The regulatory landscape for telephone payments in the United Kingdom is shifting more rapidly than at any point in the past decade. Businesses that collect card payments over the phone — whether through contact centres, small office teams, or individual agents — face a convergence of new requirements from multiple regulators, each with different objectives but overlapping consequences for how payments are handled, recorded, and secured.
This article examines the key regulatory changes taking effect in 2026 and what they mean in practice for any organisation that processes telephone payments. From the full enforcement of PCI DSS 4.0.1 to the Financial Conduct Authority's Consumer Duty obligations, and from GDPR's increasingly strict position on call recordings to the emerging challenge of AI-generated voice fraud, the compliance picture is becoming significantly more complex.
PCI DSS 4.0.1: The Compliance Deadline That Changes Everything
The Payment Card Industry Data Security Standard version 4.0.1 became mandatory on 31 March 2025, replacing the previous version 3.2.1 that had been in effect since 2018. While 2025 marked the formal transition date, many of the standard's most demanding requirements were designated as "future-dated" — meaning they became enforceable from 31 March 2025 onwards. For organisations that delayed their preparations, 2026 represents the first full year of compliance under the new regime, and the first year in which assessors will expect complete adherence to every requirement.
What has changed for telephone payments
PCI DSS 4.0.1 introduces several changes that directly affect how businesses handle card data during phone calls. The most significant shift is the emphasis on a "customised approach" to compliance, which allows organisations to meet security objectives through alternative methods rather than following prescriptive controls. In theory, this provides flexibility. In practice, it demands a deeper understanding of risk and more rigorous documentation.
Requirement 3, which governs the protection of stored account data, has been substantially expanded. For telephone payment environments, this means that any system that could potentially capture or retain card data — including call recording platforms, CRM systems, screen recording tools, and telephony infrastructure — must be explicitly assessed and documented within the organisation's cardholder data environment. The days of assuming that a system is out of scope simply because it was not designed to store card data are over.
Requirement 8 now mandates multi-factor authentication for all access to the cardholder data environment, not just remote access. For contact centre agents who access payment systems, this means additional authentication steps that must be integrated into daily workflows without creating unacceptable delays for customers waiting on the line.
Perhaps most critically for telephone payment environments, Requirement 12.3.2 requires organisations to perform a targeted risk analysis for each PCI DSS requirement where flexibility is exercised. Every control that differs from the defined approach must be supported by a formal risk assessment demonstrating that the alternative provides at least equivalent security. For businesses relying on bespoke telephone payment processes, this creates a significant documentation burden.
The practical impact
The net effect of PCI DSS 4.0.1 for telephone payments is clear: maintaining card data within your telephony environment has become substantially more expensive and complex. Organisations that previously managed compliance through careful scoping and compensating controls now face a higher bar. The most effective response — and the one recommended by Qualified Security Assessors across the industry — is to remove card data from the telephone environment entirely.
Technologies such as DTMF masking achieve exactly this. By allowing customers to enter their card details using their telephone keypad while suppressing the tones so that they cannot be heard or recorded, DTMF masking removes card data from the call, the recording, the agent, and the telephony infrastructure simultaneously. The result is a dramatically reduced PCI scope and a far simpler path to compliance under the new standard.
FCA Consumer Duty: A New Standard for Payment Experiences
The Financial Conduct Authority's Consumer Duty, which came into force for new and existing products in July 2023 and extended to closed products in July 2024, represents the most significant shift in UK financial regulation in over a decade. While it does not specifically target telephone payments, its principles have profound implications for how payment processes are designed and operated.
The four outcomes that matter
Consumer Duty is built around four outcomes: products and services, price and value, consumer understanding, and consumer support. Each of these intersects with telephone payment processes in ways that many businesses have not yet fully considered.
The consumer support outcome requires that customers can contact firms through the same channels used for purchasing. If a customer purchased a product or service over the phone, they must be able to get support and make payments through that same channel without undue friction. This directly challenges the practice of forcing telephone customers to complete payments through a different channel — such as redirecting them to a website — simply because it is easier for the business to manage compliance.
