Pause Recording for PCI Compliance

PCI Compliance in Telephone Call Recording: Essential UK Business Guidelines  

Secure Your Payment Gateway and Protect Cardholder Data in 2025 

Credit and debit card payments processed over the phone require strict adherence to PCI DSS compliance standards in the UK. Proper security measures are essential whether you use a payment card terminal or take transaction details in a telephone conversation. 

Understanding PCI DSS: Origins and Purpose 

Visa, Mastercard, American Express, Discover, and JCB International formed the Payment Card Industry Data Security Standard (PCI DSS). Together, they formed the PCI Security Standards Council (PCI SSC) to develop comprehensive security standards to protect against fraud and data breaches across all payment channels. 

These standards are particularly critical when recording telephone calls where credit and debit card payments are processed, as they ensure sensitive cardholder data remains secure throughout the transaction. 

Critical PCI DSS 4.0 Updates for UK Businesses 

With the launch of PCI DSS 4.0 in March 2024, UK businesses must adapt their telephone payment systems to meet enhanced security requirements. These latest standards are essential for organisations recording telephone conversations that involve Mastercard, Visa, and other payment card transactions. 

New Technology Requirements 

The latest PCI compliance guidelines now encompass: 

• VoIP and SIP technologies, including SIP trunks controlling call redirection 

• Networks connected to environments handling cardholder data, even if not directly involved in payment processing 

• Enhanced network segmentation to maintain compliance and protect sensitive data 

Vidicode UK provides essential segmentation solutions to help your business maintain PCI compliance in the UK while recording calls. 

Essential PCI DSS UK 4.0 Requirements for Telephone Payment Processing 

To comply with PCI DSS 4.0 when recording telephone conversations for payment processing, you must: 

• Protect cardholder data through encryption and masking sensitive information during calls 

• Limit access to sensitive data through Multi Factor Authentication (MFA) which is crucial and ensures only authorised personnel handle cardholder information.    

• Implement robust security measures including firewalls, intrusion detection systems, and other controls to safeguard recording systems
• Comprehensive documentation of security policies and procedures for handling, storing, and managing sensitive payment card information 

PCI 4.0 allows organisations to adopt a more customised approach to security they will need to provide more robust documentation and validation to prove their controls are effective. Doing so can help protect your customer’s sensitive information and minimise the risk of fraud and data breaches.

Industries Requiring PCI Compliance for Telephone Payments 

PCI DSS compliance applies to all businesses handling payment card information, regardless of: 

• Transaction volume 

• Payment method (telephone, online, in-person) 

• Industry sector 

Key Sectors Affected By PCI Include: 

• Travel & Transport: Processing holiday bookings and reservations over the phone 

• Leisure & Entertainment: Handling betting transactions in the gaming industry 

• Retail & E-commerce: Managing payments via telephone, websites, and mobile apps 

• Healthcare: Processing payments for medical services and subscriptions 

• Financial Services: Handling insurance payments and financial product purchases 

• Hospitality: Taking room bookings and restaurant reservations with deposits 

• Utilities: Processing bill payments and service subscriptions over the phone 

“NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.”  Everton Stuart, MD 

Why PCI Compliance Matters and How It Affects Your Business 

The consequences of non-compliance with PCI DSS can be severe: 

• Fines and penalties: Businesses can face significant fines from card schemes for failing to comply, potentially ranging from £3,500 to £250,000 per month 

• Loss of ability to process payments: Non-compliant companies can be excluded from card acceptance programs and placed on the Terminated Merchant File (TMF), which is effectively a blacklist 

• Reputational damage: A data breach can erode customer trust and damage your brand’s reputation, leading to loss of business and long-term revenue impacts 

Achieving PCI compliance for call recording protects your business operations and customers’ sensitive information. 

Dispelling Common PCI Misconceptions 

Achieving PCI compliance is more complex than purchasing an off-the-shelf solution. Compliance hinges not on the call recording solution but on its deployment and integration within existing processes and systems, making each case unique. 

Common approaches that fall short of PCI Compliance include: 

• Password protecting call recorders 
• Encryption (only PAN can be retained encrypted, not sensitive authentication data) 
• Audio masking (retains sensitive data during processing) 
• Cloud-based telephone systems with “free” call recording that cannot pause during payment processing 

Some cloud-based telephone systems that include free call recording may not be able to pause recording during a call. If customers request their calls, the process of downloading from cloud storage may be non-compliant. Vidicode UK mitigates this problem with encrypted, secure storage in the cloud for as long as the customer requires. 

How Vidicode UK helps you achieve PCI Compliance  

Secure Payment Processing Technologies 

Some voice recording solutions also require expensive add-ons such as CTI and TAPI licenses to facilitate the PCI pause recording feature. That’s not the case at Vidicode UK, where our Apresa call recording system provides users with a choice of four FREE options to ensure PCI compliance.

