Is Pause and Resume PCI Compliant?
Any business that takes card payments over the phone must comply with the Payment Card Industry Data Security Standard (the PCI DSS), which states that sensitive authentication data MUST NOT be stored, even if encrypted.
The repercussions for non-compliance are hefty fines, serious reputational damage, increased compliance costs and, in some cases, withdrawal of card payment facilities.
This creates a problem for the large number of businesses that are required to keep a record of every call to satisfy the regulations of their particular industry (for example, certain companies in the financial sector that the FCA obliges to keep FULL recordings of their calls for at least six months from the date the record was created).
To avoid breaching any regulations, many contact centres manually pause and resume their call recordings, the intention being that (if done correctly) no card details are captured on the recording and the business becomes compliant with the PCI DSS.
Unfortunately, this does not make them compliant. Here’s why:
- Avoiding capturing card details in a recording is only one part of a very complicated set of PCI DSS requirements. It doesn’t stop your agents, your PCs, your screen recordings, your network and even your CCTV from being exposed to those card details.
- Manual pausing is unreliable, and even one mistimed pause puts you in breach of the PCI DSS. Card details might be read out unprompted by a customer, or the customer could say something important while the recording is paused and the information would be missed.
- Most importantly of all, the PCI DSS guidelines themselves require that card data is removed from recordings “automatically”, that is, with no way for staff to interfere with the process at all.
Automated pause and resume comes with many complications of its own. One of these relates to the security of not just the data, but the agents who have access to it. 90% of enterprise businesses suffered an information security breach last year, and 75% of these involved an insider.
Luckily there are other options available to contact centres taking card payments today.
In this week’s personalised web conferences, we’re discussing the ways that contact centres can take card payments without being in breach of the PCI DSS.