How to descope your contact centre

Reduce the risk of card fraud and achieve PCI compliance, without sacrificing the customer experience

Or continue reading below….


Contact centres play a crucial role in presenting an organisation in a professional and trustworthy way. This not only comes across in how agents or customer service representatives (CSRs) communicate, but also the tools they use in their day-to-day role.

No matter what channel they use to talk to customers, it’s important that agents are able to securely process card payments over the phone, web chat, email or a support ticket. However, asking customers to read out their card details over the phone or type into customer communications tools (like a webchat service), places their sensitive cardholder data (CHD) at risk of fraud and data breaches from eavesdroppers, call recordings, compromised software and other cyberattacks.

Organisation’s can spend on average $3.86 million (about £2.9 million) recovering from a data breach, according to Ponemon Institute’s Cost of a Data Breach Report 2020, with long-term reputational damage and the risk of it happening again once a vulnerability has been discovered.

The Payment Card Industry Data Security Standard (or PCI DSS) is a widely recognised industry standard that outlines how organisations can process payments in a highly secure way, assessing all areas of risk within your corporate network.

What is PCI DSS?

The security standard started in December 15, 2004 by Visa, Mastercard, American Express, Discover and JCB who formed the Payment Card Industry Security Council (PCI SSC) in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI).

If your organisation accepts, processes, stores or transmits card payments, the chances are you’ve heard of the Payment Card Industry Data Security Standard (or PCI DSS as it is commonly known).

But what is PCI DSS?

It’s your responsibility to ensure that your customers’ payment data, such as sensitive card numbers and other forms of “Sensitive Authentication Data” (SAD) are safeguarded, free from exposure from contact centre agents, fraudulent attacks (internal and external) and other security breaches.

By achieving PCI compliance and adhering to the comprehensive requirements of PCI DSS your organisation can be confident that you are improving the safety of your customer’s data and the way payments are processed.

What areas are in scope or at risk?

The PCI Security Standards Council’s Quick Reference Guide says, “The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in, or connected, to cardholder data.”

Understanding what it means to be “in-scope” is a vital step for efficiently removing the risk from within the contact centre environment. Any person, system or piece of technology that has the ability to access sensitive cardholder information is at risk of a breach if not secured correctly.

In the contact centre environment, this could include:

  • Call centre staff, including agents and Customer service representatives (CSRs)
  • Laptop, PCs or any devices used by agents – provided by the company or if they’re using their own to connect to the corporate network
  • Telephony systems (Regardless of technology – Analogue, IP PBX, Cloud-based or on-site)
  • Call recording systems – including any Pause and Resume solutions (manual or automated)
  • IT networks that are used to process, transmit or store payment details
  • Network connections to the contact centre – including the connections from agents or CSR’s working from home or other remote locations
  • Databases or file storage locations (could be a complex SQL database, or a simple Excel)
  • Third-Party systems used to manage customer details, talk to customers or capture payment information

The bottom line is, anything used to take payments are all in-scope for compliance and should be reviewed as part of the 12 PCI-DSS requirements.

How do I make my contact centre PCI DSS compliant?

There are a number of measures an organisation could consider for their contact centre environment, to help achieve PCI-DSS compliance. These include a “clean room”, where agents have no access to personal belongings, or any way of recording the payment details they hear. You can also increase security and monitoring to high-risk areas that are storing the payment information, reducing the risk of unauthorised access.

The most effective way to achieve PCI-DSS compliance is to stop card data from entering the corporate network altogether. If the details are never transmitted or stored in the first place, they cannot be stolen or used maliciously.

Descoping your contact centre

By working with a Payment Services Provider, like Key IVR, we can help “descope” your contact centre environment.

We connect to your gateway or acquirer to help process payments securely over the phone, webchat, email or via a support ticket. The sensitive cardholder data is processed securely on your behalf to PCI-DSS Level 1, and no payment details ever reach your network, devices or contact centre agents.

We provide live dashboards that show non-sensitive information, allowing agents to stay in conversation and follow along with the customer as they are making a payment – with the ability to assist if there’s an issue.

Our services work with all telephony services (analogue, IP PBX or VoIP based) and we integrate with all major gateway providers.

Although PCI DSS is not a legal requirement, it is mandatory if your organisation wishes to process transactions with the major card schemes. Here are some of the potential drawbacks and penalties that could occur if you do not maintain PCI compliance:

  • Fines and penalties ranging from £3,000 to £6,000
  • Lost confidence, so customers go to other merchants
  • Diminished sales
  • Cost of reissuing new payment cards
  • Data breaches and fraud losses
  • Legal costs, settlements and judgments
  • Termination of ability to accept payment cards
  • Lost jobs (CISO, CIO, CEO and dependent professional positions)
  • Going out of business
  • Higher subsequent costs of compliance

If you experience a data breach as a result of non-compliance with PCI-DSS, you could also face investigation from the Information Commissioners Office (ICO) around your organisation’s compliance with the General Data Protection Regulation (GDPR), which has the possibility of resulting in huge fines from up to €20m (approximately £17.5 million) or 4% of turnover, whichever is greater.

DTMF masking and suppression

As agents talk to customers over the phone, they can ask the customer to enter their card details using their telephone keypad rather than say them out loud. DTMF masking (often called DTMF suppression) replaces the tones or converts the two pitches into a single flat tone to ensure they cannot be decrypted by a hacker or from within the organisation network. This helps organisations obtain PCI compliance whilst continuing to take payments over the phone and record their calls.

The process is handled by our Agent Assisted Payment service powered by our PCI-DSS Level 1 certified payment platform. No sensitive card details reach your corporate network and your contact centre and agents stay completely out of scope, drastically reducing the risk of card fraud for your organisation.

Request a free scoping call

Let us help you reduce serious security risks within your contact centre with our PCI-DSS compliant services. We work with you to design a solution that tackles your individual business challenges.

Request a scoping call with one of our payment specialists or contact us on +1 888 765 3109 or email

Submit your details and a payment specialist will be in touch.

Mark Kelly

Chief Commercial Officer (CCO) (UK) & VP International Sales (US)