How to Protect Sensitive Amazon Connect Recordings in Amazon Transcribe


When your contact center handles sensitive payment information en masse, it’s critical to maintain PCI compliance. The right contact flow empowers agents to disable recording while taking sensitive information so that data never even reaches storage. 

Key Takeaways

  • PCI compliance is a major concern for contact centers that accept credit card information from customers. 
  • The best way to protect sensitive data is by preventing its storage in the first place using contact flows in Amazon Connect. 
  • Agents can enable secure entry using a quick connect contact flow to temporarily stop recording while customers provide sensitive data. 
  • Contact centers can opt-out of sharing data with Amazon Web Services for an added layer of security. 
  • Teaming up with a member of the AWS Partner Network will ensure smooth implementation and maintenance of Amazon Connect contact flows. 

Accepting private and personal information is part of operating all contact centers — if not credit card numbers for payments or refunds, then it’s billing addresses or other personally identifiable information (PII). Payment card industry (PCI) compliance standards are rigorous to keep that critical data private and secure for the duration of its storage, but the payments industry is no stranger to data breaches. 

These are just three of the dozens of PII leaks that happened in 2020:

  • Prestige Software: This hotel reservation platform leaked personally identifiable information belonging to over 10 million guests who booked their reservations through Expedia,, or
  • JM Bullion: The e-commerce precious metals brand was affected by malware that collected names, addresses, and credit card details (including account numbers, expiration dates, and security codes) of an unknown number of users.
  • Twitter: In June 2020, a security breach exposed PII and payment information belonging to an unspecified number of business accounts, including the last four digits of the user’s payment card, as well as phone numbers and email addresses. 

Complying with the Payment Card Industry Data Security Standards (PCI DSS) ensures that your data security practices are up to the highest standards in the industry. 

Still, data breaches happen with even the most secure contact center systems. What if the best way to protect your customers’ most sensitive information is by preventing its collection during conversations in Amazon Connect

Protect sensitive data at the agent level

As soon as a customer speaks their details into the phone (or types them into the chat window), that data is potentially at risk. No matter how foolproof your Amazon Web Services security setup may be, there is always the potential for new vulnerabilities and malware to crop up.

With that in mind, there’s a natural conclusion: A customer’s payment details and PII are only safe when they aren’t collected anywhere except temporarily during the point-of-sale. 

To opt-out of recording personal information in recordings and transcripts, there needs to be power at the agent level to begin a secure conversation in Amazon Connect. 

Agents control secure data entry for callers 

Amazon Connect supports contact flows with Hold agent blocks. Creating such a block lets agents click one button to enable a temporary secure session for the customer to enter their details with the agent and the recording both on hold. After, the call (and recording) resume at the point where they stopped. 

What this means for PCI compliance

When they’re used correctly, contact flows and hold blocks reduce the likelihood of compromising PII substantially — there’s no potential for a data leak if you aren’t saving and storing the information in the first place (human error aside). 

This makes PCI compliance much simpler — you’re storing less data and, ideally, not storing credit card numbers at all (your credit card processor should be the only entity that receives that information, so it’s not even stored in your own database). 

How to stop Amazon Connect recordings during customer input

The procedure for putting a recording and agent on hold while customers enter payment data (or other secure information) is simple, requiring only that you configure settings for recording, audio prompts, and customer encryption; and create a new contact flow and quick connect instance. 

Here’s how in eight steps: 

H3: Step 1: Set call recording behavior

Create a Set call recording behavior block to an existing contact flow that you want to use and assign permissions to the agents and supervisors who will use the feature. To do so, open the contact flow from a user account that has permissions, then select Routing > Contact flows and select Set call recording behavior. 

H3: Step 2: Create a new contact flow

From the left navigation bar, select Routing, then Contact flows. Choose Sample secure input with agent and save the contact flow. This creates a contact flow that transfers the agent to a hold queue on demand. 

H3: Step 3: Configure audio prompt settings

Select the Store customer input block title to open the settings menu, then choose Prompt and specify the prompt that plays when the customer enters the secure part of the call. Under Customer input, configure the Custom or Phone number input that links the customer to their profile. 

H3: Step 4: Name the customer contact attribute

Choose the Set contact attributes block and select Use attribute under Attribute to save. Enter a name to reference the Destination key and click Save, then Save and Publish the contact flow. 

H3: Step 5: Create a quick connect 

Find Routing on the left menu and choose Quick Connects, then Add new. Enter the Name, choose Queue as the Type, and select BasicQueue for Destination. Designate the Transfer to queue contact flow from earlier to the Contact flow field, then Save

H3: Step 6: Enable the agent queue

Go back to Routing, then choose Queues and select the queue you want to use. Under Quick connects on the Edit Queue page, select the quick connect you want to use and Save. 

H3: Step 7: Make an incoming test call 

Make an incoming call to an agent who will use the system and have them use the quick connect to start a secure session for PII entry. The recording should automatically pause when the caller enters the session and resume when the agent picks up the call again. 

H3: Step 8: Check Amazon Simple Storage Service (S3) 

Check the database in Amazon Simple Storage Service (S3) and find the recording. Review it to make sure that the recording stops and resumes at the appropriate times and collects no PII or payment data. 

Testing and checking the recording are the last two steps — your agents can now trigger a hold on the recording and remove themselves from the call (temporarily) to allow a secure environment for the customer to enter their data. 

Leverage AWS managed services for end-to-end PCI compliance

The PCI compliance implications for this capability are huge — the best security efforts can still fail, so the best failsafe is to avoid storing data at all. 

The usual approach is to redact PII and payment card information from transcripts and call recordings. But this process is subject to error, and rogue actors can intercept data in transit before it’s protected or removed.

With this Amazon Connect feature, the agent can remove themself from the call and stop the recording with a single click, giving the caller a secure environment to enter their information (which will never be stored). 

It’s a critical feature for contact centers of all sizes and from any industry — but especially e-commerce and services, which capture credit card numbers and deal with PCI compliance on a constant basis.  

Not all contact centers have the resources, time, or manpower to manage their own Amazon Connect infrastructure, let alone add features like this agent hold. If your contact center handles sensitive data in any form but lacks a dedicated IT department (or IT time to spend on it), then working with a cloud managed services partner can help reallocate the load. CloudHesive is an AWS Certified Partner Agency and Premier Consulting Partner with a focus on security, reliability, availability, and scalability — reach out today to learn how we can help.

Related Blogs

  • Ensuring HIPAA compliance with Amazon Connect: A Guide for Healthcare SaaS Providers

    Healthcare IT – HIPAA Compliance Best Practices in Amazon Connect Healthcare application providers are responsible for ensuring systems protect patient data to comply with HIPAA regulations. HIPAA...

    Learn More
  • Ensuring Robust Security in Amazon Cloud Environments

    Amazon has the tools and CloudHesive has the expertise to keep your SaaS data safe.   Rock-solid security is crucial in all cloud environments, especially for SaaS platforms, which handle...

    Learn More
  • What You Need to Know about Cloud Security in the Generative AI Era

    Key Takeaways: Find out how generative AI is changing cloud security. Learn best practices for cloud security in the generative AI era.  Discover generative AI tools and techniques for enhancing and...

    Learn More