Pause Recording for PCI Compliance


PCI Compliance in Telephone Call Recording: Essential UK Business Guidelines  

Credit/Debit card payments taken over the phone are subject to PCI DSS.

Secure Your Payment Gateway and Protect Cardholder Data in 2025 

Credit and debit card payments processed over the phone require strict adherence to PCI DSS compliance standards in the UK. Proper security measures are essential whether you use a payment card terminal or take transaction details in a telephone conversation. 

Understanding PCI DSS: Origins and Purpose 

Visa, Mastercard, American Express, Discover and JCB International formed the PCI Security Standards Council (PCI SSC) in 2006 to own and develop the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements intended to protect against fraud and data breaches across all payment channels. 

These standards are particularly critical when recording telephone calls where credit and debit card payments are processed, as they ensure sensitive cardholder data remains secure throughout the transaction. 

Critical PCI DSS 4.0 Updates for UK Businesses 

PCI DSS v4.0 was published in March 2022 and, since v3.2.1 was retired on 31 March 2024, it is the only version against which UK businesses can be assessed; its remaining future-dated requirements became mandatory on 31 March 2025. Organisations recording telephone conversations that involve Mastercard, Visa and other payment card transactions must adapt their telephone payment systems to these enhanced security requirements. 

New Technology Requirements 

The latest PCI compliance guidelines now encompass: 

  • Networks connected to environments handling cardholder data, even if not directly involved in payment processing 
  • Enhanced network segmentation to maintain compliance and protect sensitive data 

Vidicode UK provides essential segmentation solutions to help your business maintain PCI compliance in the UK while recording calls. 

Essential PCI DSS UK 4.0 Requirements for Telephone Payment Processing 

To comply with PCI DSS 4.0 when recording telephone conversations for payment processing, you must: 

  • Protect cardholder data by encrypting stored recordings and masking sensitive information during calls 
  • Limit access to sensitive data, using Multi Factor Authentication (MFA) so that only authorised personnel can handle cardholder information 
  • Implement robust security measures, including firewalls, intrusion detection systems and other controls, to safeguard recording systems 
  • Document security policies and procedures for handling, storing and managing sensitive payment card information 

PCI DSS 4.0 allows organisations to adopt a more customised approach to security, but in return they must provide more robust documentation and validation to prove that their controls are effective. Doing so helps protect your customers' sensitive information and minimises the risk of fraud and data breaches.

Industries Requiring PCI Compliance for Telephone Payments 

PCI DSS compliance applies to all businesses handling payment card information, regardless of: 

  • Transaction volume 
  • Payment method (telephone, online, in-person) 
  • Industry sector 

Key Sectors Affected By PCI Include: 

  • Travel & Transport: Processing holiday bookings and reservations over the phone 
  • Leisure & Entertainment: Handling betting transactions in the gaming industry 
  • Retail & E-commerce: Managing payments via telephone, websites, and mobile apps 
  • Healthcare: Processing payments for medical services and subscriptions 
  • Financial Services: Handling insurance payments and financial product purchases 
  • Hospitality: Taking room bookings and restaurant reservations with deposits 
  • Utilities: Processing bill payments and service subscriptions over the phone 

“NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.”  Everton Stuart, MD 

Why PCI Compliance Matters and How It Affects Your Business 

The consequences of non-compliance with PCI DSS can be severe: 

  • Fines and penalties: Businesses can face significant fines from card schemes for failing to comply, potentially ranging from £3,500 to £250,000 per month 
  • Loss of ability to process payments: Non-compliant companies can be excluded from card acceptance programs and placed on the Terminated Merchant File (TMF), which is effectively a blacklist 
  • Reputational damage: A data breach can erode customer trust and damage your brand’s reputation, leading to loss of business and long-term revenue impacts 

Achieving PCI compliance for call recording protects your business operations and customers’ sensitive information. 

Dispelling Common PCI Misconceptions 

Achieving PCI compliance is more complex than purchasing an off-the-shelf solution. Compliance hinges not on the call recording solution but on its deployment and integration within existing processes and systems, making each case unique. 

Common approaches that fall short of PCI Compliance include: 

  • Password protecting call recorders 
  • Encrypting the recordings: the PAN may be retained if it is encrypted, but sensitive authentication data (the CVV/CVC security code, PIN and full track data) must not be retained after authorisation at all, even in encrypted form 
  • Audio masking applied after the call: the sensitive data still passes through, and is held by, the recording system while it is processed 
  • Cloud-based telephone systems with “free” call recording that cannot pause during payment processing 

Some cloud-based telephone systems that include free call recording may not be able to pause recording during a call. If customers request their calls, the process of downloading from cloud storage may be non-compliant. Vidicode UK mitigates this problem with encrypted, secure storage in the cloud for as long as the customer requires. 

How Vidicode UK helps you achieve PCI Compliance  

Secure Payment Processing Technologies 

Some voice recording solutions also require expensive add-ons such as CTI and TAPI licences to provide the PCI pause-recording feature. That is not the case at Vidicode UK, where our Apresa call recording system gives users a choice of the following FREE options to ensure PCI compliance.

  • Manual DTMF: Protects cardholder data by masking it during input 
  • PC Application: Automatically ensures sensitive information is excluded 
  • Payment Page App Detection: Recognises when payment information is entered and takes appropriate actions 
  • Payment Page App URL: Identifies secure URLs during transactions and masks sensitive data
  • Recording API: Link the recorder to your payment systems and CRM via APIs, so recording is paused and resumed by the system that knows when card data is being taken 

To ensure greater security and protection of any credit/debit card information stored, the Vidicode Apresa also includes:

  • Comprehensive audit trails: Easily search and track recordings to ensure compliance 
  • Fingerprinting & encryption: Ensures the integrity and confidentiality of recordings 
  • Authenticated, restrictive user access: Limits access to sensitive recordings to authorised personnel only 
  • Multi Factor Authentication (MFA): Often referred to as two-factor authentication (2FA), this is an added security measure that requires users to present additional proof of identity before they are granted access to an account or recording 

Additional improvements include Voice Crunch AI Speech Analytics, which monitors keywords and phrases to identify payment card information disclosed during recorded conversations.

To see more about

PCI DSS 4.0 Critical Requirements for Call Recording 

The PCI Security Standards Council establishes specific requirements for businesses handling payment card information during recorded telephone conversations: 

  • Masking or removal of sensitive information: Masking or removing card data from recordings, including card numbers and expiry dates; the security code (CSC/CVV/CVC/CVN) must never be retained after authorisation, even in encrypted form 
  • Strict access controls: Implementing robust restrictions to ensure only authorised personnel can review recordings containing payment information 
  • Secure network infrastructure: Utilising advanced security measures like firewalls and intrusion detection systems 
  • Documented policies and procedures: Establishing detailed guidelines for handling sensitive payment information 
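The keyword-and-phrase monitoring mentioned above and the masking requirement in this list can be illustrated with a transcript redactor. The following Python is an added example, not Vidicode code and not part of the Apresa or Voice Crunch products: it finds digit runs that pass the Luhn check (which every branded card number satisfies), masks them to the first six and last four digits (the display limit that PCI DSS Requirement 3.4 permits), and removes security codes outright, because sensitive authentication data must not be kept at all. The sample transcript, cue words and output format are constructed for the example.

```python
import re

# Luhn check: the mod-10 checksum every branded card PAN satisfies.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# because callers read cards out in groups and transcripts keep the spacing.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security code spoken after a cue word. PCI DSS forbids retaining it after
# authorisation, so it is removed rather than masked. Cue words are assumed.
CSC_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc|cvn|security code)\b\D{0,20}?(\d{3,4})\b")


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the PCI DSS Req 3.4 display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_transcript(text: str) -> dict:
    """Mask Luhn-valid PANs and strip security codes from a transcript."""
    pans = []

    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # phone number, order reference etc.: leave it
        pans.append(digits)
        return mask_pan(digits)

    redacted = PAN_RE.sub(pan_sub, text)

    csc_count = 0

    def csc_sub(m):
        nonlocal csc_count
        csc_count += 1
        return m.group(1) + " [REMOVED]"

    redacted = CSC_RE.sub(csc_sub, redacted)
    return {"text": redacted, "pans_masked": len(pans), "csc_removed": csc_count}


# Constructed sample transcript; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE = (
    "Agent: can I take the long number please? "
    "Caller: 4111 1111 1111 1111, expiry 12/27, the security code is 123. "
    "Agent: thank you. Caller: my phone is 0203 488 1498 if you need it."
)

if __name__ == "__main__":
    print(redact_transcript(SAMPLE))
```

A redactor like this is a detective control run over transcripts or stored recordings after the fact. It does not replace pausing the recorder or DTMF masking, since the card data has already entered the recording system before it is found; the point of the pause-and-resume options above is to keep it out in the first place.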

PCI DSS Compliance Levels for UK Businesses 

PCI Compliance is categorised into four levels based on transaction volumes over 12 months: 

  • Level 1: Over 6 million Visa/Mastercard transactions 
  • Level 2: 1-6 million Visa/Mastercard transactions 
  • Level 3: 20,000-1 million Visa/Mastercard e-commerce transactions 
  • Level 4: Fewer than 20,000 Visa/Mastercard e-commerce transactions, or up to 1 million Visa/Mastercard transactions across all channels 

PCI DSS Compliance Requirements  

Level 1 merchants require an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance, plus quarterly external network scans by an Approved Scanning Vendor (ASV).   

Levels 2-4 complete an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV network scans. Your acquirer assigns your level and may impose stricter requirements.  

Reducing PCI DSS Compliance Scope with Modern Payment Solutions 

Implementing specialised payment solutions like Agent Assisted Payments can help significantly reduce the scope of your PCI DSS compliance requirements. By keeping cardholder data out of your contact centre environment, these solutions minimise: 

  • The number of systems subject to PCI DSS requirements 
  • The complexity of your SAQ (Self-Assessment Questionnaire) 
  • The time and resources needed for compliance maintenance 
  • The potential points of vulnerability in your payment process 

Using PCI-compliant payment methods substantially reduces the time, cost, and resources required to complete PCI DSS Self-Assessment Questionnaires. 

Serious Consequences of PCI Non-Compliance in the UK 

  • Monthly fines ranging from £3,500 to £250,000 
  • Withdrawal of merchant services, impacting revenue streams 
  • Loss of customer trust and confidence in data security 

Get Expert PCI Compliance Assistance 

For more information on Apresa’s FREE PCI DSS feature call 0203 4881498 or email enquiries@vidicodeuk.com

See how we helped home shopping channel JML with their PCI compliance in this

UK PCI DSS Compliance Glossary: Essential Terms Explained 

PCI DSS: Payment Card Industry Data Security Standard. The compliance standard for card payments  

SAQ C-VT: Self-Assessment Questionnaire C for businesses using virtual payment terminals 

PAN:   Primary Account Number. The 12-to-19-digit credit or debit card number  

CVV:   Card Verification Value. The 3-digit security code on the back of a Visa or Mastercard card (4 digits on the front of an American Express card). This is sensitive authentication data and must never be stored after authorisation  

CSC: Card Security Code. Another name for the same security code  

CVN: Card Verification Number. Another name for the same security code  

CVC:   Card Verification Code. Another name for the same security code  

CNP:   Card Not Present. Where the physical credit or debit card is not present on a phone call  

DTMF:  Dual-Tone Multi-Frequency. The tones generated by pressing keys on a phone keypad. Used to mask card data: the caller keys the digits instead of reading them out, and the tones are suppressed from the agent's audio and from the recording   

CTI:    Computer Telephony Integration. The linking of a phone system with a computer system  

TAPI:   Telephony Application Programming Interface. Communicates information from a phone system, for example, by viewing data on incoming calls or indicating the status of extensions  
