PCI DSS Compliance for VoIP and Call Recording: What You Need to Know
If your business takes card payments over the phone, your VoIP system and call recording setup are directly within the scope of PCI DSS (Payment Card Industry Data Security Standard). Non-compliance is not just a technical shortcoming — it exposes your organisation to data breaches, regulatory fines, increased processing fees and loss of the ability to accept card payments altogether.
This guide explains how PCI DSS applies to VoIP telephony and call recording, where the risks lie and what practical steps your business needs to take to achieve and maintain compliance.
What Is PCI DSS and Why Does It Matter for VoIP?
PCI DSS is a set of security standards established by the major card brands (Visa, Mastercard, American Express, Discover and JCB) to protect cardholder data wherever it is stored, processed or transmitted. Any business that handles card payments — including those taken verbally over the phone — must comply.
When a customer reads their card number, expiry date and CVV to your agent over a VoIP call, that sensitive data is:
- Transmitted across your VoIP network as voice packets
- Processed by your agent who enters the details into a payment terminal or software
- Potentially recorded if your call recording system captures the conversation
Each of these stages creates a potential point of compromise. PCI DSS requires you to protect cardholder data at every stage of its lifecycle.
The Call Recording Problem
Call recording is the single biggest compliance challenge for businesses taking card payments over VoIP. PCI DSS Requirement 3.2 explicitly states that sensitive authentication data, including the three- or four-digit CVV/CVC code, must not be stored after authorisation, even if encrypted.
If your call recording system captures the full conversation including the moment a customer reads out their CVV, you are storing sensitive authentication data in violation of PCI DSS. This applies regardless of whether the recording is encrypted, access-controlled or automatically deleted after a set period.
The Key Distinction: PAN vs Sensitive Authentication Data
- Primary Account Number (PAN): The long card number. This can be stored if properly encrypted and access-controlled, though it is still best to avoid storing it if possible.
- CVV/CVC: Must never be stored after authorisation under any circumstances.
- Expiry date: Can be stored if protected, but storage should be minimised.
- Cardholder name: Can be stored with appropriate protection.
Methods for Achieving PCI DSS Compliance with VoIP
1. Pause and Resume Call Recording
The most straightforward approach is to pause the recording when the customer begins providing card details and resume it once the payment is complete. This can be done:
- Manually: The agent presses a button on their phone or softphone to pause recording. Simple but relies entirely on human behaviour — agents may forget, and the pause point may not be precise enough.
- Automatically: The VoIP or recording platform detects when the agent opens the payment application or triggers a specific call flow, automatically pausing recording for a defined period.
- API-driven: The payment application sends an API call to the recording system to pause and resume, ensuring tight synchronisation.
Pause and resume is effective and widely used, but manual methods introduce compliance risk. Automated or API-driven approaches are strongly preferred.
2. DTMF Masking and Suppression
Instead of reading card details aloud, the customer enters them using their phone keypad (DTMF tones). A compliant DTMF masking solution:
- Replaces DTMF tones with flat tones or silence in the audio stream so the agent cannot hear the digits
- Strips DTMF data from the call recording entirely
- Routes the entered digits directly to the payment processor without passing through the agent or recording system
DTMF masking removes cardholder data from the voice path completely, significantly reducing your PCI DSS scope. It is considered one of the most robust compliance methods available for phone payments.
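The API-driven pause/resume from method 1 and the DTMF routing from method 2, modelled together as an added example (this is illustrative code written for this article, not the API of any recording platform or payment product; every class and function name is assumed). The payment application signals the start and end of card capture, keypad digits go straight to a collector that the agent and recorder never see, and the CVV is discarded the moment authorisation completes.

```python
# Added example (not the article's or any product's code); all names are assumed.
DTMF_MASK = "*"   # flat tone / masked character the agent gets instead of a digit
class CallRecorder:
    def __init__(self):
        self.paused, self.stored = False, []   # stored = the eventual recording
    def write(self, kind, value):
        if not self.paused:                    # while paused, nothing is stored
            self.stored.append((kind, value))
class PaymentCollector:   # gets digits directly; agent and recorder never see them
    def __init__(self):
        self.pan, self.cvv, self.field = "", "", "pan"
    def accept_digit(self, d):
        if self.field == "pan": self.pan += d
        else: self.cvv += d
    def authorise(self):
        # Stand-in for a PCI-compliant gateway call; CVV cleared right after use
        ok = 13 <= len(self.pan) <= 19 and len(self.cvv) in (3, 4)
        self.cvv = ""
        return ok

class CallSession:
    def __init__(self):
        self.recorder, self.agent_hears, self.collector = CallRecorder(), [], None
    def payment_start(self):                   # API call from the payment app
        self.recorder.paused, self.collector = True, PaymentCollector()
    def payment_end(self):
        ok = self.collector.authorise()
        self.collector, self.recorder.paused = None, False
        return ok
    def handle(self, kind, value):
        # kind: 'speech', 'dtmf', or 'field' (payment app switches pan -> cvv)
        if kind == "field" and self.collector:
            self.collector.field = value
        elif kind == "dtmf" and self.collector:
            self.collector.accept_digit(value)  # routed straight to the collector
            self.agent_hears.append(DTMF_MASK)  # agent hears a flat tone only
        else:                                  # normal speech (or DTMF outside payment)
            self.agent_hears.append(value)
            self.recorder.write(kind, value)

def run_sample_call(pan="4111111111111111", cvv="123"):
    # Constructed call: amount confirmed, card keyed in via DTMF, recording resumed
    s = CallSession()
    s.handle("speech", "total is 42.00, please key your card number now")
    s.payment_start()
    for d in pan: s.handle("dtmf", d)
    s.handle("field", "cvv")
    for d in cvv: s.handle("dtmf", d)
    ok = s.payment_end()
    s.handle("speech", "thank you, payment approved")
    return ok, s.recorder.stored, s.agent_hears
```

The returned recording contains only the two speech segments, the agent's audio shows one masked tone per digit, and no PAN or CVV is held anywhere once the session returns to normal recording.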
3. Secure Payment IVR
An interactive voice response (IVR) system can handle the payment process entirely without agent involvement. The call flow typically works like this:
- The agent confirms the payment amount with the customer.
- The agent transfers the customer to a secure payment IVR.
- The IVR prompts the customer to enter card details via DTMF.
- The IVR processes the payment through a PCI-compliant gateway.
- The customer is returned to the agent with a confirmation.
This approach completely removes the agent and the recording system from the payment data flow, achieving the maximum possible scope reduction.
4. Agent-Assisted Payment Solutions
Specialised third-party payment platforms sit between your VoIP system and the payment processor. The agent stays on the call to guide the customer but never hears or sees the card details. The solution intercepts DTMF tones in real time, validates the card data and processes the payment, all while the agent sees only masked information on their screen.
These solutions integrate with most hosted VoIP platforms and can be deployed without changes to your existing telephony infrastructure. For guidance on call recording features and options, see our article on call recording for businesses.
PCI DSS Requirements That Apply to VoIP
The following PCI DSS requirements are most relevant to VoIP environments:
- Requirement 1: Install and maintain network security controls. This includes firewalls and segmentation between your VoIP network and cardholder data environment.
- Requirement 2: Apply secure configurations. Default passwords on IP phones, PBX systems and recording platforms must be changed.
- Requirement 3: Protect stored account data. If call recordings contain card data, they must be encrypted with strong cryptography and access must be restricted.
- Requirement 4: Protect data in transit. VoIP traffic carrying cardholder data must be encrypted using TLS and SRTP.
- Requirement 7: Restrict access to cardholder data. Only personnel with a business need should have access to call recordings that may contain payment data.
- Requirement 8: Identify users and authenticate access. Multi-factor authentication for anyone accessing systems within the cardholder data environment.
- Requirement 10: Log and monitor all access. Audit trails for access to call recordings and payment systems.
Reducing Your PCI DSS Scope
The most effective strategy is to reduce the scope of your PCI DSS assessment by removing cardholder data from as many systems as possible. For VoIP this means:
- Never store CVV in any form — pause recording, use DTMF masking or implement a payment IVR.
- Avoid recording card numbers — even though PAN storage is permitted when encrypted, not recording it in the first place is simpler and safer.
- Segment your network — isolate VoIP and payment systems from general office traffic to limit the systems in scope.
- Use a PCI-compliant payment provider — offloading payment processing to a certified third party reduces your own compliance burden.
- Document your scope — clearly map which systems handle cardholder data and which do not, and validate this mapping regularly.
For broader guidance on compliance frameworks that affect UK businesses, our article on IT compliance for UK businesses covers GDPR, Cyber Essentials and ISO alongside PCI DSS.
Common Mistakes to Avoid
- Assuming hosted VoIP means you are compliant: Your provider may be PCI compliant for their infrastructure, but you are still responsible for how your agents handle card data and how your recording system stores it.
- Relying solely on manual pause/resume: Human error is inevitable. Automated controls are far more reliable.
- Ignoring voicemail: If a customer leaves a voicemail containing card details, that voicemail is stored cardholder data and must be handled accordingly.
- Forgetting about screen recordings: If you record agent screens for quality assurance, captured payment screens may contain card data.
- Not testing regularly: Compliance is not a one-time achievement. Regular testing, auditing and staff training are essential to maintain it.
Steps to Get Started
If your business takes card payments over VoIP and you are not confident in your PCI DSS compliance, take these steps:
- Map every point where cardholder data is spoken, entered, transmitted, processed or stored in your telephony environment.
- Check whether your call recording system captures card data — if it does, implement pause/resume or DTMF masking as a priority.
- Review your VoIP encryption settings — ensure TLS and SRTP are enabled and enforced.
- Speak to your VoIP provider about PCI-compliant payment integrations they support.
- Engage a PCI QSA (Qualified Security Assessor) or complete the appropriate Self-Assessment Questionnaire for your merchant level.
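For the second step above, checking whether recordings (and voicemails) already hold card data, here is an added scanner written for this article rather than taken from any product: it runs over call or voicemail transcripts, keeps only digit runs that pass the Luhn check so order and phone numbers are not flagged, and reports each hit masked to the last four digits so the report itself does not become stored cardholder data. The transcripts and identifiers are constructed.

```python
# Added example (not from the article); names and sample transcripts are constructed.
import re

DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")   # 13-19 digits, spaces/dashes allowed

def luhn_ok(digits):
    # Luhn checksum: rejects most random digit runs (order numbers, phone numbers)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_pans(text):
    """Return [(masked_pan, offset)] for Luhn-valid card-like runs in text."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # report masked: the scan output must not itself store the PAN
            hits.append(("*" * (len(digits) - 4) + digits[-4:], m.start()))
    return hits

def scan_recordings(transcripts):
    """transcripts: {recording_id: text}. Returns only the ids needing remediation."""
    found = {rid: find_pans(t) for rid, t in transcripts.items()}
    return {rid: hits for rid, hits in found.items() if hits}

SAMPLE = {  # constructed transcripts, not real calls
    "rec-001": "order 2023100412 confirmed, delivery on the 14th",
    "rec-002": "the card number is 4111 1111 1111 1111 and the security code is 123",
    "vm-007": "hi, please charge 5500-0000-0000-0004, expiry 09 27, thanks",
}

if __name__ == "__main__":
    for rid, hits in scan_recordings(SAMPLE).items():
        print(rid, hits)   # e.g. rec-002 [('************1111', 19)]
```

Recordings flagged this way are stored cardholder data under Requirement 3 and need to be purged or quarantined, and the same scan applied to voicemail transcripts catches the case listed under common mistakes.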
PCI DSS compliance is not optional for any business that handles card payments. Getting your VoIP and call recording environment right is a critical component of that compliance and protects both your customers and your business.