Call center PCI compliance is one of the most complex areas of PCI DSS compliance because the problem originates in a channel that was never designed for card data security: the telephone. Every time an agent hears a customer's card number, that agent, their workstation, the call recording system and the entire telephone infrastructure enter the CDE perimeter. Well-defined technical solutions exist to eliminate this problem without sacrificing the customer experience.
The PCI problem in the call center: the agent who hears the PAN
In MOTO (Mail Order / Telephone Order) payments, the customer verbally communicates the card number to the agent, who enters it into the payment system. This simple scheme creates a massive compliance problem: the agent has direct access to the PAN, the call recording system captures it in plain text, and any system connected to the agent's workstation falls within the CDE. The perimeter to be certified becomes the entire call center.
PCI DSS requirements for a call center handling PANs include physical controls on workstations (no personal phones, no pen and paper), granular access policies, continuous session monitoring, and precise rules on audio recording. Prohibiting call recording during the phase when the PAN is communicated is a requirement, but it is technically difficult to implement reliably without dedicated solutions.
DTMF and IVR: the two technical solutions for telephone payments
The most effective solution for removing the PAN from the agent interaction is DTMF (Dual-Tone Multi-Frequency). With this technology, when it is time to pay, the customer enters the card number using the telephone keypad instead of communicating it verbally. The DTMF tones are captured directly by the telephony system and sent to the tokenisation vault, without ever passing through the audio the agent hears. The call center is removed from PCI scope.
The second solution is IVR (Interactive Voice Response): an automated system that manages the entire payment collection phase without human intervention. The customer is temporarily transferred to the IVR system, enters the card data, and is then reconnected to the agent to complete the assistance. Both solutions can be integrated with PCI Proxy EU via standard APIs compatible with leading telephony and contact-center-as-a-service systems.
How PCI Proxy EU removes the call center from PCI scope
The integration of PCI Proxy EU into the MOTO flow works as follows: when the agent initiates a transaction, the system generates a secure payment session. The customer enters the card number via DTMF or IVR; the tones are intercepted and sent directly to the PCI Proxy EU vault, which returns a token. The agent sees only the token in their interface: they never have access to the real PAN.
The practical result is that the call center, agent workstations, call recording systems and telephone infrastructure all leave the PCI DSS perimeter. Only the PCI Proxy EU vault, which is certified PCI DSS Level 1, remains in scope. For the business, this means less documentation, fewer controls and lower compliance costs, while retaining the same capacity to accept telephone payments.
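The flow described above, modelled end to end as an added example that is not PCI Proxy EU's code or API: a constructed call event stream is fed to a telephony-side DTMF capture that diverts keypad digits to a stand-in vault, mutes them on the audio path, and hands the agent only a token; a final check confirms that nothing outside the vault carries a PAN. The event names, the vault class and the token format are assumptions.

```python
import re
import secrets
import string

# Constructed call event stream (not a real capture): ("speech", text) is audio the agent and
# recorder normally hear, ("session", "open") is the agent starting the payment session,
# ("dtmf", key) is a key the customer pressed on the telephone keypad.
CALL_EVENTS = [
    ("speech", "agent: opening the payment session, please key in your card number and press #"),
    ("session", "open"),
    *[("dtmf", d) for d in "4111111111111111"],   # well-known test PAN, constructed input
    ("dtmf", "#"),
    ("speech", "agent: thank you, the payment has gone through"),
]
PAN_RE = re.compile(r"\d{13,19}")   # PAN-like digit run, used only by the scope check

class TokenVault:
    """Stand-in vault (an assumption, not the PCI Proxy EU API): the only holder of the PAN."""
    def __init__(self):
        self._pans = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._pans[token] = pan
        return token

    def detokenise(self, token: str) -> str:   # only the in-scope vault can do this
        return self._pans[token]

def process_call(events, vault):
    """Telephony-side DTMF capture: while the payment session is open, keypad digits are
    diverted to the vault and muted on the audio path; the agent receives only a token."""
    recorder, digits, token, capturing = [], [], None, False
    for kind, payload in events:
        if kind == "session":
            capturing = payload == "open"
        elif kind == "dtmf" and capturing and payload == "#":   # customer finished entry
            pan = "".join(digits)
            token = vault.tokenise(pan) if pan.isdigit() and 13 <= len(pan) <= 19 else None
            digits, capturing = [], False
        elif kind == "dtmf" and capturing:
            digits.append(payload)
            recorder.append("<tone suppressed>")   # the digit never reaches the recorder
        else:
            recorder.append(payload)               # speech, or keypad use outside payment
    return {"recorder": recorder, "agent_view": {"token": token}}

def outside_vault_is_clean(result) -> bool:
    """True when nothing the recorder or the agent received carries a PAN-like digit run."""
    outside = " ".join(result["recorder"]) + " " + repr(result["agent_view"])
    return PAN_RE.search(outside) is None
```

Keypad presses made before the agent opens the session (menu navigation, for instance) pass through to the recording unchanged, which is the behaviour a real capture window must preserve.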
Frequently asked questions
Is call recording always prohibited in the PCI scope?
It is not prohibited outright, but PCI DSS requires that sensitive authentication data (including the CVV and track data) never be recorded, not even as audio. If the recording captures the moment when the customer communicates the card number, that recording is out of compliance. With DTMF, the tones are removed from the audio stream before they reach the recorder, so the whole call can be recorded and remain compliant.
Does DTMF work with freephone numbers?
Yes. DTMF is a telephony signalling standard compatible with any telephone infrastructure, including freephone numbers and VoIP systems. Implementation requires the telephony provider to decode the DTMF tones and pass them to the PCI Proxy EU system. Most modern contact-center-as-a-service solutions support this natively.
How long does it take to integrate a DTMF solution?
Timescales vary with the existing telephone infrastructure. In a cloud contact center environment (such as Genesys, Twilio or Amazon Connect), integration with PCI Proxy EU typically takes 2 to 4 weeks from development through testing to go-live. On legacy on-premises telephony systems, timescales may extend to 2–3 months because of the integration complexity.
Want to eliminate PCI risk from your call center's telephone payments? Discover PCI Proxy EU.