Five Reasons Call Centers Should Abandon ‘Stop/Start’ Systems

If your call center takes customers’ payment card information over the phone, you may very well be relying on an inadequate and outdated practice: stop/start.

Also known as ‘pause and resume’, stop/start refers to a method by which call centers block payment information (and other sensitive data) from call recordings. It involves exactly what its name implies. When customers read their payment card details out loud, the call recording is stopped, paused or muted, either manually by an agent or automatically using computer telephony integration (CTI). The recording is then restarted, resumed or unmuted once sensitive information capture is complete. On the surface, stop/start seems like a logical tactic for securing sensitive data, but in actuality, it creates additional security and compliance risks that jeopardize your customers’ data and your business’ reputation.

Here are five reasons organizations should abandon stop/start:

1.    Only the call recording is taken out of scope…some of the time.
The Payment Card Industry Data Security Standard (PCI DSS) dictates that businesses should not record customers’ Sensitive Authentication Data (SAD), such as three-digit security codes (CID, CVC2, CVV2, etc.). Although stop/start systems intend to prevent the recording of this information, only the call recording itself is taken out of the scope of PCI DSS compliance. If there are any recordings that ‘accidentally’ contain the data, then the call recording system, as well as call center hardware and software, are back in scope. In addition, payment data still touches, and is stored in, various call center infrastructure elements and applications – resulting in many weak links from which card data could be garnered, if a breach occurs.

Even automated stop/start solutions present problems. Although some automatically stop the recording when the agent reaches a payment screen or workflow, the agent is still able to see and hear the information and type it into the screen. While card numbers and security codes aren’t held on the recording, the agent could be writing them down for potential fraudulent use. Or, a compromised machine could have a keylogger nefariously monitoring and collating information. Plus, nearby eavesdroppers could possibly record or jot down the numbers unbeknown to the customer, who may be reading information aloud in a public place like a grocery store or a crowded airport.

2.    It opens opportunities for misuse by agents.
PCI DSS prohibits manual intervention by staff when removing card data from recordings. Card data must be removed from recordings automatically, so manual stop/start systems are non-compliant. Yet, call centers continue to give agents the freedom to stop and start calls, which creates opportunity for illicit behavior to occur while the call recording is paused. This may include copying down information or attempts of social engineering. The agent could also offer unethical advice or engage in high-pressure sales tactics to reach personal or group targets. In fact, research shows that company insiders account for approximately 50% of security incidents, making agent fraud a very real threat. 

To discourage fraudulent agent behavior, many call centers implement ‘clean rooms’, where employees are stringently monitored and are not allowed to have cell phones, internet or email access, writing materials, paper or even bags. It comes as no surprise that these draconian practices contribute to low employee morale and high staff turnover rates.

Of course, not all misuse of stop/start systems is intentional. Even a seemingly simple mistake can put information at risk. For example, agents may unintentionally forget to stop the recording and accidentally log sensitive customer data. This violates compliance regulations, including PCI DSS if security codes are recorded, and it leaves payment data susceptible to a breach. It takes just one agent to forget to press ‘stop’ for sensitive information to be stolen.

3.    Incomplete recordings can impact quality control efforts. 
Just as agents may forget to pause the call, they may also forget to resume it. Not only is there now no evidence of a transaction taking place, but the recording could leave out vital information that may be required to handle transactional disputes, or to demonstrate quality assurance and compliance with regulatory procedures. If the full recording is not available, it could leave companies vulnerable to a lawsuit or claims that agents acted inappropriately while the recording was stopped. Without a full recording, the company has no proof of what took place between the agent and the caller during the time that the recording was paused. With the full recording, all parties are reassured that a complete record exists and resolving conflicts will be quicker and easier. Also, having a record of the entire call can be a valuable tool for employee training. In the end, complete call recordings protect agents from dishonest claimants, and protect organizations from dishonest agents!

4.    The customer journey and experience are negatively impacted.
With manual stop/start systems, agents must take an extra step in the process, which can increase average handling time (AHT). Reading of multiple card numbers, mis-keyed/rekeyed digits and failed payments may lead to many instances of starting and stopping the recording, thus elongating the call and driving up costs.

Yes, technologies like interactive voice response (IVR) systems remove the need for stop/start and take the agent out of the equation, but they can also cause further frustration and lead to poor customer journeys. This has a negative effect on customer satisfaction, contact resolution metrics and even your bottom line. Often, customers don’t know how to correct mis-keyed information using an IVR system, so they hang up the phone. Likewise, the use of an IVR is ineffective for debt collection teams, where callers simply hang up at the point of collection.

5.    Firms are audited against a broken process.
One of the most startling aspects of stop/start is that companies in regulated industries that must record 100 percent of their calls to demonstrate compliance have an incomplete record of the call. Therefore, many are audited against an inherently broken process. This is especially true for companies in the insurance industry, where call recording is often required to show compliance with an increasing number of regulations and even local or state laws. One example of this is found in the UK, where the Financial Conduct Authority (FCA) insists that financial firms, including insurance brokers, must record complete conversations. The organization advocates that full recordings are useful across all sectors that take payments to ensure there are no disputes over the transactions.

With these shortcomings in mind, it is easy to affirm that stop/start is not only a risky practice, but it is just one piece of the PCI DSS compliance puzzle in the call center environment. 

The Solution: De-scope Your Call Center
Instead of struggling with broken processes, forcing agents to undergo extreme security measures, and introducing various new and complex technologies, take a much simpler route: de-scope your call center

De-scoping, or significantly reducing the number of applicable PCI DSS controls, is a much more time and cost-effective solution – and a more robust, holistic strategy against the threat of fraud and data breaches. The most effective way to de-scope the call center is to keep credit card information and other PII out of the business infrastructure altogether. This is accomplished through solutions that allow customers to securely and discretely enter payment card information on their telephone keypad. The numbers are shielded from the agent (and recordings) using DTMF masking, and sent straight to the payment processer – never touching the call center’s systems. Meanwhile, the recording does not need to be stopped and the agent can remain on the line, in full conversation with the customer, to ensure a smooth customer journey. 

Taking a strategic approach to PCI DSS compliance by de-scoping allows you to focus on business as usual, as well as other IT innovations and developments needed to maintain a competitive edge. With de-scoping you can also avoid significant infrastructure costs (like clean rooms) and maintain highly motivated staff. It is even possible to reduce cyber insurance and public liability insurance with this approach. Most importantly, you’ll minimize the risk associated with reputational damage and protect your customers from costly, high-profile data breaches. So why wait? It’s time to put a ‘stop’ to stop/start and de-scope your call center. Your business, and your customers, depend on it.

What’s Hot on Infosecurity Magazine?