Implementing PCI-Compliant Secure Pause via Physical SIP Endpoints

Executive Summary & Architectural Context

Payment Card Industry Data Security Standard (PCI-DSS) regulations mandate that the 3-digit CVV code on a credit card must never be stored in audio or text format. When an agent takes a credit card payment over the phone, the contact center’s call recording system must be paused to prevent the Sensitive Authentication Data (SAD) from being written to disk.

While Genesys Cloud provides an automated “Secure Pause” API and a manual button in the web UI for agents to pause the recording, these solutions fail when agents are using Physical SIP Hardphones (e.g., Polycom, AudioCodes, Yealink) operating independently of the Genesys Cloud desktop interface.

The architectural solution is to configure Secure Pause via DTMF (Dual-Tone Multi-Frequency). This allows an agent using a physical desk phone to press a specific key sequence (e.g., *8) on their physical dial pad to signal the Genesys Cloud backend to instantly pause the call recording and analytics engines. This masterclass details the configuration of DTMF secure pause and the security implications of tone suppression.

Prerequisites, Roles & Licensing

  • Licensing: Available on all Genesys Cloud CX tiers.
  • Roles & Permissions: Telephony > Phone > Edit, Telephony > Base Settings > Edit.
  • Platform Dependencies:
    • Physical SIP phones provisioned and registered to the Genesys Cloud Edge.

The Implementation Deep-Dive

1. Activating DTMF Secure Pause at the Trunk/Phone Level

Genesys Cloud must be instructed to listen for specific DTMF tones mid-call.

  1. Navigate to Admin > Telephony > Phone Management.
  2. Go to the Base Settings for your physical phones (e.g., Polycom VVX 411).
  3. Under the Media or Features tab, locate the Secure Pause setting.
  4. Enable DTMF Secure Pause: Toggle to ON.
  5. Start Sequence: Define the digit string the agent will press to pause the recording (e.g., *8).
  6. Stop Sequence: Define the digit string to resume the recording (e.g., *9).

2. Defining the Pause Duration (The Safety Net)

Agents will inevitably forget to press *9 to resume the recording after the payment is processed. If the recording isn’t resumed, the remaining 10 minutes of the customer interaction will be lost, crippling your Quality Management (QM) processes.

  1. In the same configuration menu, locate the Secure Pause Duration.
  2. Set this to a fixed limit based on your average handle time (AHT) for payment processing (e.g., 60 seconds or 90 seconds).
  3. Logic: The agent presses *8. The recording stops. The agent takes the card number. After exactly 60 seconds, Genesys Cloud automatically resumes the recording, even if the agent forgot to press *9.
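The start/stop/auto-resume logic above, as an added model (not Genesys Cloud code) for working out which parts of a call should be missing from the recording so they can be reconciled against recording metadata. It assumes the page's example values (*8, *9, 60 seconds) and that a *9 pressed after auto-resume, or a second *8 during a pause, is ignored.

```python
START, STOP, MAX_PAUSE = "*8", "*9", 60.0   # example values from this page

def paused_intervals(keypresses, call_end):
    """keypresses: [(seconds_from_call_start, key)] from the agent leg.
    Returns [(pause_start, pause_end, reason)] for the whole call."""
    intervals, buf, paused_at = [], "", None
    for t, key in sorted(keypresses):
        # Safety net: a pause older than MAX_PAUSE was already auto-resumed.
        if paused_at is not None and t >= paused_at + MAX_PAUSE:
            intervals.append((paused_at, paused_at + MAX_PAUSE, "auto-resume"))
            paused_at = None
        buf = (buf + key)[-max(len(START), len(STOP)):]   # keep only the last keys
        if paused_at is None and buf.endswith(START):
            paused_at, buf = t, ""
        elif paused_at is not None and buf.endswith(STOP):
            intervals.append((paused_at, t, "agent"))
            paused_at, buf = None, ""
    if paused_at is not None:                 # call ended or timer fired after last key
        end = min(paused_at + MAX_PAUSE, call_end)
        reason = "auto-resume" if end < call_end else "call-end"
        intervals.append((paused_at, end, reason))
    return intervals

# Constructed agent-leg keypresses (seconds from call start, key).
CALL_RESUMED = [(120.0, "*"), (120.5, "8"), (155.0, "*"), (155.5, "9")]
CALL_FORGOT = [(200.0, "*"), (200.5, "8")]                  # agent never presses *9
CALL_LATE = [(10.0, "*"), (10.5, "8"), (85.0, "*"), (85.5, "9")]  # *9 after the timer

if __name__ == "__main__":
    for name, keys, end in (("resumed", CALL_RESUMED, 600.0),
                            ("forgot", CALL_FORGOT, 800.0),
                            ("late", CALL_LATE, 300.0)):
        print(name, paused_intervals(keys, end))
```

Any gap in a recording that is not explained by one of these intervals, or any interval that the recording does not show as a gap, is worth investigating.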

3. The Analytics Suppression Requirement

Pausing the audio recording is only half the battle. If you have Speech and Text Analytics enabled, the transcription engine is actively listening to the call. If the agent repeats the credit card number back to the customer to confirm it (“I have 4111…”), the transcription engine will print the card number in plain text in the analytics database.

  • The Architecture: By design, triggering the Secure Pause in Genesys Cloud (whether via the UI, the API, or DTMF) automatically suspends both the audio recording engine AND the real-time transcription engine simultaneously. No custom Architect flows are required to sync these states.

Validation, Edge Cases & Troubleshooting

Edge Case 1: In-Band vs. RFC 2833 DTMF

If an agent presses *8 on their Polycom phone and nothing happens, the DTMF tones are not reaching the Genesys Cloud Edge correctly.

  • The Cause: The physical phone is likely sending DTMF “In-Band” (as literal audio beeps within the RTP stream). The Genesys Cloud Edge might be configured to expect “Out-of-Band” DTMF via RFC 2833 / RFC 4733 (digital signalling packets).
  • Solution: Ensure your Phone Base Settings and your Carrier Trunk settings use the same DTMF Payload Type (usually Payload 101). Force the physical phones to use RFC 2833, so the Edge receives the *8 string as discrete DTMF events instead of treating it as background noise.
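To check from a packet capture whether a phone is really sending RFC 2833 / RFC 4733 events on the expected payload type, the RTP payloads can be decoded directly. The following is an added example, not code from Genesys Cloud; the sample packets are constructed, and payload type 101 is the value named above (the real value is whatever the SDP negotiates).

```python
import struct

EVENTS = "0123456789*#ABCD"          # RFC 4733 event codes 0-15
DTMF_PT = 101                        # payload type named on this page

def parse_telephone_event(packet, dtmf_pt=DTMF_PT):
    """Return (rtp_timestamp, key, end_flag, duration) or None if not a DTMF event."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        return None                                  # too short or not RTP version 2
    b0, b1, _seq, ts, _ssrc = struct.unpack("!BBHII", packet[:12])
    if b1 & 0x7F != dtmf_pt:
        return None                                  # ordinary audio, e.g. PT 0 (PCMU)
    offset = 12 + 4 * (b0 & 0x0F)                    # skip the CSRC list
    if b0 & 0x10:                                    # header extension present
        if len(packet) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    if len(packet) < offset + 4:
        return None
    event, flags, duration = struct.unpack("!BBH", packet[offset:offset + 4])
    if event >= len(EVENTS):
        return None                                  # non-DTMF named event
    return ts, EVENTS[event], bool(flags & 0x80), duration

def keys_pressed(packets, dtmf_pt=DTMF_PT):
    """One key per event: updates and end retransmissions share one RTP timestamp."""
    keys, seen = [], set()
    for pkt in packets:
        ev = parse_telephone_event(pkt, dtmf_pt)
        if ev and ev[0] not in seen:
            seen.add(ev[0])
            keys.append(ev[1])
    return "".join(keys)

def _rtp(pt, seq, ts, payload):      # helper that builds the constructed sample packets
    return struct.pack("!BBHII", 0x80, pt, seq, ts, 0x1234) + payload

# Constructed capture: audio, then '*' (event 10) and '8', each sent as
# two updates plus three end packets, then audio again.
SAMPLE = [_rtp(0, 1, 160, bytes(160))]
seq = 2
for ts, code in ((320, 10), (2720, 8)):
    for flags, dur in ((0x0A, 160), (0x0A, 320), (0x8A, 480), (0x8A, 480), (0x8A, 480)):
        SAMPLE.append(_rtp(DTMF_PT, seq, ts, struct.pack("!BBH", code, flags, dur)))
        seq += 1
SAMPLE.append(_rtp(0, seq, 3520, bytes(160)))
```

If `keys_pressed` returns an empty string for a capture in which the agent pressed *8, the phone is either sending in-band tones or using a different payload type than the one being checked.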

Edge Case 2: Tone Suppression (The “Bleed-Through” Risk)

When a customer types their credit card number on their phone keypad, those DTMF tones travel across the network. If your recording system captures the tones, malicious actors can use audio software to reverse-engineer the credit card number from the pitch of the beeps.

  • The Architecture: Genesys Cloud automatically performs Tone Suppression. Regardless of whether Secure Pause is active, if the Genesys Cloud Edge detects DTMF tones arriving from the customer leg of the call, it actively filters them out of the .wav recording file.
  • Caveat: If you are using a BYOC Premise setup and your local carrier does not use RFC 2833 (meaning they send raw in-band audio beeps), the Edge’s tone suppression algorithm might miss extremely fast or distorted beeps, leading to compliance violations. Always demand RFC 2833 from your local carrier.