• Manual DTMF: Protects cardholder data by masking it during input 
• PC Application: Automatically ensures sensitive information is excluded 
• Payment Page App Detection: Recognises when payment information is entered and takes appropriate actions 
• Payment Page App URL: Identifies secure URLs during transactions and masks sensitive data
• Recording API : Link the recorder to your payment systems & CRM via API’s 

To ensure greater security and protection of any credit/debit card information stored, the Vidicode Apresa also includes.

• Comprehensive audit trails: Easily search and track recordings to ensure compliance 
• Fingerprinting & encryption: Ensures the integrity and confidentiality of recordings 
• Authenticated, restrictive user access: Limits access to sensitive recordings to authorised personnel only 
• Multi Factor Authentication (MFA): Often referred to as two-factor authentication (2FA), is an added security measure that presents users with additional barriers to entry before granting access to a given account or asset. 

Additional improvements include Voice Crunch AI Speech Analytics, which monitors keywords and phrases to identify payment card information disclosed during recorded conversations.

To see more about Apresa

PCI DSS 4.0 Critical Requirements for Call Recording 

The PCI Security Standards Council establishes specific requirements for businesses handling payment card information during recorded telephone conversations: 

• Encryption of sensitive information: Masking or removing credit card data, including card numbers, expiry dates, and security codes (CSV/CVV/CVC/CVN) 

• Strict access controls: Implementing robust restrictions to ensure only authorised personnel can review recordings containing payment information 

• Secure network infrastructure: Utilising advanced security measures like firewalls and intrusion detection systems 

• Documented policies and procedures: Establishing detailed guidelines for handling sensitive payment information 

PCI DSS Compliance Levels for UK Businesses 

PCI Compliance is categorised into four levels based on transaction volumes over 12 months: 

• Level 1: Over 6 million Visa/Mastercard transactions 
• Level 2: 1-6 million Visa/Mastercard transactions 
• Level 3: 20,000-1 million Visa/Mastercard e-commerce transactions 
• Level 4: Less than 20,000 Visa/Mastercard e-commerce transactions or up to 1 million Visa/Mastercard transactions 

PCI DSS Compliance Requirements  

Level 1 companies require yearly on-site reviews and network scans.   

Levels 2-4 complete annual self-assessment questionnaires and quarterly network scans.  

Reducing PCI DSS Compliance Scope with Modern Payment Solutions 

Implementing specialised payment solutions like Agent Assisted Payments can help significantly reduce the scope of your PCI DSS compliance requirements. By keeping cardholder data out of your contact centre environment, these solutions minimise: 

• The number of systems subject to PCI DSS requirements 

• The complexity of your SAQ (Self-Assessment Questionnaire) 

• The time and resources needed for compliance maintenance 

• The potential points of vulnerability in your payment process 

Using PCI-compliant payment methods substantially reduces the time, cost, and resources required to complete PCI DSS Self-Assessment Questionnaires. 

Serious Consequences of PCI Non-Compliance in the UK 

• Monthly fines ranging from £3,500 to £250,000 
• Withdrawal of merchant services, impacting revenue streams 
• Loss of customer trust and confidence in data security 

Get Expert PCI Compliance Assistance 

For more information on Apresa’s FREE PCI DSS feature call 0203 4881498 or email enquiries@vidicodeuk.com

See how we helped home shopping channel JML with their PCI compliance in this Case Study

UK PCI DSS Compliance Glossary: Essential Terms Explained 

PCI DSS:  Payment Card Industry Data Security Standard. The compliance standard for card payments  

SAQ C-VT: Self-Assessment Questionnaire C for businesses using virtual payment terminals 

PAN:   Primary Account Number. The 12-to-19-digit credit or debit card number  

CVV:   Card Verification Value. The 3-digit security code on the back of the credit or debit card  

CSC:   Card Security Code. The 3-digit security code on the back of the credit or debit card  

CVN:   Card Verification Number. The 3-digit security code on the back of the credit or debit card  

CVC:   Card Verification Code. The 3-digit security code on the back of the credit or debit card  

CNP:   Card Not Present. Where the physical credit or debit card is not present on a phone call  

DTMF:  Dual-Tone Multi-Frequency. Tones that are generated on a phone keypad to mask   

CTI:    Computer telephony Integration. The linking of a phone system with a computer system  

TAPI:   Telephony Application Programming Interface. Communicates information from a phone system, for example, by viewing data on incoming calls or indicating the status of extensions  

Essential Resources for PCI Compliance 

• PCI 4.0 Resource Hub  

• Direct Marketing Association-PCI DSS Compliance as it relates to Call Recording      

• Multifactor Authentication  

• Small Business Guide to PCI Compliance 

• Secure Payment Gateway Implementation Guide