Secure Your Payment Gateway and Protect Cardholder Data in 2025
Credit and debit card payments processed over the phone require strict adherence to PCI DSS compliance standards in the UK. Proper security measures are essential whether you use a payment card terminal or take transaction details in a telephone conversation.
Understanding PCI DSS: Origins and Purpose
Visa, Mastercard, American Express, Discover, and JCB International created the Payment Card Industry Data Security Standard (PCI DSS). Together, they formed the PCI Security Standards Council (PCI SSC) to develop comprehensive security standards that protect against fraud and data breaches across all payment channels.
These standards are particularly critical when recording telephone calls where credit and debit card payments are processed, as they ensure sensitive cardholder data remains secure throughout the transaction.
Critical PCI DSS 4.0 Updates for UK Businesses
With the launch of PCI DSS 4.0 in March 2024, UK businesses must adapt their telephone payment systems to meet enhanced security requirements. These latest standards are essential for organisations recording telephone conversations that involve Mastercard, Visa, and other payment card transactions.
New Technology Requirements
The latest PCI compliance guidelines now encompass:
Vidicode UK provides essential segmentation solutions to help your business maintain PCI compliance in the UK while recording calls.
Essential PCI DSS UK 4.0 Requirements for Telephone Payment Processing
To comply with PCI DSS 4.0 when recording telephone conversations for payment processing, you must:
PCI DSS 4.0 allows organisations to adopt a more customised approach to security, but they will need to provide more robust documentation and validation to prove their controls are effective. Doing so can help protect your customers’ sensitive information and minimise the risk of fraud and data breaches.
Industries Requiring PCI Compliance for Telephone Payments
PCI DSS compliance applies to all businesses handling payment card information, regardless of:
Key Sectors Affected By PCI Include:
“NEVER physically write down any credit card information unless you explicitly do so as part of your business processes.” Everton Stuart, MD
The consequences of non-compliance with PCI DSS can be severe:
Achieving PCI compliance for call recording protects your business operations and customers’ sensitive information.
Achieving PCI compliance is more complex than purchasing an off-the-shelf solution. Compliance hinges not on the call recording solution but on its deployment and integration within existing processes and systems, making each case unique.
Common approaches that fall short of PCI Compliance include:
Some cloud-based telephone systems that include free call recording may not be able to pause recording during a call. If customers request their calls, the process of downloading from cloud storage may be non-compliant. Vidicode UK mitigates this problem with encrypted, secure storage in the cloud for as long as the customer requires.
Secure Payment Processing Technologies
Some voice recording solutions also require expensive add-ons such as CTI and TAPI licenses to facilitate the PCI pause recording feature. That’s not the case at Vidicode UK, where our Apresa call recording system provides users with a choice of four FREE options to ensure PCI compliance.
To ensure greater security and protection of any credit/debit card information stored, the Vidicode Apresa also includes:
Additional improvements include Voice Crunch AI Speech Analytics, which monitors keywords and phrases to identify payment card information disclosed during recorded conversations.
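As an added illustration of the kind of check such analytics perform (this is example code written for this page, not Vidicode's Voice Crunch implementation), the script below scans constructed transcript lines for 12-to-19-digit runs, confirms each with the Luhn checksum so that order references are not mistaken for a PAN, masks confirmed PANs down to the last four digits, and flags lines where a security code was probably spoken. The transcript format and the keyword list are assumptions.

```python
import re

# Constructed sample transcript (not real card data; 4111 1111 1111 1111 is a
# widely published Luhn-valid test number, not an issued card).
SAMPLE_TRANSCRIPT = [
    "Agent: can I take the long number on the front of the card?",
    "Caller: sure, it's 4111 1111 1111 1111",
    "Agent: and the expiry, then the three digits on the back?",
    "Caller: 12/27, and the code is 123",
    "Agent: order reference is 1234 5678 9012 for your records",
]

# 12 to 19 digits, optionally separated by spaces or dashes as read out by a caller.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")
# Assumed phrases that suggest a CVV/CSC is being requested; CSC must never be stored.
CSC_HINT = re.compile(r"\b(three digits|security code|cvv|cvc|csc|cvn)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> tuple[str, int]:
    """Mask each Luhn-valid 12-19 digit run, keeping only the last four digits."""
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # looks like a PAN but is not one (e.g. an order number)
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_mask, text), count


def scan_transcript(lines):
    """Return the redacted transcript and (line number, finding) pairs."""
    redacted, findings = [], []
    for n, line in enumerate(lines, 1):
        clean, pans = redact_pan(line)
        redacted.append(clean)
        if pans:
            findings.append((n, "PAN"))
        if CSC_HINT.search(line):
            findings.append((n, "CSC_HINT"))
    return redacted, findings
```

Findings of type PAN point to recordings that should have been paused, while CSC_HINT lines need review because a security code may be on the recording even though no digit run was matched.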
PCI DSS 4.0 Critical Requirements for Call Recording
The PCI Security Standards Council establishes specific requirements for businesses handling payment card information during recorded telephone conversations:
PCI Compliance is categorised into four levels based on transaction volumes over 12 months:
PCI DSS Compliance Requirements
Level 1 companies require yearly on-site reviews and network scans.
Levels 2-4 complete annual self-assessment questionnaires and quarterly network scans.
Reducing PCI DSS Compliance Scope with Modern Payment Solutions
Implementing specialised payment solutions like Agent Assisted Payments can help significantly reduce the scope of your PCI DSS compliance requirements. By keeping cardholder data out of your contact centre environment, these solutions minimise:
Using PCI-compliant payment methods substantially reduces the time, cost, and resources required to complete PCI DSS Self-Assessment Questionnaires.
See how we helped home shopping channel JML with their PCI compliance in this
UK PCI DSS Compliance Glossary: Essential Terms Explained
PCI DSS: Payment Card Industry Data Security Standard. The compliance standard for card payments
SAQ C-VT: Self-Assessment Questionnaire C for businesses using virtual payment terminals
PAN: Primary Account Number. The 12-to-19-digit credit or debit card number
CVV: Card Verification Value. The 3-digit security code on the back of the credit or debit card
CSC: Card Security Code. The 3-digit security code on the back of the credit or debit card
CVN: Card Verification Number. The 3-digit security code on the back of the credit or debit card
CVC: Card Verification Code. The 3-digit security code on the back of the credit or debit card
CNP: Card Not Present. Where the physical credit or debit card is not present on a phone call
DTMF: Dual-Tone Multi-Frequency. Tones that are generated on a phone keypad to mask
CTI: Computer Telephony Integration. The linking of a phone system with a computer system
TAPI: Telephony Application Programming Interface. Communicates information from a phone system, for example, by viewing data on incoming calls or indicating the status of extensions
Essential Resources for PCI Compliance