Pause and Resume for PCI Call Recordings – How Secure Is It?
Payment card fraud is rising at an alarming rate, especially where the cardholder isn't present for the transaction. As a result, merchants are under increasing pressure to secure their payment channels.
Human and voice payment security is sometimes overlooked by IT system management, which tends to focus on network breach prevention. Over 80% of merchants in the UK collect payment details over the phone using contact center agents. Card details are often typed manually into networks and CRM systems, and captured in call recordings kept for quality purposes. This is not only a security risk: handling card data in this way brings the contact center directly into scope of a PCI DSS audit.
To meet compliance and avoid storing card data on their systems, call centers are now actively looking at methods to protect these weak areas of security.
Manual Pause and Resume
When call centers began tackling PCI DSS a few years ago, they focused on securing the point of card storage. Naturally, this meant reviewing the way call recordings of the agent and the caller were handled.
Many call centers saw a potential easy fix, and rushed to buy systems that enabled recording to be paused at the point of payment and resumed after the payment was completed. This put all the security responsibility into the hands of the agent. It wasn't long before flaws in this method became apparent:
- Agents can pause recording whenever they want during the call, which allows unmonitored conversations with callers.
- Agents still hear the card details when the caller reads them out, and could copy them down.
- Agents can forget to start the pause, so sensitive cardholder data is stored in the recordings.
- Agents can forget to end the pause, so an ongoing conversation continues to be masked or blanked, at precisely the time when important details relating to the transaction are being discussed with the customer.
As such, the PCI Security Standards Council advises companies to implement technology that requires 'no manual intervention by staff'.
Automated Pause and Resume
As an alternative, automated pause and resume technology was introduced and is now a popular option. It automatically stops and starts the recording depending on which screen the agent is using.
Although automated pause and resume goes some way towards addressing the human error in stopping and starting recordings, even the most complex systems still show gaps in security, for instance:
- It could mean non-compliance with other regulatory bodies, such as the Financial Conduct Authority and Ministry of Justice, which require transactions to be recorded in full. It can also impede fraud investigations and dispute resolutions, because the recorded conversation is missing valuable content.
- Transactions cannot be accurately measured for quality purposes when the conversational factors are omitted from recordings.
- The agents, desktops and network are still in scope of PCI compliance and card data may touch these areas.
- If existing systems cannot integrate seamlessly with automated pause and resume, it could prove expensive if a new platform is required, especially if the business uses screen recording as well as call recording.
- Pause and resume implementations can be very expensive, and ineffective despite large investments of time to get them working. This can, in turn, lead to complex and ineffective business processes being introduced as 'workarounds'. As one example, a global energy services provider recently described their existing pause and resume setup to us like this:
"We can only accept a card payment from incoming calls due to the integration with the local call recording systems (conducting Pause and Resume) and the Payment applications. In the event that a customer needs to make a card payment during an outbound call, the agent transfers the customer call to another agent as an inbound call. This is a poor customer experience and we have a desire to improve it."
What this shows is that pause and resume solutions only go so far to provide contact center security. It is a quick fix and will only ever address a small part of the overall PCI compliance issue of call center card data storage.
To completely remove the risk of fraud from your call center, it needs IT and security provision that prevents cardholder data from flowing through the call recordings, screen recordings, agents, desktops, IT systems, physical environment and telephony network.
To tighten security in contact centers, and meet the complex PCI DSS audit requirements, more contact centers are implementing technologies where the caller enters their card details through their telephone keypad. For instance, Eckoh's CallGuard solution prevents the agent from any exposure to cardholder data, while allowing the caller to stay on the phone with the agent at all times while their payment is being taken. Minimal agent intervention is needed, and the system hides card entries on the agent screen and blocks the DTMF tones from being recorded. It also enables PCI call recordings to continue without interruption.
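The two approaches described above, screen-triggered automated pause and resume and DTMF masking, can be compared on a constructed call. The following Python model is an added example written for this article; it is not Eckoh's or CallGuard's code and does not describe how any vendor product is built. The call events, screen names, the `MISSED_TRIGGER_CALL` variant (an assumed integration gap where the recorder never sees the switch to the payment screen) and the helper names are all assumptions; the card number is the public Visa test PAN 4111 1111 1111 1111. It shows three things a practitioner would want to check: what the recording loses while paused, what leaks into the recording when the pause trigger is missed, and how diverting keypad digits before they reach the recorder keeps the recording whole while the full PAN never touches it. `find_pans` is a simple Luhn-based leak check you can run over transcripts of what actually reached storage.

```python
import re
from typing import List, Tuple

Event = Tuple[str, str]

# Constructed sample call (not a real recording). Each event is (kind, payload):
#   "speech" - a transcribed utterance by the agent or the caller
#   "screen" - the agent's desktop switching to the named screen
#   "dtmf"   - one keypad digit pressed by the caller
# The card number is the public Visa test PAN 4111 1111 1111 1111.
SAMPLE_CALL: List[Event] = [
    ("speech", "agent: I can take the payment now, please key your card number into the phone"),
    ("screen", "payment"),
    *[("dtmf", d) for d in "4111111111111111"],
    ("speech", "caller: that is all sixteen digits"),
    ("speech", "agent: thank you, the payment is approved and your order ships on Tuesday"),
    ("screen", "order_summary"),
    ("speech", "agent: is there anything else I can help with?"),
]

# Same call, but the recorder never sees the switch to the payment screen
# (assumed integration gap, e.g. the payment form opening in a window the
# pause/resume hook does not watch).
MISSED_TRIGGER_CALL: List[Event] = [e for e in SAMPLE_CALL if e != ("screen", "payment")]

PAYMENT_SCREENS = {"payment"}


def screen_triggered_recording(events: List[Event], payment_screens=PAYMENT_SCREENS):
    """Automated pause and resume: record only while the agent is off a payment screen.

    Returns (what reached the recording, speech lost while paused). Keypad tones
    that arrive while *not* paused are written to the recording as digits,
    which is exactly the leak the screen trigger is supposed to prevent.
    """
    recorded: List[str] = []
    lost: List[str] = []
    paused = False
    for kind, payload in events:
        if kind == "screen":
            paused = payload in payment_screens
        elif paused:
            if kind == "speech":
                lost.append(payload)
        else:
            recorded.append(payload)  # speech or an in-band DTMF digit
    return recorded, lost


def dtmf_masked_recording(events: List[Event]):
    """DTMF masking: the recording never pauses. Keypad digits are diverted to a
    separate channel before the audio reaches the recorder (and the agent),
    so only speech is recorded and the full PAN exists only on the diverted path.

    Returns (recorded speech, the PAN collected on the diverted channel).
    """
    recorded: List[str] = []
    digits: List[str] = []
    for kind, payload in events:
        if kind == "speech":
            recorded.append(payload)
        elif kind == "dtmf":
            digits.append(payload)  # never written to the recording
    return recorded, "".join(digits)


def mask_pan(pan: str) -> str:
    """What the agent's screen may show: everything but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used both to validate keyed input and to
    reduce false positives when scanning transcripts for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Scan a transcript for 13-19 digit runs (spaces/dashes allowed) that pass
    Luhn: a simple leak check to run over what actually reached the recording."""
    hits = []
    for m in re.finditer(r"(?:\d[ -]?){13,19}", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    rec, lost = screen_triggered_recording(SAMPLE_CALL)
    print("trigger fired: lost", len(lost), "utterances; leaked PANs:", find_pans(" ".join(rec)))
    rec, _ = screen_triggered_recording(MISSED_TRIGGER_CALL)
    print("trigger missed: leaked PANs:", find_pans(" ".join(rec)))
    rec, pan = dtmf_masked_recording(SAMPLE_CALL)
    print("dtmf masked: recorded", len(rec), "utterances; agent sees", mask_pan(pan),
          "; Luhn ok:", luhn_ok(pan), "; leaked PANs:", find_pans(" ".join(rec)))
```

With the trigger firing correctly, the screen-based recorder drops the caller's confirmation and the agent's approval line, which is the content a dispute investigation would want; with the trigger missed, the full test PAN lands in the recording and the Luhn scan flags it. The masked path records all four utterances, returns the PAN only on the diverted channel, and shows the agent `************1111`.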
This approach is proving popular with contact centers that aim to add more home-based and remote agents to their workforce, as those agents can use the same security systems as their premise-based colleagues. Using a PCI DSS accredited service provider also means they can continue to run their busy operation without distraction.
As fraudsters target new and more vulnerable payment areas, and PCI standards continue to reinforce regulations, more organizations are realizing that DTMF masking technology like CallGuard helps to reduce the scope of the PCI DSS audit.