Why Pause and Resume Call Recording Isn’t Enough
Call recording is an essential process for many contact centres. It allows businesses to monitor, train, and evaluate the quality of their customer service interactions, which can be critical for maintaining customer satisfaction and loyalty and is a regulatory requirement for some industries. Many contact centres handle customer payments, and when it comes to call recording, these businesses need to be aware of the PCI compliance implications around any Pause and Resume call recording solution.
Pause and Resume is a feature that allows contact centre agents to temporarily halt the recording of a call, typically when sensitive information, such as credit card data, is being exchanged. This feature is often promoted as a solution for achieving PCI compliance. However, Pause and Resume solutions can expose organizations and contact centres to unnecessary risk, threats and non-compliance.
- The risks of storing sensitive information
When a call recording is paused, the sensitive information being exchanged during the call is still being stored in the system, albeit temporarily. The temporary storage of sensitive information increases the risk of data breaches or unauthorised access, especially if the data is not encrypted or secured correctly. While Pause and Resume might prevent sensitive information from being recorded, it does not eliminate the risks of storing such data.
- The limitations of manual controls
A Pause and Resume solution relies on manual controls, meaning that the agent needs to remember to pause and resume the recording at the appropriate times. This creates the risk of human error, which can lead to non-compliance and potential breaches. Furthermore, manual controls can easily be overridden, intentionally or unintentionally, putting sensitive information at risk and increasing the pressure on the agent.
- The limitations of contact centre infrastructure
Pause and Resume solutions depend on the capabilities of the organization’s infrastructure, such as the recording system and the telephony platform. If the infrastructure cannot support pause and resume functionality, or if the feature is misconfigured, the ability to pause and resume recordings may not be available, resulting in non-compliance and an increased risk of data breaches.
- The limitations of PCI compliance requirements
PCI compliance is not just about pausing and resuming call recordings. There are many other requirements that businesses need to meet to be fully compliant, such as maintaining secure networks, regularly monitoring and testing security systems, and providing ongoing security training to staff. Using Pause and Resume for call recording does not address these other requirements. Therefore, businesses could still be at risk of non-compliance and data breaches. At best, Pause and Resume would mean that your call recordings are PCI compliant, but that still leaves your infrastructure and agents in scope for PCI DSS.
With more organizations adopting remote or hybrid working, the Pause and Resume process does not descope agents or agents’ desktops unless a clean room environment is enforced. Ensuring work environments are threat-free is challenging to administer or control remotely. This means sensitive payment data could be captured or stored illegally if the agent neglects to pause, or employees could even capture the data.
While the Pause and Resume function may seem like a simple solution for achieving PCI compliance, more is needed. Businesses that rely on call recording for their operations need to be aware of the risks of storing sensitive information, the limitations of manual controls and contact centre infrastructure, and the full scope of PCI compliance requirements.
Instead of relying on the Pause and Resume method, businesses should consider alternative solutions such as DTMF (Dual Tone Multi-Frequency) Masking Technology, which can help protect sensitive information while allowing for effective call recording and an uninterrupted customer journey. By taking a comprehensive approach to PCI compliance, businesses can ensure that their contact centre payment operations meet the highest data security standards and protect their customers’ sensitive information.
Take a look at our updated eBook, which discusses in depth why Pause and Resume is not an adequate method to descope businesses from the requirements of PCI DSS and which technologies organizations should be implementing to protect against data breaches, achieve regulatory compliance and boost CX.