones and require the most protection.
Possible side effects of this method may include:
- Difficulty in achieving 100% automation of pause and resume.
- Headaches when you need to upgrade your telephony or IT systems.
- Expensive and ineffective implementations, despite large investments of time to get them working.
Don’t forget that your agents’ desktops and network will still be in scope for PCI compliance.
As a recent Verizon report reveals, even your employees and business partners can be potential threats. It is important to not lose sight of the role humans play in data breaches. 9% of confirmed data breaches over the previous three years were categorized in the insider and privilege misuse pattern. As pause-and-resume is not 100% reliable, the PCI SSC advises companies to implement methods that require no manual intervention.
How does that apply to your contact centre?
It only takes one breach to destroy your business. Anyone who can see, hear or handle your customers’ cardholder data is a threat to achieving a fully PCI DSS compliant, secure contact centre.
Our honest opinion
Pause and resume is often considered a temporary solution, and it will only ever address a small part of the overall PCI compliance problem of card data storage in call centres. As regulations have tightened, it is important that you continue to update your solutions and completely remove the risk of fraud from your call centre. This includes preventing cardholder data from travelling through call recordings, screen recordings, agents, desktops, IT systems and the telephony network.
Here at Eckoh we recognise every organisation has different requirements, and that’s why our PCI DSS Level 1 solutions have been designed to fit around your needs and infrastructure. Read our Definitive Guide to PCI DSS compliance for more answers.
If you'd like to know more about secure payments then get in touch.