Should we use pause and resume to meet PCI compliance?

Are you seeking solutions to mitigate possible fraud, more specifically in your contact centres? If you process card payments on behalf of customers, you may have heard of the quick-fix pause and resume technology.

Pause and resume was actually recently listed as the most popular adopted method to assist with PCI compliance.

If you haven’t heard of it, pause and resume as a method usually involves an automatic system which stops the recording when sensitive data is being transferred from the caller, and then resumes the call recording once the agent is passed to the payment screen on their system.

Essentially pausing and resuming removes only the call recordings from PCI DSS audit scope. Your agents, networks, systems and telephony are still exposed to card data.

What’s wrong with pause-and-resume?

It doesn’t matter how many times we repeat it, this method may be easy but used in isolation, it will not make your telephone payments PCI DSS compliant and ultimately you are left vulnerable to contact centre fraud. Even though the sensitive data isn’t recorded, it is still exposed to the agent handling the call. And generally the interactions had when taking sensitive card data are the most important and require protection.

Possible side effects of this method may include:

  • Difficulty to actually achieve 100% automation of pause and resume
  • Headaches when you need to upgrade your telephony or IT systems.
  • Expensive and ineffective implementations, despite large investments of time to get them working.

Don’t forget your agent’s desktops and network will still be in scope for PCI compliance.

As a recent Verizon report reveals, even your employees and business partners can be potential threats. It is important to not lose sight of the role humans play in data breaches. 9% of confirmed data breaches over the previous three years were categorized in the insider and privilege misuse pattern. As pause-and-resume is not 100% reliable, the PCI SSC advises companies to implement methods that require no manual intervention.

How does that apply to your contact centre?

It only takes one breach to destroy your business. Anyone that can see, hear or handle your customers cardholder data are threats to the chances of a fully PCI compliant, secure contact centre.

Our honest opinion

Pause and resume is often considered a temporary solution and will only ever address a small part of the overall PCI compliance issue of call centre card data storage. So as regulations have tightened, it is important that you continue to update your solutions and completely remove the risk of fraud from your call centre. This includes preventing card holder data from travelling through call recordings, screen recordings, agents, desktops, IT systems and telephony network.

Here at Eckoh we recognise every organisation has different requirements, and that’s why our PCI DSS Level 1 solutions have been designed to fit around your needs and infrastructure. For expert advice, get in touch today on 01442 458 300.

By: Leora Grace
Loading Conversation

Posted by eckoh at 3:37 PM on May 4, 2016


Recent Posts

Does it feel like it's panto season in your contact centre every day? If so,…


We've all watched on in horror ... as an out-of-control child creates havoc at a…


Are customers mysteriously falling out of love with your business — despite your…