
New PCI SSC guidelines for taking card payments over the phone

A revised supplementary guidance document entitled ‘Protecting Telephone-Based Payment Card Data’* was issued in November by the PCI SSC (Payment Card Industry Security Standards Council). It provides additional advice for businesses taking payments over the telephone, aimed at reducing the risk of fraudulent activity and ensuring that cardholder data is kept secure during every transaction.

The document, which is aimed at businesses of all shapes and sizes, clearly sets out the areas and processes that are in scope for PCI DSS and offers practical guidance on addressing the twelve principles that are fundamental to compliance. It also describes options for implementing external systems that remove certain compliance responsibilities from the business’s scope and provide the most secure transaction environment for the customer.

Two of our most popular products fit exactly the advice being provided:

PCI Agent: our attended solution

PCI Agent is our ‘attended’ telephony-based solution, in which the agent remains on the line with the caller at all times, for those businesses that see value in providing one-to-one customer service throughout the transaction. The customer enters their card data via their telephone keypad; DTMF suppression masks the tones as they are entered, and only asterisks are shown on the agent’s screen. No card data is captured or stored on the business’s network. Instead, the transaction is processed through a direct, real-time interface with the issuing bank.

Because the agent neither sees nor hears the cardholder data, nor the DTMF tones from which the details could be recovered, the system entirely removes the human-error risk that so many other processes still carry, thereby fully descoping this area of the business from PCI DSS compliance obligations.

As stated in the supplementary guidance document, ‘A properly designed and deployed DTMF-masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope. Entities should avoid solutions that leave agent environments in scope unless there is an unavoidable business requirement to do so.’

AUTO IVR: our unattended solution

Unlike PCI Agent, our Auto IVR solution enables businesses to take over-the-phone payments using an automated call-handling system, without the need for an agent to be involved in the transaction. The system takes the customer through the payment process, prompting them to enter their details via their telephone keypad; those details remain entirely encrypted and hidden from the business’s employees. In addition to providing a secure environment for customers, the business needs to employ fewer agents and can continue to take payments out of hours.

The guidance document states, ‘When properly implemented, an unattended transaction solution could reduce applicability of PCI DSS requirements to the agent and agent desktop environment.’
All of our solutions are specially created to suit the needs of your business, integrating with your existing telephony and IT systems. They are simple to set up, easy to use and flexible, so that changes can be made as the business grows and develops. Best of all, we don’t charge the earth, and our costs are clear from the beginning, so there’ll be no hidden surprises once you’re up and running.

Want to know more? Get in touch with us here or visit our Solutions page for more information. Alternatively, come and see us at next year’s Call & Contact Centre Expo 2019 (stand no. 876), 27–28 March at ExCeL London.

*Read the full version of the PCI SSC report ‘Protecting Telephone-Based Payment Card Data’ (November 2018) here.