Why Pause & Resume Call Recording Isn’t Enough
Call recording is an essential process for many contact centres. It allows businesses to monitor, train, and evaluate the quality of their customer service interactions, which can be critical for maintaining customer satisfaction and loyalty. Of course, for some industries, it is also a regulatory requirement.
Many contact centres handle customer payments, and when it comes to call recording, these businesses need to be aware of the PCI compliance implications around any Pause & Resume call recording solution.
Pause & Resume is a feature that allows contact centre agents to temporarily halt the recording of a call, typically when sensitive information, such as credit card data, is being exchanged. This feature is often promoted as a solution for achieving PCI compliance. However, Pause & Resume solutions have the potential to expose organisations and contact centres to unnecessary risk, threats and non-compliance.
What are the risks?
When a call recording is paused, the sensitive information being exchanged during the call is still being stored in the system, albeit temporarily. The temporary storage of sensitive information increases the risk of data breaches or unauthorised access, especially if the data is not encrypted or secured correctly. While Pause & Resume might prevent sensitive information from being recorded, it does not eliminate the risks of storing such data.
1. The limitations of manual controls
A Pause & Resume solution relies on manual controls, meaning that the agent needs to remember to pause and resume the recording at the appropriate times. This creates the risk of human error, which can lead to non-compliance and potential breaches. Furthermore, manual controls can easily be overridden, intentionally or unintentionally, putting sensitive information at risk and increasing the pressure on the agent.
2. The limitations of contact centre infrastructure
Pause & Resume solutions depend on the capabilities of the organisation’s infrastructure, such as the recording system and the telephony platform. If the infrastructure cannot support Pause & Resume functionality, or if the feature is misconfigured, the ability to pause and resume recordings may not be available, resulting in non-compliance and an increased data risk.
3. The limitations of PCI compliance requirements
PCI compliance is not just about pausing and resuming call recordings. There are many other requirements that businesses need to meet to be fully compliant, such as maintaining secure networks, regularly monitoring and testing security systems, and providing ongoing security training to staff. Using Pause & Resume for call recording does not address these other requirements, so businesses could still be at risk of non-compliance. At best, Pause & Resume would mean that your call recordings are PCI compliant; however, that still leaves your infrastructure and agents in scope of PCI DSS.
With more organisations adopting remote or hybrid working, the Pause & Resume process does not descope agents or agents’ desktops unless a clean room environment is enforced. Ensuring work environments are threat-free is challenging to administer or control remotely, meaning sensitive payment data could be captured or stored illegally if the agent neglects to pause, or could even be captured by employees themselves.
While the Pause & Resume function may seem like a simple solution for achieving PCI compliance, more is needed. Businesses that rely on call recording for their operations need to be aware of the risks of storing sensitive information, the limitations of manual controls and contact centre infrastructure, and the full scope of PCI compliance requirements.
Instead of relying on the Pause & Resume method, businesses should consider alternative solutions that can help protect sensitive information, while allowing for effective call recording and an uninterrupted customer journey. By taking a comprehensive approach to PCI compliance, businesses can ensure that their contact centre payment operations meet the highest data security standards and protect their customers’ sensitive information.
PCI Pal has published an eBook, ‘Pause & Resume Call Recording: Calculating the Risk’, which discusses this topic in more depth.
PCI Pal® is a leading provider of SaaS solutions that empower companies to take payments securely, adhere to strict industry governance, and remove their business from the significant risks posed by non-compliance and data loss.
Using patented technology, its mission is to safeguard reputation and trust by providing customers with secure payment solutions for any business communications environment including voice, chat, social, email, and contact centre.
PCI Pal is integrated with, and resold by, some of the world’s leading business communications vendors, as well as major payment service providers. PCI Pal products can be used by any size organisation globally, and it is proud to work with some of the largest and most respected brands in the world.