Understanding the Impact of Pause and Resume on PCI DSS Compliance

As per usual, this article is the result of a recent conversation at a networking event, and I wanted to put it down in writing to help provide some clarity based on my thoughts. Even though the initial topic had nothing to do with PCI DSS, it unavoidably made its way into the discussion, as it often does. Reflecting on that conversation, I’m sharing insights drawn from the PCI Security Standards Council’s Information Supplement, “Protecting Telephone-Based Payment Card Data.”

This article can be used in conjunction with my previous one, "Achieving PCI DSS Compliance in Contact Centers: Navigating VoIP, Cloud Services, and Telephony Security Solutions," which provides a view on compliance, business impact and Cloud Providers.

Note - While writing this article, I was considering the interchangeable use of terminologies such as "Call Centre" vs. "Contact Centre." I asked AI, as you do, and it provided the following information:

The difference between a call centre and a contact centre primarily lies in the communication channels they manage:

  1. Call Centre: Focuses exclusively on handling customer interactions via voice calls, whether inbound (customer calls) or outbound (agent calls). Call centres typically manage phone-based customer service, support, sales, and queries, making it a single-channel environment.
  2. Contact Centre: Encompasses multiple communication channels beyond voice calls, including email, live chat, social media, SMS, and sometimes video chat. Contact centres support an omnichannel approach, allowing customers to choose their preferred communication method, and often include tools for managing these interactions in an integrated system.

In essence, a contact centre provides a more versatile, multichannel customer support experience, while a call centre is dedicated specifically to phone-based interactions.

So, in my next article, I plan to discuss the use of Chat in "Contact Centres" and the acceptance of credit and debit card payments, as well as how this affects PCI Scope. Keep an eye out for more details. Anyway, moving on...


Pause and Resume for PCI DSS Compliance in Call Centres

For call centres handling payment data, implementing PCI DSS-compliant processes is essential. Pause and Resume functionality is frequently used to prevent sensitive cardholder data from being captured in call recordings by stopping the recording when payment data is provided, then resuming afterward. While this can help reduce PCI scope by removing sensitive data from recordings, it’s important to recognise the broader implications for PCI DSS compliance. Specifically, Pause and Resume only addresses the PCI DSS requirement for the storage of cardholder data, but telephony systems, as a whole, remain in scope and must be secured accordingly.

1. Telephony Systems and PCI DSS Scope

In environments where cardholder data is processed over the phone, telephony systems fall within PCI DSS scope. Any part of the infrastructure involved in capturing, transmitting, or processing sensitive card data, including voice calls, must comply with PCI DSS requirements. This includes telephony systems used to manage VoIP or traditional calls carrying cardholder data, as these systems have the potential to expose sensitive information if not properly secured.

Even with Pause and Resume in place, telephony systems remain in scope because:

  • Live Transmission of Data: The live handling and transmission of cardholder data still occur over the call network. While Pause and Resume prevent data storage, they don’t address the transmission of sensitive information through telephony channels.
  • Vulnerable Points of Access: Telephony systems, including VoIP, PBX, and contact centre infrastructure, require controls to protect cardholder data against unauthorised access during the transmission and handling phases of the call.

Thus, while Pause and Resume helps limit the storage of card data within call recordings, it does not exempt telephony systems from broader PCI DSS requirements related to securing cardholder data during live transmission.

2. How Pause and Resume Impacts PCI DSS Compliance Scope

Pause and Resume can help reduce PCI scope by addressing only one specific PCI DSS requirement:

  • Requirement 3 – Protect Stored Cardholder Data: By implementing Pause and Resume, organisations ensure that cardholder data is not captured within call recordings, meaning these recordings no longer need to meet the PCI DSS requirements for stored data. In other words, the recordings are no longer subject to the Requirement 3 controls for encryption, access control, and storage protection of cardholder data.

However, Pause and Resume only removes the PCI DSS requirement for the storage of cardholder data. It does not remove other PCI requirements that apply to the telephony infrastructure handling live or transmitted data.

3. PCI DSS Requirements Still in Scope for Telephony Systems

With Pause and Resume in place, certain PCI DSS requirements remain relevant to the telephony systems and live handling of cardholder data:

  • Requirement 1 – Install and Maintain a Firewall Configuration to Protect Cardholder Data: Telephony systems, including VoIP, must be protected by firewalls to prevent unauthorised access to live data transmissions containing sensitive cardholder data.
  • Requirement 4 – Encrypt Transmission of Cardholder Data Across Open, Public Networks: The transmission of cardholder data over telephony channels, such as VoIP, must be encrypted when crossing open or public networks to prevent interception. VoIP systems, in particular, require secure encryption protocols to ensure data remains protected during transmission.
  • Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know: Access controls must be in place for telephony systems to ensure that only authorised personnel can interact with live calls involving cardholder data. This helps prevent unauthorised access to cardholder data in real time.
  • Requirement 10 – Track and Monitor All Access to Network Resources and Cardholder Data: Any access to telephony systems that interact with live cardholder data must be tracked and monitored. Organisations need to audit and log access events for compliance and to detect potential security breaches.

Note: The above is not meant to be an exhaustive list of all PCI requirements; it's just an example of a few. Talk to your QSA with telephony knowledge for a full listing.

4. Risks and Challenges with Relying Solely on Pause and Resume

While Pause and Resume effectively limits the storage of cardholder data, it introduces several challenges and does not fully address PCI compliance for live data handling:

  • Human Error Risks: If agents manually activate Pause and Resume, there is a risk of human error—agents may forget to pause, resume too early, or miss steps entirely. Such mistakes can result in unintended recording of sensitive data, creating potential PCI DSS violations.
  • Limited Coverage of PCI DSS Requirements: Pause and Resume only covers the recording storage aspect, leaving the rest of the telephony system within PCI DSS scope for real-time data handling. Therefore, organisations must still implement encryption, access controls, and monitoring for telephony systems handling live cardholder data.
  • Inconsistent Implementation Across Channels: In environments with multiple communication channels (e.g., chat, email, digital interactions), it can be challenging to ensure that Pause and Resume functions effectively for all channels, particularly in omnichannel contact centres.

5. Let's not forget Legacy Call Recordings

Many years ago, when I was an active QSA, I came across my organisation's legacy call recordings. It's possible that they were unaware of the existence of PCI DSS. It was always a surprise to them that these calls could be in scope of the PCI Standards.

Legacy call recordings can present unique challenges for PCI DSS compliance, particularly if they contain sensitive cardholder data (CHD) that was recorded before the implementation of Pause and Resume. These recordings fall within PCI DSS scope if they contain CHD or sensitive authentication data (SAD) and must be safeguarded accordingly. However, managing and securing legacy recordings can be complex, especially if redaction or secure deletion is not feasible.

Scope Implications: Any stored call recordings that contain unredacted CHD/SAD automatically extend the PCI DSS scope. Such recordings must be treated as sensitive data assets and protected following all PCI DSS requirements for storage, access control, monitoring, and encryption. This can increase the burden of compliance, as legacy recordings may reside across various storage systems or lack modern security controls.

Redaction Challenges: If redacting CHD/SAD from legacy recordings is not technically viable, organisations are faced with the continued responsibility of managing these recordings within PCI DSS scope. This may require substantial operational changes to ensure compliance, including limiting access to authorised personnel, implementing encryption protocols, and conducting regular security reviews to verify that these controls are in place.
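The human-error risk in section 4 (an agent forgets to pause) and the redaction problem just described have the same detection step: find where account data ended up in a recording. As an added example that is not part of the original article, the check below scans call-recording transcripts (assumed to exist as text, e.g. from speech-to-text), uses a Luhn check to separate real PAN-shaped sequences from order references that merely look like card numbers, flags recordings for review, and redacts the transcript to the last four digits. The transcripts and function names are constructed for illustration; the card numbers are publicly known test PANs, not live data.

```python
import re

# Constructed sample transcripts (not real calls). call-002 and call-004 show
# a Pause and Resume failure: card numbers were spoken while recording ran.
# Numbers are publicly known test PANs, not live card data.
SAMPLE_TRANSCRIPTS = {
    "call-001": "agent: I will pause the recording now. [recording paused] "
                "[recording resumed] thank you, the payment has gone through.",
    "call-002": "customer: the number is 4111 1111 1111 1111 expiry 12 27 "
                "security code 123",
    "call-003": "customer: my order reference is 1234 5678 9012 3456",
    "call-004": "agent: I see the card ending 5500 0000 0000 0004, is that right?",
}

# 13 to 19 digits, optionally separated by spaces or dashes as a speech-to-text
# engine tends to emit them; the lookarounds stop partial matches inside longer runs.
PAN_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for well-formed PANs, false for most references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(transcript: str) -> list:
    """Return the PAN-shaped, Luhn-valid sequences present in one transcript."""
    return [m.group() for m in PAN_RE.finditer(transcript) if _is_pan(m.group())]


def mask(transcript: str) -> str:
    """Redact each detected PAN to its last four digits (Requirement 3 display rule)."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if _is_pan(m.group()) else m.group()
    return PAN_RE.sub(repl, transcript)


def review_recordings(transcripts: dict) -> dict:
    """Map call id -> number of PANs found, for recordings needing review or redaction."""
    found = {cid: len(find_pans(text)) for cid, text in transcripts.items()}
    return {cid: n for cid, n in found.items() if n}
```

Note that this only finds PANs; the spoken security code in call-002 is sensitive authentication data and would need a separate check, and a flagged recording still needs the underlying audio redacted or deleted, not just the transcript.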

Compensating Controls: When redaction is not possible, compensating controls must be implemented to mitigate the risks associated with unredacted CHD/SAD in legacy recordings. Compensating controls for legacy call recordings might include:

  1. Enhanced Access Controls: Restrict access to the recordings to only those with a legitimate business need, and implement stringent authentication measures.
  2. Encryption: Apply encryption to recordings at rest to protect data from unauthorised access.
  3. Regular Monitoring and Auditing: Establish monitoring and audit protocols to track access and actions related to the legacy recordings, helping to quickly identify and address any security incidents.
  4. Physical Security for Storage Media: Ensure that any physical media (e.g., tapes, hard drives) containing legacy recordings is securely stored, with restricted access and clear disposal processes.

Documenting the Compensating Control: Organisations must document and justify any compensating control in alignment with PCI DSS requirements, ensuring that it not only meets the original security control's intent but goes above and beyond. This documentation should include a risk assessment, a clear rationale for the control choice, and details on how it sufficiently mitigates the risks associated with storing CHD/SAD in unredacted recordings. Your QSA will validate this, and you may need to collaborate with your acquiring organisation to guarantee their comprehension of the risk involved. I know we could have a whole article on this, but this is not the time or place :).

In summary, legacy call recordings with unredacted CHD/SAD bring additional compliance and security challenges. Where redaction isn’t feasible, implementing and documenting compensating controls is essential to minimise risk and meet PCI DSS obligations for these data assets. I have known organisations to make the decision to delete legacy recordings even when they are regulated, as the cost of securing them far outweighs the cost of any associated fines.


Conclusion

I'm hoping to have put to rest one of the most common misconceptions: that with Pause and Resume your PCI scope disappears and you are compliant. Although Pause and Resume can effectively eliminate the PCI DSS requirement for cardholder data storage, it only partially fulfills the PCI compliance requirements for call centres. Telephony systems remain within PCI scope because they still handle live cardholder data during transmission, necessitating encryption, access controls, and monitoring.

While this article focuses on technologies like Pause and Resume, it’s essential to remember that people and processes are always in PCI DSS scope too. Effective security relies not only on technology but also on trained personnel following robust procedures to protect cardholder data. Every agent handling sensitive information and every process guiding them plays a critical role in maintaining compliance. And while we’re exploring technology advancements, the human element remains crucial—at least until AI eventually steps in to handle it all for us!

Organisations using Pause and Resume should be aware of its limitations and might want to consider additional measures like DTMF masking, secure IVR, and tokenisation to ensure comprehensive PCI DSS compliance across all telephony systems. Combining these tools with robust access control and monitoring policies will help protect sensitive cardholder data throughout the entire call process, from live handling to transmission and storage.

ASK - I'd love to hear your thoughts on the matter and the conversations you've had about Pause and Resume. Also, although I haven't covered it here, the big question I get asked regularly, and where the answer is "it depends", is: which SAQ do we fit into? SAQ A, C, or D?



Disclaimer:

The views and opinions expressed in this LinkedIn article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organisation, or any other entity I may be associated with.


Jim Seaman

Business Information Security Officer (BISO) | Cyber Security & Risk Consultant | PCI DSS Compliance Specialist | Author | Speaker | MSc, CISM, CRISC, CDPSE | 20+ Years in Security Risk Management

1 week

In 2002, I was introduced to two types of threats that could impact Contact Centres that use Pause/Resume:

  1. Today, electro-magnetic emanations (aka TEMPEST) are referred to as a Side Channel Attack. Where the credit card details are manually entered by the Call Agent, a threat actor could intercept and compromise them. https://isurushivantha.blogspot.com/2018/08/side-channel-attacks.html
  2. Hardware keyloggers. The threat actors plug the device between the IT system and the wired keyboard. https://www.vadesecure.com/en/cybersecurity-terms-and-definitions-vade?letter=K

Although the likelihood of such attacks might be low, the impact could be significant.

Simon Shepherd

Secure, compliant, frictionless payments with exceptional CX

3 weeks

Really great article Simon. Very well put. Thank you. I've lost count of the number of times I get (mistakenly) told by a potential customer that their telephone payments are PCI DSS Compliant because they use pause and resume. Probably about the same number of times I'm told it's unreliable and doesn't work! I agree with John Greenwood, the depth and accuracy of your article is so helpful. I'll be tagging and referring others to it.

John Greenwood

Helping organisations make better customer contact decisions.

3 weeks

Thanks for sharing Simon. What I love about your articles is the depth and accuracy of your statements. Let me add a bit more colour and context.

  1. That pause resume only takes the call recorder and call recording storage out of scope. Which means that the agent, desktop, everything that the agent is connected to, the building, ALL remains in scope.
  2. Pause resume comes in two flavours, manual and automatic. Neither of which are reliable. Which means that entities should invoke processes that monitor the level of recorded account data within their call recording storage. Which means that the call recorder and call recording storage drift in and out of scope.
  3. You mention that technology does not always effectively deal with legacy call recordings. Well, that's not quite the case. Back in 2012, I deployed the world's first legacy call recording solution. This was agreed between the team of engineers I employed to build it and Visa. It gave the organisation compliant access to 150m call recordings, and alongside the world's first hosted DTMF solution effectively enabled the entire 2,500 seat contact centre to attest using SAQ A, rather than D or C.

Keep up the good work Simon and look forward to your next article.
