Pause-and-resume of call recordings is obsolete: Exploring PCI DSS 4.0.1 and its impact on data security practices

Contact center management, PCI DSS, Security


PCI DSS v4.0.1, the only active version of the standard since v4.0 was retired at the end of December 2024, adds scoping guidance that directly affects businesses that rely on pausing and resuming call recordings to keep their customers' payment card data out of stored audio. The guidance addresses a specific risk: cardholder data arriving in a channel that was never designed or secured to hold it.

Let’s break down what this update means and why it signals the end for pause and resume as a viable security practice—and why customers, as well as compliance teams, will welcome the change.

The new guidance on unintended channels

According to PCI DSS v4.0.1, an organization that inadvertently receives cardholder data or sensitive authentication data through an insecure, unintended channel (a recording, a chat log, an email inbox) has two options:

  1. Include the channel in the scope of the Cardholder Data Environment (CDE) and secure it according to PCI DSS standards.
  2. Securely delete the data and implement measures to prevent the channel from being used again for transmitting sensitive information.

This guidance puts the emphasis on prevention and, where prevention fails, on documented remediation. It leaves little room for ad hoc controls whose failures are neither detected nor cleaned up.

The risks of pause and resume under the new guidelines

Pause and resume is still used in many contact center environments, despite leaving customers' cardholder data exposed in several ways. The recording is paused when sensitive information is about to be spoken and resumed once the exchange is complete. While it may seem like a straightforward way to avoid recording sensitive data, the method has inherent risks:

  • If pause and resume fails: Pausing is triggered either manually by the agent or automatically by a desktop, IVR or payment-page event, and both kinds fail in practice: the agent forgets, the trigger fires late, the customer reads the number back before the pause takes effect, or the integration breaks after a software update. The result is a full card number (and sometimes the security code) stored in the recording platform, its backups and any quality-monitoring or analytics tools that read from it. Under the updated PCI DSS guidance, that recording platform has become an unintended channel, and the organization must either:
    • Bring the affected channel into scope and secure it to PCI DSS standards, or
    • Find and securely delete every recording that captured the data, and
    • Implement measures to prevent recurrence.
  • Manual pause and resume is no longer viable: The guidance makes clear that "hit and miss" controls such as manual pause and resume are inadequate. Human error or process gaps lead directly to compliance breaches, exposing organizations to significant security and regulatory risk.
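The remediation path above ("find and securely delete every recording that captured the data") presupposes that you can tell which recordings a failed pause actually leaked into. The following Python is an added illustration, not code from the original post or from any product it mentions: it scans call transcripts (constructed sample data, labelled as such) for digit runs that look like a primary account number, uses the Luhn check to discard ticket numbers and mis-read digits, and reports each affected call ID with the PAN masked to its last four digits so that the alert itself does not become another unintended channel. The transcript format, call IDs and the `Finding` type are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data for the example (not real calls): three transcript
# excerpts. Only c-102 is a genuine pause/resume failure; c-103 contains a
# 13-digit ticket reference and a mis-read card number, both of which should
# be ignored because they fail the Luhn check.
SAMPLE_TRANSCRIPTS = {
    "c-101": "Agent: recording paused. ... Agent: recording resumed, thanks for that.",
    "c-102": "Customer: sure, it's 4111 1111 1111 1111, expiry oh-nine twenty-seven.",
    "c-103": "Customer: my ticket reference is 1234567890123, and the card was 4111 1111 1111 1112.",
}

# 13-19 digits, optionally separated by single spaces or dashes (as a
# speech-to-text engine typically renders a number read out in groups).
# The lookarounds stop the pattern from matching the middle of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PAN candidates found in a transcript, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits; the alert must not carry the full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Finding:
    call_id: str
    masked_pan: str


def scan_transcripts(transcripts: dict[str, str]) -> list[Finding]:
    """Identify calls whose transcript captured a card number (i.e. where pause/resume failed)."""
    findings = []
    for call_id, text in transcripts.items():
        for pan in find_pans(text):
            findings.append(Finding(call_id, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for f in scan_transcripts(SAMPLE_TRANSCRIPTS):
        # Each flagged call is a recording that must be securely deleted (or
        # brought into scope); the masked value is safe to put in a ticket.
        print(f"{f.call_id}: PAN captured ({f.masked_pan}), recording must be securely deleted")
```

The Luhn filter is what keeps the scan usable: plain "13 to 19 digits" would flag every order number and the mis-read card in c-103. It also means the scan is detective, not preventive. A number the customer mis-spoke, or that the transcription engine garbled, can slip past it, which is exactly why the post argues for keeping the data out of the channel in the first place rather than hunting for it afterwards.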

Pause-and-resume: The invisible process customers can’t see

It is not only a compliance problem. Pause and resume also makes for a poor customer experience: many customers are uncomfortable reading their card details aloud to a contact center agent, especially when they perceive security to be a concern, and the pause itself is invisible to them, so they have no way of knowing whether their number was recorded.

Moving away from pause and resume demonstrates a serious commitment to customer security and privacy. By adopting technologies that eliminate the need to give contact center agents sensitive details, organizations can:

  • Build trust and confidence with their customers.
  • Deliver a seamless and more professional interaction.
  • Minimize friction in the payment process.

The compliance benefits of moving beyond pause and resume

Beyond improving the customer experience, moving away from pause and resume simplifies compliance. Systems that keep sensitive data out of the contact center altogether, so that it never reaches agents, their desktops or the recording platform, take those components out of PCI DSS scope, which makes achieving and maintaining compliance far easier than relying on a control that merely tries to avoid capturing data that is already in the room.

With pause and resume, the agent, the desktop and the recording platform all still handle cardholder data, so organizations remain "on the hook" for:

  • Costly and time-consuming PCI DSS assessments of those systems against the standard's full set of requirements.
  • Managing ongoing risks to the Cardholder Data Environment (CDE), including external attacks on recording storage and insider threats such as coercion of contact center agents who hear the card details.

By contrast, solutions such as CardEasy prevent sensitive data from entering your environment in the first place and can drastically reduce your compliance burden while enhancing overall security and customer experience.

What’s next for organizations?

For organizations relying on pause and resume, it is time to reassess data security and compliance strategy. The likelihood of a failed pause, and the cost of finding, deleting and explaining the resulting recordings under the updated guidance, far outweigh the convenience of the legacy method.

Organizations that move beyond pause and resume not only future-proof their compliance strategies but also demonstrate to their customers they’re serious about protecting their data. By eliminating sensitive data exposure from the start, companies can streamline compliance, enhance security and deliver a superior customer experience.