Why so-called ‘pause and resume’ systems are not PCI DSS compliant

We know from talking to potential clients that a large number of organizations are still using so-called ‘pause and resume’ systems in their contact centers, often in the mistaken belief that these systems will make them PCI DSS compliant. Unfortunately, that is not the case.

When we’re asked to help merchants’ IT managers and operations managers with PCI DSS compliance for MOTO (mail order/telephone order) phone payments, they often tell us that they have been (mis)sold pause and resume to ‘make them PCI compliant’. This is only half true at best, because it ignores a number of other key compliance issues in the contact center, as I’ll discuss below.

It’s only one part of a complicated set of PCI DSS compliance requirements

Pause and resume will not, in fact, make your contact center compliant. What it will do (if it works and is used correctly) is keep the card number (PAN) and, above all, the sensitive authentication data (SAD) out of the recording: the card security code (CVV2/CVC2/CID, often called the CV2 or ‘security number’) is SAD, and PCI DSS prohibits storing SAD after authorization, even encrypted. So pause and resume addresses the compliance of the call recordings themselves, and nothing else.

But the bulk of the hundreds of PCI DSS requirements that apply to a contact center remain untouched, including those covering your agents, their PCs, screen recordings and your network, all of which are still exposed to the card numbers even when pause and resume is in use, because the agent still hears the number and keys it into a desktop application over your network.

So, for instance, if your agents are minded to misuse the card data for any reason, they still can; and if you are using unencrypted internet telephony (VoIP), anyone able to capture traffic on the voice path can reconstruct the spoken card details, so you remain wide open to eavesdropping that compromises your customers’ card data. In short, if pause and resume is all you introduce, you are not tackling PCI DSS compliance holistically across the entire contact center environment.

It doesn’t sit well with your customer service or other regulatory requirements

Many organizations originally introduced call recording for monitoring, quality control, training and customer service purposes, with no thought for PCI DSS at all. For those selling financial services, full-length recordings can also be a regulatory requirement for resolving customer complaints.

This poses two problems once you introduce the ability to truncate those recordings. Firstly, you no longer have a recording of the complete call to go through with the staff member concerned, or to deal with any customer issue if need be, which undermines the purpose of recording calls in the first place; and secondly, it may place you in conflict with those other regulations.

Agents can misuse pause and resume

Our own independent research survey of a representative sample of consumers indicates that a very high percentage of consumers believe that contact center agents ‘may commit fraud either directly or indirectly by stealing personal data and credit card details’, having been alerted to this danger by constant media reports of such breaches. This is backed up by the UK’s independent fraud prevention service Cifas, which says that “32% of internal fraud cases reported by members were committed in contact centers, with many of these offences involving staff disclosing customer or commercial data to organised criminal third parties”. And there is little to stop a dishonest agent from abusing the ‘pause’ in a pause and resume system to extract the information they want, in the way they want it, from the customer, with no recorded evidence to catch them, because there is no full-length recording of the call to listen to after the event.

If it sometimes doesn’t work, it’s not fit for purpose at all

More often than not, though, it is simply agent error or system malfunction that causes problems with pause and resume (so frequently, in fact, that large merchants often tell us they have had to turn theirs off). When the system goes wrong, there may be no pause while the agent is taking the card number from the customer, so the number is captured in the recording after all, and you then have the headache of not knowing which recordings contain card data and which do not. You cannot reliably go back and cleanse the legacy data from those recordings, so your call recordings are, by definition, no longer PCI DSS compliant, which renders the system useless. A control that only works most of the time cannot be relied upon as a compliance control at all.

It solves the wrong problem anyway

The main problem with pause and resume though is that it does not address the key issue of customer trust on which the relationship with them (and thus your brand) depends.

The reality is that consumers don’t like reading their card numbers out over the phone in the first place, which pause and resume does not even begin to address. In fact, only 1% to 5% of consumers (depending on country) think that ‘making telephone payments to call centers is secure’, according to our research report, and their clear preference is for ‘technology to keep the card data away from agents altogether’ (between 49% and 60%).

So not only is pause and resume just one part of the larger contact center compliance puzzle, it does not begin to address consumers’ fundamental concerns about the lack of security in contact centers, which is a commercial problem reaching far beyond PCI DSS. This is reinforced by indications from our research that consumers are now even becoming reluctant to conclude a transaction if they have to read out their card number, with 36% in the UK (53% in the USA) saying “there have been several occasions in the past year when I have not bought something due to being worried about the security of my payment card or ID details when buying over the phone”.

Consumers prefer a DTMF technology solution

The solution that consumers prefer, by a factor of more than 2:1 over pause and resume, is DTMF (dual-tone multi-frequency) payment technology, where the consumer keys their card number on the touchtone keypad of their own phone.

For the merchant, this is doubly important. Not only does a DTMF payment solution such as our proprietary CardEasy ‘keypad payment by phone’ system resolve the overriding issue of customer trust, it stops the card number from entering your contact center at all: the consumer’s keypad tones are captured and masked before they reach the agent, so the number is neither visible nor audible to agents or to call recordings. Call recordings can therefore be full length again, and your pause and resume system can finally be retired.

A DTMF suppression (or masking) system such as CardEasy resolves nearly all of the PCI DSS requirements that apply in the contact center, de-scoping your contact center environment and saving you the time, cost and hassle of PCI DSS monitoring and audits. The one thing to be clear about is that the component doing the capture and masking still handles card data and must itself be compliant; what you remove from scope is the exposure of your agents, their desktops, your recordings and your voice network. It also results in shorter average handling times (AHT) and less mis-keying, because the agent no longer has to take the card number down, read it back and then key it in; two procedures are reduced to one, and the mistakes an agent might make in the process are avoided.

That is why DTMF is now the standard for payments in contact centers: for customer experience and trust, for PCI DSS resolution and for hard-nosed commercial reasons. Pause and resume is no longer fit for purpose.