A call centre taking card payments is one of the messier environments in the payments world. Card numbers arrive as spoken digits or keypad tones, they pass through agents' ears and screens, call recordings capture them by default, CRM tickets hold the conversation context, and quality assurance listens to all of it for training. Every one of those surfaces is a place where card data can leak, and every one of them shows up in a PCI DSS audit.
This guide walks through what actually causes the exposure, what the two main technical architectures do about it, where the common half-measures fall down, and what to look at when you're choosing a vendor. For the sector view, see our contact centres page; for foundational PCI background, the PCI compliance levels post is a sensible companion read.
Key takeaways
- Call centre payment exposure comes from multiple surfaces at once — audio, recordings, screens, CRM, agent memory. A fix that only covers one of them isn't a fix.
- The two real architectural answers are DTMF suppression (mask the keypad tones) and Channel Separation (route the payment on a separate audio channel).
- Pause-and-resume recording is common, widely used, and widely broken in practice. Agents forget, and every missed pause leaves a full card number (and, if the customer read it out, the security code) sitting in a stored recording: that recording is then in PCI DSS scope, and storing the security code after authorisation is prohibited outright.
- Keeping card data out of your environment entirely moves you from SAQ D to SAQ A (329 questions against 22 in the SAQ version these figures come from; the exact counts move between PCI DSS versions, the gap does not). That's the real commercial argument.
- Staff training matters as much as technology — agents have to understand why they can't write card numbers on a sticky note.
Where the exposure actually comes from
It's worth being precise about the surfaces, because vendors often sell a fix for one of them and call the job done.
Audio. The most obvious one. When a customer reads out their card number, the agent hears it, and if the call is recorded, so does anyone with access to the recording — QA staff, training teams, sometimes marketing analytics, occasionally whoever's left the recordings on a shared drive.
Call recordings. Even if agents never repeat the number, the recording itself is the card data. Call recording systems back up by default. Back-ups replicate to cold storage. Every copy is in PCI DSS scope until it's deleted — which is rarely done cleanly.
Agent screens. The customer's PAN might be typed into a web form, a CRM field, or pasted into a note. The desktop then sits in scope, often joined to a domain, often backed up, often screen-recorded for QA.
CRM records. Card data leaks into case notes, email threads and customer history. PCI DSS is specific about what may be kept: a truncated PAN (the last four digits) and the expiry date are permitted, a full PAN may only be stored if it is rendered unreadable, and sensitive authentication data (the CVV/CVC, PIN or full track data) must never be stored after authorisation. Most teams don't know these rules and their CRM doesn't enforce them, so a full PAN or a security code typed into a free-text note sits there until an assessor, or an attacker, finds it.
Agent memory and habit. This one's easy to underestimate. Agents who handle hundreds of card payments a week develop routines. A sticky note with "card on file" next to a customer name. A spreadsheet tracking recurring payments. These are the incidents that end up in breach reports.
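The CRM and transcript surfaces above are the ones you can actually sweep for. The following is an added example, not Paytia's code and not part of the original page: it scans constructed CRM notes and transcript lines for anything shaped like a card number, confirms candidates with the Luhn check so invoice and reference numbers are not flagged, flags labelled security codes (which may never be stored after authorisation), and produces a copy that keeps only what PCI DSS permits. The sample records, the label list and the 13-19 digit range are assumptions for the demonstration.

```python
"""Added example (not Paytia's code): find card data left in free text."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (an 11-digit phone number never matches).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value introduced by a CVV/CVC-style label (assumed label list).
CVV_LABELLED = re.compile(
    r"(\b(?:cvv|cvc|cv2|security code)\b\D{0,10})(\d{3,4})(?!\d)", re.IGNORECASE)

# Constructed sample records: (source, free text). Card numbers are the
# public Visa/Mastercard test numbers, not real accounts.
RECORDS = [
    ("crm", "Invoice 1234567890123456 queried; card on file 4111 1111 1111 1111 "
            "exp 12/27 cvv 123, customer happy to keep it for renewals"),
    ("transcript", "agent: reading that back, 5555-5555-5555-4444, security code 737"),
    ("crm", "Refund issued to card ending 4444, gateway ref PAY-000321"),
]


def luhn_ok(digits):
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Render a PAN the way it may be stored: last four only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Luhn-valid 13-19 digit runs in `text`, reported masked with their spans."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append({"masked": mask(digits), "span": m.span()})
    return hits


def find_cvvs(text):
    """Labelled security codes, returned as positions only, never the value."""
    return [m.span(2) for m in CVV_LABELLED.finditer(text)]


def redact(text):
    """Safe-to-store copy: PANs truncated to the last four, security codes removed."""
    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "**** " + digits[-4:] if luhn_ok(digits) else m.group()
    text = PAN_CANDIDATE.sub(pan_sub, text)
    return CVV_LABELLED.sub(r"\1[removed]", text)


def audit(records=RECORDS):
    """One finding per record that holds a full PAN or a stored security code."""
    findings = []
    for idx, (source, text) in enumerate(records):
        pans, cvvs = find_pans(text), find_cvvs(text)
        if pans or cvvs:
            findings.append({"record": idx, "source": source,
                             "pans": [p["masked"] for p in pans],
                             "cvv_count": len(cvvs)})
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f)
    print(redact(RECORDS[0][1]))
```

The Luhn step is what keeps this usable: roughly one in ten random digit runs passes it, so the 16-digit invoice number above is not reported, while both test card numbers are. Run the scanner over CRM exports and transcript stores before an assessment, and treat every hit as data that must either be deleted or truncated as `redact` does.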
DTMF suppression and Channel Separation
Two architectures do real work here, and they solve slightly different shapes of the same problem.
DTMF suppression keeps the call on one audio channel but intercepts and masks the keypad tones as they're sent. The agent hears flat noise or a placeholder sound instead of the actual digits. The recording captures the masked audio, not the card. The masking has to sit upstream of both the agent's endpoint and the recorder: the digits are decoded on the payment leg and never exist as audio downstream of that point. Agents stay on the call throughout, which is the key advantage: the conversation doesn't break, and training is minimal because the customer experience barely changes.
Channel Separation splits the call. During the payment step, the customer is temporarily moved onto a separate audio channel that goes to Paytia rather than to the agent. A voice assistant guides them through entering the card. Once the payment is done, the call rejoins. The agent is aware of the split but doesn't hear any of it. This is the architecture that gives you the cleanest PCI scope — the card audio literally doesn't pass through your systems at any point.
Which one fits depends on your telephony setup, your agent training tolerance, and how much of your business runs through recorded calls. We've put together a side-by-side comparison if you're weighing them up.
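To make the DTMF suppression mechanism concrete, here is an added toy model of the detector/masker stage, written for this page and not Paytia's product code. Every 20 ms frame of the inbound audio is tested for the two-tone DTMF signature using the Goertzel algorithm; frames that carry a digit, or that look like the edge of one, are zeroed on the leg that goes to the agent and the recorder, while the decoded digits only ever exist on the payment leg. The audio is synthesised in the block (a low tone stands in for speech), the 8 kHz rate and the energy-fraction thresholds are assumptions, and a real product also handles twist, inter-digit timing and non-DTMF speech far more carefully.

```python
"""Added example (not Paytia's code): frame-level DTMF detection and masking."""
import math

SAMPLE_RATE = 8000
FRAME = 160                        # 20 ms at 8 kHz
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # KEYPAD[low_row][high_col]
CLEAN_FRACTION = 0.35   # each tone carries >= 35 % of frame energy: a clean digit (assumed)
SUSPECT_FRACTION = 0.1  # DTMF-like but not clean (tone edge, overlap): mask anyway (assumed)


def tone_fraction(frame, freq):
    """Share of the frame's mean-square energy due to a sinusoid at `freq`.

    Goertzel recurrence evaluated at the exact target frequency; the
    recovered amplitude A has mean-square A^2/2, so a pure tone gives ~1.0.
    """
    n = len(frame)
    mean_square = sum(x * x for x in frame) / n
    if mean_square == 0.0:
        return 0.0
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2      # |DTFT at freq|^2
    amplitude = 2.0 * math.sqrt(power) / n
    return (amplitude * amplitude / 2.0) / mean_square


def classify_frame(frame):
    """('digit', key) | ('suspect', None) | ('clear', None)."""
    low, f_low = max(((f, tone_fraction(frame, f)) for f in LOW_FREQS), key=lambda p: p[1])
    high, f_high = max(((f, tone_fraction(frame, f)) for f in HIGH_FREQS), key=lambda p: p[1])
    if f_low >= CLEAN_FRACTION and f_high >= CLEAN_FRACTION:
        return "digit", KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]
    if f_low + f_high >= SUSPECT_FRACTION:
        return "suspect", None                 # fail safe: unclear frames never pass through
    return "clear", None


def suppress(samples):
    """Split one inbound stream into (agent/recorder audio, keyed digits, masked frames)."""
    agent_audio, digits, masked, last = [], [], 0, None
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[i:i + FRAME]
        kind, key = classify_frame(frame)
        if kind == "clear":
            agent_audio.extend(frame)
            last = None                        # silence or speech ends the key press
            continue
        agent_audio.extend([0.0] * FRAME)      # digit and suspect frames never reach the agent
        masked += 1
        if kind == "digit" and key != last:    # consecutive frames of one key = one press
            digits.append(key)
            last = key
    return agent_audio, "".join(digits), masked


def dtmf(key, ms):
    """Synthesise one key press (constructed test audio)."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    col = KEYPAD[row].index(key)
    return [0.5 * math.sin(2 * math.pi * LOW_FREQS[row] * t / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * HIGH_FREQS[col] * t / SAMPLE_RATE)
            for t in range(SAMPLE_RATE * ms // 1000)]


def speech(ms, freq=300):
    """Stand-in for talk on the line: a single low tone (constructed)."""
    return [0.4 * math.sin(2 * math.pi * freq * t / SAMPLE_RATE)
            for t in range(SAMPLE_RATE * ms // 1000)]


def demo():
    """Customer talks, keys 4-1-1-1 (70 ms presses, 50 ms gaps), talks again."""
    stream = speech(200)
    for key in "4111":
        stream += dtmf(key, 70) + [0.0] * (SAMPLE_RATE * 50 // 1000)
    stream += speech(200)
    audio, digits, masked = suppress(stream)
    return {"stream": stream, "agent_audio": audio, "digits": digits, "masked_frames": masked}


if __name__ == "__main__":
    r = demo()
    print("payment leg received:", r["digits"], "| frames masked on agent leg:", r["masked_frames"])
```

The 70 ms presses deliberately do not line up with the 20 ms frames, so each press ends in a frame that is half tone and half silence. That frame is not a clean digit, but it is masked all the same: the design choice worth copying is that anything the detector is unsure about is dropped on the agent leg rather than passed through, which is the fail-safe behaviour to ask a vendor about.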
Why pause-and-resume isn't the answer most people think it is
The common half-measure in call centres that haven't moved to DTMF suppression or Channel Separation yet is pause-and-resume recording. The agent hits a button on their desktop at the start of the payment step, the call recording stops, the customer reads their card, the agent hits another button, recording resumes.
On paper, the card isn't in the recording. In practice, the card is in the agent's ears, in the agent's memory if they write it down, and on the CRM screen while they key it in. The recording is one surface, not the whole story.
The other problem is that agents forget. We've seen internal audits where 4-7% of payment calls have the pause missing entirely and the full card number sitting in the recording. At that failure rate, the control isn't working, and the PCI assessor will say so. Pause-and-resume looks cheap until you're explaining to your auditor why the last 18 months of call recordings need to be quarantined and reviewed.
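Finding that failure rate in your own estate is a reconciliation exercise: join the gateway's payment attempts to the recorder's pause/resume events and check, per call, whether a pause was actually in place while the card was being read. The following is an added example written for this page, not Paytia's code; the events are constructed, and the 45-second card-entry window before authorisation is an assumption to adjust to your own call scripts.

```python
"""Added example (not Paytia's code): pause-and-resume coverage audit."""
from datetime import datetime, timedelta

ENTRY_WINDOW = timedelta(seconds=45)   # assumed: card is read/keyed within 45 s before auth

# Constructed recorder events: (call_id, ISO timestamp, "pause" | "resume").
RECORDER = [
    ("c1", "2024-05-01T09:00:10", "pause"), ("c1", "2024-05-01T09:01:30", "resume"),
    ("c2", "2024-05-01T09:04:50", "pause"), ("c2", "2024-05-01T09:05:50", "resume"),
    ("c3", "2024-05-01T09:10:40", "pause"), ("c3", "2024-05-01T09:11:20", "resume"),
    ("c5", "2024-05-01T09:20:00", "pause"),            # resume never logged
]
# Constructed gateway events: (call_id, ISO timestamp of the authorisation request).
GATEWAY = [
    ("c1", "2024-05-01T09:01:05"), ("c2", "2024-05-01T09:05:40"),
    ("c3", "2024-05-01T09:10:55"), ("c4", "2024-05-01T09:15:30"),
    ("c5", "2024-05-01T09:20:50"),
]


def pause_intervals(events):
    """Per call, the [pause, resume] windows; an unmatched pause runs open-ended."""
    windows, open_pause = {}, {}
    for call, ts, kind in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if kind == "pause":
            open_pause[call] = t
        elif kind == "resume" and call in open_pause:
            windows.setdefault(call, []).append((open_pause.pop(call), t))
    for call, start in open_pause.items():
        windows.setdefault(call, []).append((start, datetime.max))
    return windows


def coverage(auth_ts, windows):
    """'covered' only if a pause began before card entry and held past authorisation."""
    auth = datetime.fromisoformat(auth_ts)
    if not windows:
        return "no_pause"
    for start, end in windows:
        if start <= auth - ENTRY_WINDOW and end >= auth:
            return "covered"
    return "late_or_short_pause"          # pause pressed after the customer started reading


def audit(recorder=RECORDER, gateway=GATEWAY):
    """Per-call status plus the share of payment calls whose recording holds card audio."""
    windows = pause_intervals(recorder)
    status = {call: coverage(ts, windows.get(call, [])) for call, ts in gateway}
    exposed = sum(1 for s in status.values() if s != "covered")
    return {"status": status, "exposed_rate": exposed / len(status)}


if __name__ == "__main__":
    result = audit()
    for call, s in result["status"].items():
        print(call, s)
    print("exposed rate:", result["exposed_rate"])
```

Two of the five sample calls come out exposed: one with no pause at all, one where the agent pressed pause fifteen seconds before authorisation, after the customer had already started reading. The call with a pause but no logged resume counts as covered for card exposure, but it is a different defect (the rest of that call was never recorded) that the same join surfaces for free. Every call reported as exposed is a recording that has to be located, quarantined and reviewed.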
PCI DSS scope — where the real cost lives
The commercial argument for getting card data out of your call centre entirely is not about risk appetite, it's about audit scope. PCI DSS has different Self-Assessment Questionnaires depending on how card data flows through your business.
SAQ D — the one you end up on when card data touches your systems. 329 questions in the SAQ version these figures come from (the count moves between PCI DSS versions; the shape does not). Covers network segmentation, vulnerability scanning, physical access controls, logical access controls, annual pen testing, and ongoing evidence collection for all of the above. Typical external QSA engagement costs £25,000–£80,000 a year on top of the internal effort.
SAQ A — the one you reach when card data never enters your environment. 22 questions in that same version. Mostly about ensuring you're using a compliant provider and, for e-commerce, that your website can't be tampered with to redirect to a fake payment form; for a call centre the equivalent question is whether any card data can reach your telephony, desktops or recordings. Internal effort is a tiny fraction of SAQ D, and the external audit cost often drops to near zero.
That's the actual return on descoping. It's not "more secure" in an abstract sense; it's a smaller, cheaper, more tractable compliance footprint.
What to look for in a vendor
A few things worth checking directly rather than taking on trust from the brochure.
Where does the card audio actually go? With DTMF suppression, the tones must be masked before they reach either the agent's endpoint or your recording system, not after. "We mark the audio as masked in the recording" isn't masking. With Channel Separation, the customer's audio during the payment step must leave your telephony completely; if it's still passing through your SBC, your SBC is in scope.
What's the vendor's own PCI certification? PCI DSS Level 1 Service Provider is the bar, and the evidence is a current Attestation of Compliance (AOC) naming the service you're buying, not a logo on the website. Anything less and you're still doing the audit heavy lifting yourself.
What happens if the masking fails mid-call? Good vendors fail safe — they'll drop or redact rather than pass card audio through in plain. Ask for the documented failure mode.
How does it handle the customer experience when something goes wrong? A failed card, a wrong digit, a customer who needs to start again. The flow has to handle these without falling back to "read it out to the agent, we'll key it in ourselves."
What's in the audit trail? Timestamped entries for every payment attempt, success or failure, with enough detail to reconstruct what happened months later. The agent's identity, the amount, the outcome, the reference codes from your gateway. Never the PAN itself: a token or the last four at most, or the audit trail becomes one more in-scope store.
Frequently asked questions
What's the difference between DTMF masking and DTMF suppression?
They're the same thing in practice — both describe a technology that prevents the agent from hearing the keypad tones when a customer enters their card. "Suppression" is the more technically accurate term; "masking" is the one that's stuck in the industry vocabulary. Paytia's product is branded DTMF Suppression; customers often call it masking. Both refer to the same mechanism.
Do agents stay on the call during the payment?
With DTMF Suppression, yes — the call stays continuous and the agent can still talk the customer through each step, they just can't hear the digits. With Channel Separation, the agent stays connected to the call but the customer is temporarily routed elsewhere for the payment itself. In both cases the conversation resumes naturally once the payment is done.
Will this affect the quality of call recording for QA?
QA still works fine — the recording captures everything except the payment step. For most call centres that's actually an improvement, because QA teams were either dealing with a gap in the recording already (via pause-and-resume) or quietly ignoring PCI rules about who may access recordings that contain card data. With a proper architecture, QA sees the full call minus the payment, which is exactly what they need.
How long does this take to deploy?
Depends on your setup. A straightforward SIP trunk integration is usually a few days of configuration and testing. If you're integrating with a contact centre platform, wiring into a CRM, or rolling out across multiple sites with different telephony vendors, it's longer. We scope the timeline with you up front.
What about remote and work-from-home agents?
This is where DTMF Suppression and Channel Separation pay for themselves twice. Pause-and-resume in a home office relies on an agent who may not have the IT setup, the privacy, or the discipline to do it consistently. A technical masking architecture doesn't depend on agent behaviour, so remote agents are no more exposed than office-based ones.
If you'd like to see how the flow looks for your specific setup, get in touch — we'll talk through your telephony, your recording, and where the cleanest answer lies.