Pause and Resume for PCI Call Recordings – How secure is it?

Payment card fraud is rising at an alarming rate, especially where the cardholder isn't present for the transaction. As a result, merchants are under increasing pressure to secure their payment channels.

Human/voice payment security is sometimes overlooked by IT system management, which tends to focus on network breach prevention. Over 80% of merchants in the UK collect payment details over the phone using contact centre agents. Card details are often typed manually into networks and CRM systems, and captured in call recordings made for quality purposes. This is not only a security risk; handling card data in this way also brings the contact centre directly into scope of a PCI DSS audit.

So, to meet compliance requirements and avoid storing card data on their systems, contact centres are now actively looking at methods to protect these weak areas of security.

Manual pause and resume

When contact centres began tackling PCI DSS a few years ago, they focussed on securing the point of card storage. Naturally, this meant reviewing the way call recordings of the agent and the caller were handled.

Many contact centres saw a potential easy fix and rushed to buy systems that enabled call recording to be paused at the point of payment and resumed after the payment was completed. This put all the security responsibility into the hands of the agent. It wasn't long before flaws in this method became apparent:

  1. Agents can pause recording whenever they want during the call. This means agents can hold unmonitored conversations with callers that leave no record.
  2. Agents can still hear the payment card details when the caller reads them out, and those details can be written down.
  3. Agents can forget to start the pause, which leads to sensitive cardholder data being stored in the recordings.
  4. Agents can forget to stop the pause, which leads to the continued masking/blanking of the ongoing conversation, at precisely the time when important details relating to the transaction are being discussed with the customer.

As such, the PCI Security Standards Council advises companies to implement technology that requires 'no manual intervention by staff'.

Automated pause and resume

As an alternative, automated pause and resume technology was introduced, and it is a popular option. The technique automatically stops and starts the recording depending on which screen the agent is using.

Although automated pause and resume goes some way to address the human error involved in stopping and starting recordings, even the most sophisticated systems still show gaps in security, for instance:

  • It could mean non-compliance with other regulatory bodies, such as the Financial Conduct Authority and the Ministry of Justice, which require transactions to be recorded in full. It can also impede fraud investigations and dispute resolution, because the recorded conversation is missing valuable content.
  • Transactions cannot be accurately measured for quality purposes when the conversational factors are omitted from recordings.
  • The agents, desktops and network are still in scope of PCI DSS compliance, and card data may still touch these areas.
  • If existing systems cannot integrate seamlessly with automated pause and resume, it could prove expensive if a new platform is required, especially if the business uses screen recording as well as call recording.
  • Pause and resume implementations can be very expensive, and ineffective despite large investments of time to get them working. This can, in turn, lead to the introduction of complex and ineffective business processes as 'workarounds'. As one example, a global energy services provider recently described their existing pause and resume setup to us like this:

"We can only accept a card payment from incoming calls due to the integration with the local call recording systems (conducting pause and resume) and the payment applications. In the event that a customer needs to make a card payment during an outbound call, the agent transfers the customer call to another agent as an inbound call. This is a poor customer experience and we have a desire to improve it."

What this shows is that pause and resume solutions only go so far in providing contact centre security. It is a quick fix and will only ever address a small part of the overall PCI DSS compliance issue of card or personal data storage in contact centres.

But that's not all. Today there is a need to comply with GDPR as well, and that involves personal data too. PCI DSS compliance solutions can help you meet some of the GDPR criteria.

To completely remove the risk of fraud from your contact centre, it needs IT and security provision that prevents sensitive data from flowing through the call recordings, screen recordings, agents, desktops, IT systems, physical environment and telephony network.

The answer?

To tighten security in contact centres, and meet the complex PCI DSS audit and GDPR requirements, more contact centres are implementing technologies where the caller enters their card or personal details through their telephone keypad. For instance, Eckoh's CallGuard solution prevents the agent from being exposed to sensitive data, while allowing the agent to stay on the phone with the caller at all times while their payment or details are being taken. Minimal agent intervention is needed, and the system hides card entries and personal data on the agent screen and blocks the DTMF tones from being recorded. It also enables call recordings to continue without interruption while remaining PCI DSS compliant.
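The difference between the two approaches is easiest to see on a stored recording. The following is an added example written for this post, not Eckoh's code or a description of how CallGuard works: a call is modelled as a list of events (speech on the line, single DTMF keypad digits, and the agent's pause/resume actions), two toy recorders store what each approach would keep, and a Luhn-based card number scan is run over the result. The scan is the check a reviewer would run over recordings or their transcripts to confirm that card numbers really stayed out of storage (flaw 3 above) and that the post-payment conversation survived (flaw 4). The sample calls use the well-known 4111 1111 1111 1111 test number and a made-up order reference; all event data is constructed.

```python
import re

# Constructed model, not Eckoh's code. A call is a list of (kind, value) events:
# "speech" (words heard on the line), "dtmf" (one keypad digit), or the agent
# control actions "pause" / "resume" (value ignored).

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card number formats from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or hyphens, not part of a longer run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in a transcript."""
    pans = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans

def record_with_manual_pause(events) -> str:
    """Manual pause/resume: everything on the line is stored unless the agent has paused."""
    stored, paused = [], False
    for kind, value in events:
        if kind == "pause":
            paused = True
        elif kind == "resume":
            paused = False
        elif not paused:
            stored.append(value)    # speech and keypad digits alike end up in storage
    return " ".join(stored)

def record_with_dtmf_masking(events) -> str:
    """DTMF masking: recording never stops; keypad digits are replaced before storage."""
    stored = []
    for kind, value in events:
        if kind == "dtmf":
            stored.append("*")
        elif kind == "speech":
            stored.append(value)
        # pause/resume events are ignored: there is nothing for the agent to press
    return " ".join(stored)

def audit_recording(transcript: str) -> dict:
    """What a stored recording contains: card numbers (a PCI DSS failure) and
    whether the payment confirmation survived (a completeness failure)."""
    return {
        "pans_stored": find_pans(transcript),
        "confirmation_kept": "payment confirmed" in transcript,
    }

# Constructed calls. 4111 1111 1111 1111 is a Luhn-valid test number, not a real card.
CONFIRMATION = ("speech", "agent: payment confirmed, your order reference is 20151102")
CARD_READ_ALOUD = [                      # agent forgot to pause
    ("speech", "agent: can I take the long number on your card"),
    ("speech", "caller: 4111 1111 1111 1111"),
    CONFIRMATION,
]
AGENT_FORGOT_TO_RESUME = [               # pause started, never stopped
    ("speech", "agent: can I take the long number on your card"),
    ("pause", None),
    ("speech", "caller: 4111 1111 1111 1111"),
    CONFIRMATION,
]
CARD_KEYED_IN = (                        # caller types the number on the keypad
    [("speech", "agent: please key your card number into your phone now")]
    + [("dtmf", d) for d in "4111111111111111"]
    + [CONFIRMATION]
)

if __name__ == "__main__":
    print("forgot to pause :", audit_recording(record_with_manual_pause(CARD_READ_ALOUD)))
    print("forgot to resume:", audit_recording(record_with_manual_pause(AGENT_FORGOT_TO_RESUME)))
    print("DTMF masked     :", audit_recording(record_with_dtmf_masking(CARD_KEYED_IN)))
```

Run against the three constructed calls, the manual recorder either stores the full card number (agent forgot to pause) or loses the payment confirmation (agent forgot to resume), while the masked recording keeps the confirmation and contains no card number. The same `find_pans` scan can be pointed at real transcripts to verify whichever control is in place.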

This approach is proving popular with contact centres that aim to increase the number of home-based and remote agents in their workforce, as those agents can use the same security systems as their premises-based colleagues. Using a PCI DSS accredited service provider also means they can continue to run their busy operation without distraction.

As fraudsters target new and more vulnerable payment areas, and PCI standards continue to tighten, more organisations are realising that DTMF masking technology like CallGuard helps to reduce the scope of the PCI DSS audit as well as contribute to GDPR compliance.

Download our eGuides for deeper insight into CNP crime in contact centres and our Definitive Guide to PCI DSS.

Posted by eckoh at 6:42 PM on Nov 2, 2015
