The Payment Card Industry Security Standards Council (PCI SSC) is clear that sensitive authentication data, such as the card security code, must never be stored after authorisation, and that any stored primary account number (PAN) must be rendered unreadable; a call recording in which a customer reads out a card number and security code is stored cardholder data. You want to prevent data breaches, but you also want to record your calls to support WFO, customer experience and customer service. The simple answer is 'pause and resume your call or screen recordings', but does this make you compliant, and is it worth the risk?
In our webinar 'Compliance in the contact center: four misconceptions around compensating controls' we looked at a number of methods that contact centres adopt as a compromise. Of these, pause and resume is the most popular, but it comes with its own drawbacks. Let's look at them in more detail.
At the point of payment, either the agent pauses and resumes the recording (manual) or key words trigger the pause (automatic). During busy periods an agent can easily forget to pause, so the card number and security code are recorded and stored in breach of PCI DSS. An automatic system removes the onus from the agent, but it cannot be relied on to work 100% of the time: a trigger that fires late or not at all captures card data, and one that fires early or resumes late loses legitimate conversation. Missing audio is a serious problem in a dispute, and a regulator investigating a complaint will expect complete recordings. Gaps you cannot explain risk reputational damage if they become public knowledge.
Pause and resume also does nothing about hackers and employees. Verizon's 2015 Data Breach Investigations Report is quoted as finding that 50% of security breaches are caused by insiders. Pausing the recorder only stops the recording: the agent still hears the customer read out the card number and still sees it on screen, so it can still be written down or captured by other means, and anyone who has compromised the agent's telephony or desktop can capture it too.
Taken together, pause and resume is neither a compliant nor a low-risk solution. So what is?
DTMF masking technology such as Agent Assist is a viable alternative. The customer enters the card details on the telephone keypad. The DTMF tones are suppressed both audibly (the agent hears no distinguishable key tones) and visually (the number is never displayed on the agent's screen), the agent and the customer stay in conversation the entire time, and once the card details have been entered they are sent directly to the payment provider to be processed and completed. This means that neither outsiders nor insiders can obtain the card details from the call, there is no manual intervention, and the sensitive card data never touches your network, which takes the contact centre out of PCI DSS scope ('descoping'). Because no cardholder data reaches the recorder, the call can be recorded in full, which also satisfies regulations that require complete recordings. Two checks a practitioner will want to make: the masking provider now handles the card data on your behalf and so must itself be a PCI DSS-validated service provider, and the reduction in scope should be confirmed with your QSA rather than assumed.
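To make the mechanism concrete, here is an added example, written for this page and not PCI Pal's Agent Assist code or any vendor's implementation, of the in-band half of DTMF masking: it detects the two-tone DTMF keypresses in 8 kHz telephony audio with the Goertzel algorithm, blanks those frames out of the stream that goes to the agent and the recorder, and collects the digits on a separate path for the payment provider. The audio is constructed inside the block (a two-sinusoid stand-in for conversation plus synthesised DTMF for Visa's published test card number, not a real call); the frame-aligned keypresses, the 0.1 magnitude threshold and the `mask_dtmf` API are assumptions of the example.

```python
import math

SAMPLE_RATE = 8000          # narrowband telephony audio: 8 kHz PCM as floats in [-1, 1]
FRAME = 205                 # analysis frame (~25.6 ms), the classic Goertzel DTMF choice at 8 kHz
THRESHOLD = 0.1             # normalised tone magnitude that counts as a keypress (assumption)

# DTMF keypad: each key is one low-group tone plus one high-group tone.
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]


def goertzel_magnitude(frame, freq):
    """Magnitude of `freq` in `frame` via the Goertzel algorithm, normalised so that a
    full-frame sinusoid of amplitude A scores about A/2 whatever the frame length."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)             # nearest DFT bin to the target tone
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2    # |X[k]|^2
    return math.sqrt(max(power, 0.0)) / n


def detect_digit(frame):
    """Return the key pressed during `frame`, or None if no valid DTMF pair is present."""
    low = [goertzel_magnitude(frame, f) for f in LOW_FREQS]
    high = [goertzel_magnitude(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    # A keypress needs one strong tone from EACH group; speech does not satisfy that.
    if low[row] < THRESHOLD or high[col] < THRESHOLD:
        return None
    return KEYPAD[row][col]


def mask_dtmf(samples):
    """Split one audio stream into two outputs with different destinations: the digit
    string (payment provider only) and the masked audio, in which every frame carrying
    a keypress has been blanked before it can reach the agent or the recorder."""
    masked = list(samples)
    digits = []
    previous = None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        # A partial tail frame is not analysed here; a production masker must use
        # overlapping frames so a tone straddling a boundary cannot leak through.
        digit = detect_digit(frame) if len(frame) == FRAME else None
        if digit is not None:
            masked[start:start + FRAME] = [0.0] * FRAME
            if digit != previous:               # one press spans several frames
                digits.append(digit)
        previous = digit                        # the inter-digit gap resets debouncing
    return "".join(digits), masked


# --- constructed test audio (not a real call) --------------------------------

def tone(freqs, n, amp=0.5):
    """n samples of the sum of sinusoids at `freqs`, each with amplitude `amp`."""
    return [sum(amp * math.sin(2.0 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def synth_dtmf(digits, on=2 * FRAME, off=2 * FRAME):
    """DTMF for `digits`: ~51 ms tone and ~51 ms gap per key (the spec minimum is 40 ms each)."""
    out = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        out += tone([LOW_FREQS[row], HIGH_FREQS[col]], on)
        out += [0.0] * off
    return out


TEST_PAN = "4111111111111111"                  # Visa's published test number, not a real card
SPEECH = tone([300, 500], 4 * FRAME)            # stand-in for conversation: non-DTMF frequencies
CALL_AUDIO = SPEECH + synth_dtmf(TEST_PAN) + SPEECH


if __name__ == "__main__":
    pan, recording = mask_dtmf(CALL_AUDIO)
    print("to payment provider:", pan)                                  # 4111111111111111
    print("digits left in recording:", repr(mask_dtmf(recording)[0]))  # ''
```

The security property is in the return value: the recorder and the agent desktop are only ever handed `masked`, and running the detector over it again yields no digits, so a complete recording of the call contains no cardholder data. Commercial products typically also, or instead, intercept keypresses at the telephony layer (RFC 4733 telephone-event RTP packets) so the digits never enter the media stream at all; the in-band detector above is what you need for the calls where DTMF arrives as audio.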
Your customers get peace of mind about the security of their card data, and average handling time (AHT) decreases because the agent and customer remain in conversation throughout the process.
With data breaches increasing year on year and attackers finding more sophisticated ways to get hold of sensitive data, you have to ask yourself: do the benefits of pause and resume outweigh the risks?
To discuss how PCI Pal can help you de-scope your contact centre, get in touch with us.