Pause and Resume: Is It PCI DSS Compliant? – QSA Q&A with Joe Meyer, NCC Group

In our second installment of our QSA Q&A blog series, Joe Meyer, director of risk management practices, NCC Group, returns to share his thoughts on the practice of “pause and resume” (or stop/start) call recording.

Pause and resume is a method for blocking payment information and other personally identifiable information (PII) from call recordings. When customers read their payment card details out loud, the call recording is paused, stopped or muted, either manually by an agent or automatically using computer telephony integration (CTI). The recording is then resumed, restarted or unmuted once the capture of sensitive information is complete. While pause and resume may seem like a logical tactic for securing sensitive data, it leaves holes in an organization’s security and compliance strategy. Here’s what Joe has to say:

1. Semafone upholds that pause and resume is a broken process for shielding payment card data from call recordings. As a QSA, how do you view this practice?

Frankly, I don’t disagree with that statement, but I caution the implication that it’s not acceptable. The reason is that if an organization is still recording calls without the pause and resume option, then implementing pause and resume is better than nothing. Still, pause and resume is only a partial or “Band-Aid” solution to a much larger problem. To achieve intended and best practices status, removing the credit card from the environment altogether is the way to go. By relying on a customer service representative (CSR) or an application to properly and effectively pause and resume the process, there remains an inherent risk that 100-percent removal of the cardholder data (CHD) is almost impossible to achieve.

2. How do “clean rooms” (where CSRs cannot have cell phones, writing utensils, bags, etc.) fare as an option for removing risks associated with pause and resume? Why are/aren’t they the right route to take?

Implementing clean rooms might seem like a good idea, but they still do not remove the biggest risk associated with a call center: the CSR or agent. With a clean room, there is still an incredible amount of scrutiny that must occur from an assessor to ensure that the clean room and its associated functions are working as intended. By removing the CHD from scope altogether, there is no need to incur the cost of creating or maintaining a clean room.

3. Do you know anyone who went down this route? How did it impact their organization?

The old adage of “half of zero is still zero” applies here. In cases where organizations still record or take credit cards as part of their CHD intake process – and where implementing a removal solution like Semafone isn’t an option – we would like to see the organization, at the very least, move from their the current non-secure/compliant process to using a clean room. However, in these rare cases, the organizations should still have a master plan to eventually remove the CHD from the credit card scope altogether by implementing a solution to do so.

4. What are the biggest risks when it comes to pause and resume?

The dependency and reliance of 100-percent execution. The moment the CSR/agent or the technical component fails, your scope explodes.

5. As a QSA, what do you advise companies to do to reduce the risks associated with pause and resume?

Unfortunately, the only advice is to ensure that the process works 100 percent of the time because the moment it doesn’t, your scope is exponentially increased. If an organization is currently using pause and resume, our recommendation is to consider using a solution, vendor or third-party that can remove the CHD from their environment altogether.

As a third-party solution provider and PCI DSS compliance expert, Semafone can keep CHD (and other sensitive information) completely out of your call center infrastructure. We provide a simpler route to PCI DSS compliance without struggling with broken processes (like pause and resume) or forcing agents to undergo draconian or extreme security measures like clean rooms. Our solution allows customers to securely and discretely enter payment card information on their telephone keypad. The numbers are shielded from the agent – and recordings – using DTMF masking, and sent straight to the payment processer, bypassing the call center completely. This means that the recording does not need to be paused and the agent can remain on the line, in full conversation with the customer.

Semafone thanks Joe Meyer for sharing his insights in the first two installments of our QSA Q&A blog series. To hear more from Joe, check out the recording of our recent webinar, “PCI DSS Compliance & Your Call Center: The Dos and Don’ts of Scope Reduction,” here; and be sure to read Part 1 to this blog series, here. Stay tuned for our next guest!

Pause and Resume: Is It PCI DSS Compliant? – QSA Q&A with Joe Meyer, NCC Group