The consumer understanding outcome requires that communications about payment processes are clear and not misleading. When a customer is asked to enter card details during a phone call, they must understand what is happening to their data, how it is being protected, and what their rights are. Vague reassurances about security are insufficient; firms must provide clear, specific information.
The price and value outcome has implications for surcharges and fees associated with different payment methods. If a business imposes additional costs for telephone payments compared to online payments, it must be able to demonstrate that this pricing is fair and provides reasonable value to the customer.
What the FCA expects in practice
The FCA has made clear that Consumer Duty is not a box-ticking exercise. Firms are expected to continuously monitor customer outcomes and take action when those outcomes fall short. For telephone payment processes, this means tracking metrics such as payment completion rates, customer complaints related to payment experiences, average handling times for payment calls, and instances where customers abandon calls during the payment stage.
Firms that identify problems — for example, a high rate of payment abandonment during telephone transactions — are expected to investigate the root cause and take remedial action. If the payment process itself is creating friction or confusion, Consumer Duty requires the firm to fix it, not simply document it.
GDPR and Call Recordings: The Tightening Grip
The General Data Protection Regulation has always had implications for call recordings that capture card payment data, but enforcement priorities and regulatory guidance have evolved significantly. The Information Commissioner's Office has become increasingly active in examining how businesses handle personal data within call recordings, and the intersection with payment card data creates a particularly high-risk area.
The dual classification problem
When a customer reads their card number aloud during a phone call and that call is recorded, the resulting audio file contains both personal data (under GDPR) and cardholder data (under PCI DSS). This dual classification creates overlapping and sometimes conflicting obligations. GDPR requires a lawful basis for processing the data and grants the data subject rights including erasure. PCI DSS requires that stored cardholder data be protected with specific technical controls and, in many cases, not stored at all.
The practical challenge is that many businesses record calls for quality assurance, training, dispute resolution, and regulatory compliance — all legitimate purposes under GDPR. However, if those recordings capture card numbers, CVV codes, or other sensitive authentication data, the business has inadvertently created a store of cardholder data that falls within PCI DSS scope and GDPR's enhanced protections for sensitive processing.
The ICO's evolving position
Recent ICO guidance has emphasised the principle of data minimisation — collecting only the personal data that is strictly necessary for the stated purpose. For call recordings, this raises a direct question: if the purpose of recording is quality assurance or training, is it necessary to record the portion of the call where card details are provided? In most cases, the answer is no.
The ICO has also reinforced the requirement for Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to individuals. Recording telephone payment conversations — where sensitive financial data is captured alongside personal identifiers — almost certainly meets this threshold. Businesses that have not conducted a DPIA for their telephone payment recording practices are exposed to regulatory action.
The solution: stop recording card data
The most effective way to resolve the tension between call recording requirements and data protection obligations is to ensure that card data never enters the recording in the first place. Pause-and-resume systems — where the recording is manually stopped before the customer provides card details and restarted afterwards — have been used historically, but they are unreliable and create compliance gaps when agents forget to pause or resume.
Automated solutions such as DTMF masking eliminate this problem entirely. Because the customer enters their card details via their keypad and the DTMF tones are suppressed before they reach the recording system, the call can be recorded continuously without ever capturing card data. This satisfies both GDPR's data minimisation principle and PCI DSS's restrictions on storing sensitive authentication data.
AI Voice Fraud: The Emerging Threat
Perhaps the most significant new challenge facing telephone payment security is the rapid advancement of AI-generated voice technology. What was a theoretical concern two years ago has become a practical threat that is already resulting in financial losses for businesses and consumers alike.
How AI voice fraud works
Modern AI voice cloning technology can create a convincing replica of a person's voice from as little as three seconds of audio. For telephone payment fraud, this capability opens several attack vectors. A fraudster could clone a customer's voice to authorise payments over the phone, particularly with businesses that use voice-based identity verification. They could impersonate a senior employee to instruct staff to process payments or change payment details — a sophisticated evolution of the "CEO fraud" attacks that have cost UK businesses hundreds of millions of pounds.
