
Call Recording and PCI-DSS Compliance: Securing Contact Centre and Call Centre Calls


Organisations rely on call recordings for training, quality monitoring and compliance purposes. Within the UK financial services sector, regulatory requirements to record specific communications were introduced by the FSA to prevent and detect market abuse. These obligations have since been overseen and expanded by the FCA and apply to defined firms and activities rather than all organisations (source: Financial Conduct Authority).

Contact centres that take MOTO (mail order/telephone order) payments face a particular challenge: PCI-DSS, the security standard for organisations that store, process or transmit cardholder data (source: PCI Security Standards Council), applies to every system that handles card data and to any system connected to it. Companies that accept card payments are contractually required to comply through their merchant agreements with acquiring banks, which in turn enforce compliance under the rules of the card schemes.

To keep card details out of recordings, many companies implement pause and resume (stop/start) recording. Two pausing techniques are typically used: manual, where the agent pauses the recorder before the customer reads out their card details, and automatic, where the pause is triggered by an event on the agent desktop such as the cursor entering the card-number field. The result is intended to be a recording with the card details removed, but that depends on the pause happening at the right moment on every call.

 

The Risks of Pause and Resume Recording

Human Error and Data Exposure

People make mistakes many times a day, and in a contact centre a single missed or late pause has serious consequences: cardholder data ends up stored in the recording. If the recording captures the card security code, it also breaches PCI-DSS's prohibition on storing sensitive authentication data after authorisation (source: PCI-DSS).

It is an ongoing commitment to train new and existing staff thoroughly on when and how to pause recording, and regular quality checks on recorded calls are needed to confirm that agents are following that training.

Both manual and automatic pausing need continuous checking to confirm that no card details have slipped into recordings, and once this approach is embedded across an organisation the ongoing monitoring effort is significant.

Contact Centre Infrastructure Remains in Scope

Pause and resume (stop/start recording) protects only the voice recording. The card details are still read out to the agent and still pass through other systems that process or transmit them, such as:

• Agent desktops
• Screen recordings
• VoIP or telephony infrastructure
• Internal networks

Because PCI-DSS applies to any system that stores, processes or transmits cardholder data, and to systems connected to those, the contact centre remains in scope even when sensitive data is kept out of the recordings (source: PCI-DSS Security Standards).

Incomplete Call Recordings

Pausing and resuming (stop/start) recordings leaves gaps in the recording, making it harder to handle disputes and support customers efficiently. For example, if the part of the call where a payment was taken is missing, verifying a customer's claim may take longer or require additional evidence.

Omitting important details can cause issues with quality checks and regulatory compliance. It could even lead to legal claims if an agent’s behaviour is questioned while the recording wasn’t running, and there is no evidence to show how they acted.

Complete recordings help avoid disputes and make resolving issues faster. Keeping every call on record protects your business and safeguards your reputation.

 

Removing Payment Data from the Contact Centre and Call Centre Environment

Rather than managing card data within the contact centre, businesses are removing it entirely, descoping the environment so that cardholder data (CHD), such as the card number, and sensitive authentication data (SAD), such as the card security code, never enter their internal systems in the first place.

While descoping removes sensitive information from call recordings, companies must still meet other legal or regulatory requirements for recording and retaining communications. For example, in sectors such as FCA-regulated financial services, businesses are required to record calls and electronic communications for audit and dispute handling processes – even if personal payment data is removed from the recordings.

 

How Secure Contact Centre and Call Centre Payment Systems Work

Effective contact centre payment systems use technologies such as DTMF masking to protect sensitive data. Instead of reading the details aloud to the agent:

• Customers enter payment details via the telephone keypad
• The tones are masked or suppressed so that neither the agent nor the recording receives them
• The captured digits are sent directly to the payment gateway

With this approach, sensitive payment data is never exposed to contact centre agents, or their systems, drastically reducing PCI-DSS scope.
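The following Python is an added example, not Key IVR's code and not a description of its product internals. It models the DTMF masking described above as a proxy in the RTP path: digits that arrive out of band as RFC 4733 telephone-event packets (assumed to be on dynamic payload type 101, as negotiated in SDP) are replaced with silence on the leg going to the agent and the recorder, assembled into a card number, and handed only to a stand-in gateway callable, while the agent desktop receives a PCI-DSS-masked number. It also includes the Luhn-based PAN scan that the quality checks described under "Human Error and Data Exposure" would run over transcripts of pause/resume recordings. The proxy class, the gateway stub, the token string and every packet are constructed for the example.

```python
import re
import struct

# Assumptions for this example: DTMF arrives out of band as RFC 4733 telephone-event packets
# on dynamic payload type 101 (as negotiated in SDP); speech is G.711 PCMU (static PT 0).
TELEPHONE_EVENT_PT = 101
PCMU_PT = 0
DTMF_EVENTS = "0123456789*#ABCD"  # RFC 4733 event codes 0..15
PCMU_SILENCE = b"\xff" * 160      # one 20 ms frame of mu-law silence
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators

def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Minimal RTP packet: 12-byte header (V=2, no padding/extension/CSRC) + payload."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(pkt):
    """Return (payload_type, seq, timestamp, ssrc, payload) for a minimal header."""
    _v, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return b1 & 0x7F, seq, ts, ssrc, pkt[12:]

def telephone_event(digit, end, duration):
    """RFC 4733 payload: event(8) | E(1) R(1) volume(6) | duration(16)."""
    return struct.pack("!BBH", DTMF_EVENTS.index(digit), (0x80 if end else 0) | 10, duration)

def luhn_ok(digits):
    """Luhn check used by card schemes; the QA scan relies on it to cut false positives."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def mask_pan(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]  # PCI-DSS display masking: first 6 / last 4

def find_pans(text):
    """QA scan for transcripts or agent-side text: Luhn-valid 13-19 digit runs."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

class DtmfMaskingProxy:
    """Sits between the customer leg and the agent/recorder leg while the call is in secure mode."""

    def __init__(self, gateway):
        self.gateway = gateway      # callable(pan) -> token; stand-in for the real gateway API
        self.digits = ""
        self.seen_end_ts = set()    # RFC 4733 end packets are repeated with the same timestamp
        self.agent_leg = []         # packets forwarded to the agent and the recorder
        self.agent_display = None   # what the agent desktop shows after capture

    def on_packet(self, pkt):
        pt, seq, ts, ssrc, payload = parse_rtp(pkt)
        if pt != TELEPHONE_EVENT_PT:
            self.agent_leg.append(pkt)          # speech passes through unchanged
            return
        # Suppress the tone: forward silence with the same seq/ts so the recording stays continuous
        self.agent_leg.append(build_rtp(PCMU_PT, seq, ts, ssrc, PCMU_SILENCE))
        event, flags, _dur = struct.unpack("!BBH", payload[:4])
        if not flags & 0x80 or ts in self.seen_end_ts or event >= len(DTMF_EVENTS):
            return                              # start/continuation, duplicate end, or unknown event
        self.seen_end_ts.add(ts)
        digit = DTMF_EVENTS[event]
        if digit == "#":
            pan, self.digits = self.digits, ""
            if 13 <= len(pan) <= 19 and luhn_ok(pan):
                self.agent_display = f"{mask_pan(pan)} {self.gateway(pan)}"  # only the gateway gets the PAN
            else:
                self.agent_display = "invalid card number, ask the customer to re-enter"
        elif digit.isdigit():
            self.digits += digit

def customer_stream(pan):
    """Constructed customer-leg RTP: speech, the PAN keyed as DTMF, '#', then more speech."""
    pkts, seq, ts, ssrc = [], 1000, 160000, 0xC0FFEE
    for d in "sss" + pan + "#sss":              # 's' stands for one 20 ms speech frame
        if d == "s":
            pkts.append(build_rtp(PCMU_PT, seq, ts, ssrc, b"\x55" * 160))
            seq, ts = seq + 1, ts + 160
        else:                                   # start packet, then the end packet three times
            events = [telephone_event(d, False, 160)] + [telephone_event(d, True, 800)] * 3
            for i, ev in enumerate(events):
                pkts.append(build_rtp(TELEPHONE_EVENT_PT, seq + i, ts, ssrc, ev, marker=(i == 0)))
            seq, ts = seq + len(events), ts + 1600
    return pkts

def run_demo(pan="4111111111111111"):
    """Push a constructed call through the proxy and report what each party ended up with."""
    received = []
    def gateway(p):
        received.append(p)
        return "tok_demo_0001"
    proxy = DtmfMaskingProxy(gateway)
    stream = customer_stream(pan)
    for pkt in stream:
        proxy.on_packet(pkt)
    # Digits a recorder downstream of the proxy could still recover from DTMF end packets
    leaked = "".join(DTMF_EVENTS[p[12]] for p in proxy.agent_leg
                     if parse_rtp(p)[0] == TELEPHONE_EVENT_PT and p[13] & 0x80)
    return {"gateway_pans": received, "agent_display": proxy.agent_display,
            "agent_leg_count": len(proxy.agent_leg), "input_count": len(stream),
            "agent_leg_digits": leaked, "leak_scan": find_pans(proxy.agent_display or "")}
```

`run_demo()` returns the full card number only in `gateway_pans`; the agent-side leg contains the same number of packets as the customer leg but no telephone events, and the agent display fails the same `find_pans` scan that would flag a transcript such as "card number is 4111 1111 1111 1111" from a recording where the pause was missed. The example handles only out-of-band DTMF; tones carried in the audio itself would additionally need an in-band detector in the same position, which is why DTMF handling is normally pinned to out-of-band signalling at the SIP trunk.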


The Correct, Complete and Compliant Solution

With Agent Assisted Payments, customers can securely enter their card details using their telephone keypad. DTMF suppression is applied to the keypad presses, ensuring no sensitive information enters the organisation’s systems, or appears on the call recording.


As well as suppressing the payment data during a transaction, Agent Assisted Payments also offers alternative capture methods that keep card data out of the organisation's environment in the same way:

Agent Digital

For customers who prefer not to enter card details by phone, Agent Digital delivers a PCI-compliant payment link via text or email. This enables customers to pay on their own device. Card data never enters the contact centre, removing the need for pause and resume recording and reducing exposure across desktops, telephony and internal systems.
This method also supports 3-D Secure 2 (3DS2), so the card issuer can authenticate the person making the payment. For transactions that authenticate successfully, liability for fraud-related chargebacks shifts to the issuer; chargebacks arising from service or delivery disputes are not affected.
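As an added example (not Key IVR's Agent Digital implementation), this Python shows one way to build the kind of payment link described above so that the text or email itself carries no cardholder data: the link holds only a payment reference, amount, currency and expiry, is HMAC-signed so the recipient cannot change the amount, and is single-use so a forwarded or replayed link is rejected. The endpoint, the field names, the secret and the order references are hypothetical; 3DS2 would run on the hosted payment page the link opens and is not modelled here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical names for this example; not Key IVR's API or link format.
PAY_ENDPOINT = "https://pay.example.invalid/p"
LINK_TTL_SECONDS = 15 * 60

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret, body):
    return _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def make_payment_link(secret, order_ref, amount_minor, currency, now):
    """Build a signed, expiring, single-use link. The payload carries only a payment
    reference, amount and currency; card data is collected on the hosted page,
    so the SMS or email itself never contains cardholder data."""
    claims = {"ref": order_ref, "amt": amount_minor, "cur": currency,
              "exp": now + LINK_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{PAY_ENDPOINT}?{urlencode({'t': body + '.' + _sign(secret, body)})}"

class PaymentLinkVerifier:
    """Server side: accept a link only if it is authentic, unexpired and unused."""

    def __init__(self, secret):
        self.secret = secret
        self.redeemed = set()   # nonces already used; a real deployment keeps this in a shared store

    def verify(self, url, now):
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        body, _, sig = token.rpartition(".")
        if not body:
            return {"ok": False, "reason": "malformed token", "claims": None}
        # Check the MAC before parsing anything: tampering with ref, amount or expiry fails here
        if not hmac.compare_digest(sig, _sign(self.secret, body)):
            return {"ok": False, "reason": "bad signature", "claims": None}
        claims = json.loads(_unb64(body))
        if now > claims["exp"]:
            return {"ok": False, "reason": "link expired", "claims": claims}
        if claims["nonce"] in self.redeemed:
            return {"ok": False, "reason": "link already used", "claims": claims}
        self.redeemed.add(claims["nonce"])
        return {"ok": True, "reason": "", "claims": claims}

def tamper_amount(url, new_amount_minor):
    """Simulate a recipient editing the amount in the link while keeping the original signature."""
    token = parse_qs(urlparse(url).query)["t"][0]
    body, _, sig = token.rpartition(".")
    claims = json.loads(_unb64(body))
    claims["amt"] = new_amount_minor
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{PAY_ENDPOINT}?{urlencode({'t': body + '.' + sig})}"
```

The signature is checked with a constant-time comparison before the payload is parsed, so a link with an edited amount is rejected as "bad signature" rather than being interpreted; the nonce set is what stops the same link being paid twice, and in production it must be shared across all verifying servers.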

Voice Capture

Another option is for customers to speak their account and card details. The spoken details are kept out of the agent's audio and the call recording, so agents never hear them and those systems stay out of PCI-DSS scope. The process is powered by Key IVR's AI Automatic Speech Recognition engine.

 

What are the Benefits of Removing Card Data from Call Recordings?

Stronger PCI-DSS Compliance

Removing sensitive card data from call recordings helps organisations achieve best practice call centre PCI-DSS compliance and reduces regulatory risk.

Fully Compliant Call Recording

Calls can be safely recorded from start to finish without exposing sensitive payment information.

Lower Fraud Risk

Agents never see or hear card details, reducing the risk of insider fraud or accidental data exposure.

Better Customer Trust

Secure payment methods improve customer confidence and strengthen long-term trust (source: Science Direct).

 

Ensuring Best Practice PCI-DSS Compliance in the Contact Centre and Call Centre

Achieving call centre PCI-DSS compliance requires more than simply pausing or stopping recordings. While stop/start methods can remove card data from call recordings, they do not go far enough to fully eliminate exposure to internal systems or agents.

The most reliable approach is to prevent sensitive payment information from entering the contact centre and the wider organisation at all. It costs more to implement, but it reduces scope and mitigates the risk far more comprehensively than pausing the recorder.

For organisations handling phone payments, removing card data entirely through secure payment technologies is the most effective way to ensure long-term call centre PCI-DSS compliance and avoid costly regulatory breaches.
If you’d like to know more about how Key IVR can help your contact centre or call centre implement a secure, PCI-DSS compliant telephone payment solution, contact us at +44 (0) 1302 513 000 or email sales@keyivr.com.
