PCI DSS 4.0 has been mandatory since March 2025. If your business takes card payments by phone, pay-by-link or web — or you run a UK contact centre that handles card data — this checklist helps you work out exactly what's required and where your gaps are likely to be.
PCI DSS 4.0 became the only valid version of the standard in March 2025. If you're still working to an older framework, you're already out of step — and your next QSA assessment will reflect that.
Card data captured over the phone has always been in scope for PCI DSS, but 4.0 tightens the rules around how you protect it during a call. DTMF masking, agent-assisted capture and pay-by-link each carry their own requirements.
Many businesses assume they qualify for a simple Self-Assessment Questionnaire. Whether you do — and which one — depends on how your cardholder data environment is structured. Getting it wrong means your compliance status may not hold up under scrutiny.
Actionable checks structured so you can work through them with your compliance lead, IT team or QSA — not just read once and file away.
If you'd rather walk through your compliance position with someone who knows the standard, book a call with our team. We work with UK contact centres and businesses taking phone payments every day.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.