The technology is advancing at an extraordinary pace. Real-time voice conversion — where a fraudster speaks naturally and AI transforms their voice into that of the target in real time — is already commercially available. Detection tools exist but are engaged in an arms race with generation technology, and no detection system is currently reliable enough to be used as a sole security control.
Implications for telephone payment verification
Businesses that rely on voice-based verification for telephone payments — whether formal voice biometrics or informal recognition by agents who know regular customers — must reassess the security of these approaches. Voice alone can no longer be considered a reliable authentication factor.
This does not mean telephone payments are inherently insecure, but it does mean that the authentication model must evolve. Multi-factor approaches that combine something the caller knows (such as account details or security questions) with something they have (such as a registered mobile device for receiving one-time codes) provide substantially better protection than voice recognition alone.
How secure payment technology helps
Secure telephone payment solutions provide a critical layer of defence against AI voice fraud. When card details are entered via DTMF keypad tones rather than spoken aloud, the authenticity of the caller's voice becomes irrelevant to the payment transaction itself. The payment is authenticated through the card network's own verification processes — including 3D Secure where supported — rather than through any voice-based check.
This separation of the payment authentication from the voice channel is an increasingly important security principle. Even if a fraudster successfully impersonates a customer's voice to reach an agent, they cannot complete a payment without possessing the actual payment card and passing the card network's authentication requirements.
What Businesses Should Do Now
The convergence of PCI DSS 4.0.1 enforcement, FCA Consumer Duty obligations, GDPR scrutiny, and AI voice fraud threats creates an environment where inaction is the riskiest strategy of all. Here is a practical roadmap for businesses that process telephone payments.
Conduct a comprehensive scope assessment
Map every system, process, and person that comes into contact with card data during telephone transactions. Under PCI DSS 4.0.1, this assessment must be more thorough than ever, including systems that might incidentally capture card data — call recordings, screen captures, CRM notes, and workforce management tools. Document the scope and review it at least annually.
Evaluate your call recording practices
Review how call recordings are handled in relation to both PCI DSS and GDPR. If recordings contain card data, assess whether this is necessary and proportionate. Conduct or update your DPIA for telephone payment recording. Consider implementing technology that prevents card data from entering recordings in the first place.
Review your Consumer Duty compliance
Assess your telephone payment process against the four Consumer Duty outcomes. Are customers receiving clear information about how their payment data is handled? Is the payment process creating unnecessary friction or confusion? Are you monitoring customer outcomes and acting on the findings?
Address AI voice fraud risks
Review your authentication procedures for telephone transactions. If voice recognition — whether formal biometrics or informal agent recognition — plays a role in authorising payments, implement additional authentication factors. Train agents to be aware of voice cloning technology and establish procedures for verifying unusual or high-value payment requests through independent channels.
Consider descoping your telephone environment
The single most effective step a business can take is to remove card data from its telephone environment entirely. Solutions such as DTMF masking and secure payment links allow customers to provide their card details through secure channels that bypass the telephony infrastructure, the call recording, and the agent. This approach simultaneously addresses PCI DSS scope reduction, GDPR data minimisation, and protection against AI voice-based attacks.
The Regulatory Direction of Travel
Looking beyond 2026, the direction of travel is unmistakable. Regulators across all relevant domains — payment security, financial conduct, and data protection — are converging on a common theme: businesses should handle as little sensitive customer data as possible, and where handling is unavoidable, the protections must be robust, documented, and continuously monitored.
For telephone payments, this means the era of agents hearing and handling card details is drawing to a close. Not because regulators have banned it outright, but because the compliance burden of maintaining such practices is becoming prohibitive relative to the available alternatives. Businesses that invest in secure telephone payment technology now are not just meeting today's requirements — they are positioning themselves for a regulatory environment that will only become more demanding.
The organisations that will navigate this transition most successfully are those that view compliance not as a cost to be minimised but as an opportunity to build customer trust. When a business can tell its customers that their card details are never heard, seen, or recorded by any person or system during a telephone payment, that is a powerful message — one that regulators, customers, and business partners increasingly expect to hear.