What is Pause and Resume?

What Is Pause and Resume?

Pause and resume is a method of handling card payments over the phone where the call recording is temporarily stopped while the customer provides their card details, then restarted once the payment is complete. The idea is straightforward: if the recording is paused, card numbers and security codes are not captured in the audio file, which helps with PCI DSS compliance.

This approach became widely adopted in the early days of contact centre payment security because it was simple to understand and relatively easy to implement. An agent presses a button (or triggers a shortcut) to pause the recording, takes the card details verbally, processes the payment, and then resumes the recording. No special hardware or software was initially required beyond basic call recording controls.

How Pause and Resume Works in Practice

The typical pause and resume workflow looks like this:

• The agent reaches the payment stage of the call and clicks a button to pause the call recording
• The customer reads out their card number, expiry date, and security code
• The agent types the details into a payment terminal or virtual terminal
• The payment is processed
• The agent resumes the call recording and continues the conversation

Some more sophisticated implementations automate parts of this process. For example, the recording might pause automatically when the agent opens a payment screen, or resume automatically after a set period. But the fundamental mechanism remains the same -- the recording is switched off during the sensitive part of the call.

The Compliance Problem

While pause and resume removes card data from call recordings, it has several significant limitations that make it a partial solution at best.

The Agent Still Hears Everything

This is the biggest issue. Pausing the recording does nothing to prevent the agent from hearing the card details. The customer reads out their full card number, expiry date, and CVV -- and the agent hears every digit. This means:

• Agents could write down card details or memorise them
• Other people in the contact centre could overhear the information
• Screen-sharing or monitoring tools may capture the data as it is typed
• The entire agent desktop environment remains in PCI DSS scope

Human Error

Pause and resume relies on the agent remembering to press the pause button at the right moment and the resume button afterwards. In a busy contact centre handling hundreds of calls per day, agents will inevitably forget. A single missed pause means card data is recorded in full -- and that recording then becomes a compliance liability.

Studies have shown that manual pause and resume has a failure rate that can be surprisingly high. Even well-trained agents in well-managed centres make mistakes, especially when under pressure to handle calls quickly.

Incomplete Descoping

Because the agent still hears and handles card data, pause and resume does not descope the contact centre from PCI DSS. The agent workstations, the network they sit on, the screens they use, and the telephony infrastructure all remain in scope for PCI assessment. This means businesses still need to meet the full range of PCI DSS requirements across their entire contact centre environment -- a costly and complex undertaking.

Pause and Resume vs DTMF Masking

The key difference between pause and resume and DTMF masking is what happens to the card data during the call.

With pause and resume, the customer reads their card details out loud. The agent hears them, types them in, and the recording is temporarily paused. Card data passes through the voice channel and the agent environment.

With DTMF masking, the customer enters their card details on their phone keypad. The tones are replaced with flat sounds before reaching the agent, so the agent never hears the actual digits. The data is routed directly to the payment processor without ever entering the agent environment.

The practical impact of this difference is significant:

• PCI DSS scope Pause and resume leaves the entire contact centre in scope. DTMF masking descopes it completely.
• Human error risk Pause and resume depends on agents pressing buttons at the right time. DTMF masking works automatically with no agent action required.
• Data exposure Pause and resume still exposes card data to agents. DTMF masking ensures no one in the call chain hears or sees the data.
• Compliance cost Maintaining PCI compliance across a full contact centre is expensive. Descoping with DTMF masking dramatically reduces that cost.

When Pause and Resume Might Still Be Used

Despite its limitations, pause and resume is still used by some organisations, typically because:

• They are in the early stages of improving their payment security and pause and resume is a quick first step
• Their call volumes are very low and the operational overhead is manageable
• They have not yet moved to a more thorough solution like DTMF masking

However, as PCI DSS requirements have tightened -- particularly with version 4.0 -- and as the cost and complexity of maintaining in-scope environments has increased, most organisations are moving toward solutions that remove card data from the voice channel entirely.