The problem with Pause and Resume
PCI-DSS compliance insists that sensitive payment card information must be protected. However this can cause businesses a headache if they record calls for training or monitoring purposes as the card data can be captured, causing a conflict with compliance.
To combat this problem and to avoid capturing sensitive authentication data (SAD) such as the 3 digit security number on the back of the card, many companies use the 'Pause and Resume' call recording method. This can either be a manually or automatic system.
This however, causes its own problem as it undermines the very reason calls are recorded. The call recording is there to provide an unequivocal record of what conversations took place over the telephone. A gap in this record creates doubt. What was said during this time? If a customer is claiming a policy or product was mis-sold or they were misinformed in some way, a complete record to refute this claim no longer exists.
This is especially relevant to financial services industry. The Financial Conduct Authority (FCA), the UK regulator for the financial services industry, demands that service providers keep sufficient detail of their transactions. The rules in COBS11.8 oblige firms to retain records of specific telephone conversations and electronic communications of client order services that relate to the reception, transmission and execution of client orders and proprietary trading. In insurance contact centres, FCA recommendations are met by recording calls. So in order to comply with PCI-DSS regulations, some contact centres simply pause recordings while the while card information is read out, and resume recording once the payment process is complete. This again creates a window of uncertainly should a customer raise a complaint or concern.
In addition a common myth is that 'Pause and Resume' call recording removes you from scope. On it's own it does not.
The call recording element is taken out of scope, but the rest of your environment remains in scope and must form part of your audit.
The PCI Security Standards Council do not regard Manually activated Pause and Resume methods as being compliant.
By using our SOTpay solution, no sensitive payment card information enters your environment, thus supporting full PCI DSS compliance and removing your contact centre from scope.
This means that the entire conversation can be recorded, complying with both PCI DSS and FCA guidelines and regulations and proving a useful tool in consumer disputes.
What makes it even better is that SOTpay is cloud based, which means that no expensive hardware or amendments to your current telephony solution are required.