Is Pause and Resume Dead? Yes, it never was the solution to meeting PCI DSS requirements!

Blog

9 Dec 2024

PCI DSS V4.0.1 extends further the requirements for securing card payments during storage, processing and transmission. If you’re still thinking that your only issue is call recording, it’s now time to think again and discover why other solutions are now essential for compliance and protecting cardholder data.

For a long time, pause and resume was tabled as a way to meet some of the PCI DSS requirements and, incorrectly by some, as a way to be compliant. In reality it only ever dealt with storage: it stops card data landing in the call recording, and nothing more. With the release of PCI DSS Version 4.0.1 (the sole active version from the end of December 2024, when v4.0 was retired) the bar has moved, and meeting the standard now looks very different. Simply put, organizations must fully understand the scope of their environment, map the controls needed for that scope, and meet the updated standard. Pause and resume may be one of those controls, but V4.0.1 also requires organizations to periodically review many of the requirements and the technologies behind them. What will you do if one of those reviews finds cardholder data where it should not be?

Let’s break it down and talk about why that is.

The Problem with Pause and Resume

Here’s the issue. As mentioned, pause and resume only handles storage; it does nothing for transmission or processing, because the card number is still spoken to the agent, still crosses the telephony path, and still has to be keyed into a payment system. Pause and resume can also fail. When it does, cardholder data ends up in the wrong place – an unintended channel or system that’s not properly secured. At that point the data is no longer protected according to PCI DSS requirements and you’re in a compliance nightmare.

If your system fails to pause or resume correctly and card data is stored in an unprotected system, that system is now in scope for PCI DSS. The data itself also falls under PCI DSS rules, meaning you’ll need to secure it, most likely find and delete it, and implement new measures to ensure it doesn’t happen again.

In short: you’ve just added a whole bunch of extra work, risk, and potential liability to your business.

Manual Pause and Resume Just Won’t Cut It

The reason is simple: it’s too easy for human error to creep in. An agent might forget to pause at the right moment, or might resume recording too soon. There is also the issue of system glitches. If anything goes wrong and card data slips through, it is exposed – and that’s a real security risk, not just a paperwork problem.

In fact, the PCI DSS V4.0.1 guidance is clear that relying on manual intervention to protect cardholder data is generally not best practice. Section 5 of the PCI DSS Requirements and Testing Procedures, ‘Best Practices for Implementing PCI DSS into Business-as-Usual Processes’, sets out a number of steps that are harder to meet if you are relying on manual intervention. In addition, the standard requires hardware and software technologies in use to be reviewed at least once every 12 months for effectiveness and continued vendor support (Requirement 12.3.4). Automation in many areas is seen as the best way to meet the needs and the guidance of each requirement. In a nutshell, the “hit or miss” nature of pause and resume didn’t cut it before and still doesn’t.

What Happens If You Fail to Comply?

The consequences of failing to meet PCI DSS compliance are serious. Not only do you risk a data breach – exposing sensitive card information – but you could also face fines, legal trouble, and a loss of customer trust. And in today’s world, that last part is huge. If customers don’t feel like their data is safe with you, they’re not going to keep doing business with you.

The End of Pause and Resume

So what does all this mean? It’s pretty clear that if you are recording calls and have implemented pause and resume as your only protection, that isn’t enough. Even if you meet all the other requirements of the standard, the possible failure of pause and resume adds risk to both your organization and your compliance. PCI DSS V4.0.1 is steering companies away from outdated approaches and towards more secure methods for handling cardholder data. The idea is to reduce the potential for human error and to ensure that sensitive payment information is handled properly every time, without fail.

This is a positive step, even though it means companies can’t rely on old-school methods like pause and resume. The future is about automation, encryption, tokenization, and other secure, PCI DSS-compliant solutions that don’t leave room for human mistakes.

What You Can Do Instead: The Eckoh Solution

If you’re still relying on pause and resume, it’s time to adopt more robust solutions that ensure PCI DSS V4.0.1 compliance. One of the best ways to do that is to use one of Eckoh’s PCI DSS compliant solutions.

Eckoh provides innovative technology designed to secure payment data without the need for manual intervention. Eckoh’s solutions integrate with your contact center operations to protect cardholder and other sensitive data throughout the entire payment process, automatically, without requiring agents to pause and resume. By using Eckoh’s solutions, you can eliminate the need for manual pause and resume altogether, ensuring that cardholder and other sensitive data is always protected.*

Final Thoughts: Move Beyond Pause and Resume

To put it simply: pause and resume doesn’t cut it and never did. It’s too error-prone, too dependent on manual intervention, and too risky in terms of PCI DSS V4.0.1 compliance. If you want to protect your business and your customers, it’s time to adopt more secure solutions for handling cardholder data.

The shift away from manual pause and resume may seem like a big change, but it’s one that will future-proof your business and protect both your customers and your bottom line. So, if you haven’t already, now is the time to embrace the change and move to automated solutions that keep cardholder data out of your environment and support your compliance with PCI DSS V4.0.1.

*It is worth noting that Pause and Resume has never met the UK Financial Conduct Authority (FCA) requirement to record and retain the entire telephone call.