Retired Member


Pause and resume recording for PCI DSS compliance

16 September 2013

‘Pause-and-resume’ call recording is a longstanding solution used by many customer-service operations to prevent the storage of customer card data within call-archive systems.

The motivators for this are PCI DSS requirements prohibiting the storage of card validation codes in any searchable or recognizable form (whether encrypted or not), and mandating rigorous protection measures for account numbers.

To avoid capturing and storing card data, recording is halted while payment details are provided, and resumed again afterwards.

Pause-and-resume solutions fall into two categories:

Agent-initiated pause-and-resume

  • Basic implementations of pause-and-resume rely on agents to manually stop and re-start call recording.

  • A variation on agent-initiated pause-and-resume sees recording resume automatically after a set timeout period.

Automated pause-and-resume

  • Automated pause-and-resume solutions integrate with agent desktop systems used to take payment details, stopping and re-starting recording without agent intervention, depending on the screen that is in use.
  • Alternatively, the call-recording system will be paused and resumed through an add-on system which monitors the applications in use by the agent.
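To make the difference between the two categories concrete, the following simulation is added here; it is not part of the original post and does not represent any vendor's product. It assumes a constructed call transcript (the card number is the well-known 4111... test value), hypothetical agent-desktop screen names, and hypothetical function names. One controller pauses and resumes purely from the desktop's screen-focus events; the other models the agent-initiated variant that resumes after a fixed timeout. Two archive checks a reviewer can run afterwards are included: a Luhn-validated PAN pattern scan of the stored text, and a comparison of the archive against the desktop timeline, which is the only check that also catches a captured security code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Utterance:
    t: float        # seconds from the start of the call
    speaker: str
    text: str


@dataclass(frozen=True)
class ScreenEvent:
    t: float        # time at which the agent desktop reported this screen gaining focus
    screen: str


# Hypothetical name of the desktop screen on which card details are keyed in.
PAYMENT_SCREENS = {"payment_entry"}

# Constructed sample call; the PAN is a test number and nothing here is real data.
CALL: List[Utterance] = [
    Utterance(0.0, "agent", "Thanks for calling, how can I help?"),
    Utterance(8.0, "customer", "I'd like to pay for order 5521."),
    Utterance(12.0, "agent", "Sure, I'll take the card details now."),
    Utterance(22.0, "customer", "The number is 4111 1111 1111 1111."),
    Utterance(31.0, "agent", "And the expiry date?"),
    Utterance(34.0, "customer", "Twelve twenty-six."),
    Utterance(39.0, "agent", "And the three digit code on the back?"),
    Utterance(42.0, "customer", "It's 123."),
    Utterance(50.0, "agent", "Payment approved. Anything else today?"),
]

# Constructed screen-focus events as the agent desktop would report them to the recorder.
SCREENS: List[ScreenEvent] = [
    ScreenEvent(0.0, "crm_home"),
    ScreenEvent(14.0, "payment_entry"),
    ScreenEvent(47.0, "order_summary"),
]


def screen_at(screens: List[ScreenEvent], t: float) -> Optional[str]:
    """Screen in focus at time t: the most recent event at or before t."""
    current = None
    for e in sorted(screens, key=lambda e: e.t):
        if e.t <= t:
            current = e.screen
    return current


def record_desktop_driven(call: List[Utterance], screens: List[ScreenEvent]) -> List[Utterance]:
    """Automated pause-and-resume: an utterance is kept only while the desktop
    reports a non-payment screen, so the pause lasts exactly as long as the
    payment screen is open."""
    return [u for u in call if screen_at(screens, u.t) not in PAYMENT_SCREENS]


def record_timeout_driven(call: List[Utterance], pause_at: float, timeout: float) -> List[Utterance]:
    """Agent-initiated variant: the agent presses pause once at pause_at and the
    recorder resumes unconditionally after `timeout` seconds, however long the
    payment actually takes."""
    resume_at = pause_at + timeout
    return [u for u in call if not (pause_at <= u.t < resume_at)]


# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reduce false positives from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Luhn-valid PAN-like numbers found in a transcript line."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def leaked_payment_utterances(kept: List[Utterance], screens: List[ScreenEvent]) -> List[Utterance]:
    """Ground-truth check against the desktop timeline: anything kept while a
    payment screen was in focus should not be in the archive at all."""
    return [u for u in kept if screen_at(screens, u.t) in PAYMENT_SCREENS]


def archive_report(kept: List[Utterance], screens: List[ScreenEvent]) -> dict:
    """Summarise a stored recording with both checks; the timeline check is the
    one that also catches an expiry date or security code, which no PAN scan can."""
    return {
        "utterances": len(kept),
        "pans_found": [p for u in kept for p in find_pans(u.text)],
        "leaked": [u.t for u in leaked_payment_utterances(kept, screens)],
    }


if __name__ == "__main__":
    print("desktop-driven:", archive_report(record_desktop_driven(CALL, SCREENS), SCREENS))
    # Agent pauses at 14 s; the customer only starts reading the card at 22 s.
    print("timeout 7 s:  ", archive_report(record_timeout_driven(CALL, 14.0, 7.0), SCREENS))
    # Longer timeout: the PAN is excluded but the security code at 42 s is captured.
    print("timeout 25 s: ", archive_report(record_timeout_driven(CALL, 14.0, 25.0), SCREENS))
```

Run stand-alone, the desktop-driven archive contains only the four utterances outside the payment screen and passes both checks. With a 7-second timeout the recording resumes before the customer has started reading the card, so the PAN scan and the timeline check both fire; with a 25-second timeout the PAN scan is clean but the timeline check still reports the captured security code, which is why an archive scan alone is not sufficient evidence that a pause-and-resume deployment is working.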

Advantages 

Technology managers are all too familiar with the pain caused by conflicting business and regulatory requirements. The compelling quality, risk-management and compliance drivers for call recording clash with PCI DSS requirements for protecting customers’ card data.

Pause-and-resume technology, at its best, goes some way towards helping contact centers meet all these conflicting regulatory, industry and business requirements.

Pause-and-resume recording requires no change to the way that calls are handled by agents, who can continue to maintain customer contact during the payment process, maximising customer satisfaction and reducing failed transactions.

Disadvantages

Agent-initiated pause-and-resume has several pitfalls:

  • Relying on agents to manually pause and resume recording places the day-to-day responsibility for PCI DSS compliance at the front line. Unsurprisingly, this leads to non-compliance with both PCI and call-recording requirements, as busy agents sometimes forget to stop or start recording.
  • The system is open to deliberate abuse by agents.
  • Automatic resumption of recording runs a very real risk of capturing card data, or of omitting information that should be recorded, whenever the payment takes more or less time than the fixed timeout allows.
  • Most seriously, the use of agent-initiated pause-and-resume is not PCI DSS compliant. The PCI Security Standards Council advises that call centers should “remove sensitive authentication data from their recordings, automatically (with no manual intervention by your staff)”.

Automated pause-and-resume is a more reliable approach to PCI DSS compliance. However, it still has the following disadvantages:

  • Even the most sophisticated pause-and-resume solutions have a negative impact on risk management and compliance. Omitting to record the payment section of a call complicates fraud investigation and dispute resolution, and may mean non-compliance with national regulations which require that transactions are recorded.
  • Performance management is also affected as organizations can lose visibility over the factors leading to successful or failed transactions.
  • It is a complex solution, requiring seamless co-operation between call recording, agent-desktop and call-management systems to ensure card data does not leak into storage systems.
  • Organizations may need to move to a new call recording platform if their existing system doesn’t provide APIs for automated pause-and-resume, representing a considerable expense.
  • The growing number of organizations using screen recording as well as call recording must either choose a pause-and-resume solution which integrates with their screen-recording technology, adding another layer of complexity, or implement measures to mask card details on the agent’s screen, which makes them easier to mistype.

Wider solutions

Fundamentally, pause-and-resume solutions form part of a ‘sticking plaster’ approach to PCI DSS compliance, at best preventing non-compliance for call recording and storage systems only. Because they operate in an environment where agents and other internal systems are still exposed to card data, complex and expensive measures must be implemented to enable a contact center to achieve PCI DSS compliance.

Solutions such as DTMF suppression and IVR-based payments offer an alternative approach, with the possibility of excluding payment card information from the contact center entirely, significantly reducing the burden of compliance.

Tags: Cards, Payments