UK businesses taking card payments over the phone operate at the intersection of several distinct regulatory frameworks. Each has its own requirements, its own enforcement body, and its own penalties for non-compliance. None of them are optional, and none of them can be addressed in isolation — the choices you make to satisfy one framework affect your obligations under the others.
The three main frameworks are PCI DSS (the payment card industry's own standard), FCA regulation (which governs payment services and consumer protection), and UK GDPR with the Data Protection Act 2018 (which governs how personal data — including payment data — is handled). On top of those, there are specific call recording rules and consumer protection legislation that apply to telephone transactions.
This guide works through each one and explains what they mean in practice for a business taking card payments over the phone.
Key takeaways
- UK businesses taking card payments by phone must comply with PCI DSS, FCA rules (where applicable), and GDPR.
- GDPR applies to payment card data — it's personal data, and a breach triggers GDPR notification obligations.
- Recording calls without consent is illegal in the UK — and recording card data compounds the compliance risk.
- The FCA doesn't regulate PCI DSS directly, but payment firms under FCA authorisation must maintain adequate security.
PCI DSS Requirements for Telephone Payments
PCI DSS is the foundational compliance requirement for card payments. It's set by the Payment Card Industry Security Standards Council, backed by the major card schemes, and enforced through your merchant agreement with your acquiring bank. Version 4.0.1, which became mandatory in March 2025, includes specific provisions for telephone payment environments.
The central issue for phone payments is where card data goes during a transaction. When a customer reads their card number to an agent, the data passes through your telephony system, your agent's workstation, and your payment processing infrastructure. Every system that touches that data — including call recording platforms — falls within your PCI cardholder data environment and must meet the relevant requirements.
PCI DSS 4.0.1 added explicit requirements around DTMF tones. If your telephony system logs raw audio including keypress tones, those logs may contain card data entered via keypad, and they must be treated under the same controls as other cardholder data. This catches out businesses that assumed keypress-based entry was automatically safe — it's only safe if the DTMF tones are actively suppressed before they can be captured.
The standard also addresses call recordings directly. Sensitive authentication data — including the CVV/CVC — must not be stored post-authorisation. If your call recordings capture a customer reading out their CVV, those recordings contain sensitive authentication data and must either have the CVV portion redacted or be handled under strict access and retention controls.
Which Self-Assessment Questionnaire you need to complete depends on how you handle card data. Businesses where agents take card numbers verbally and enter them into systems typically need SAQ D, which runs to around 329 requirements. Those that have moved to DTMF-based capture systems — where card digits go directly to a certified payment processor without passing through the agent or internal network — can often qualify for a shorter questionnaire, because their scope is genuinely reduced.
Financial Conduct Authority Regulation
The FCA's role in telephone payments depends on the nature of your business. If you're a payment service provider, an e-money institution, or an FCA-authorised firm offering financial services, you're directly regulated. If you're a retailer or service business accepting card payments, you're not directly regulated by the FCA — but you operate within a framework that the FCA shapes, through the payment institutions that process your transactions and through consumer protection law.
The Consumer Duty, which the FCA introduced in 2023, requires firms in financial services to deliver good outcomes for retail customers. For businesses in scope, this extends to the payment process: customers should understand what's happening when they pay, the process should be clear and fair, and there should be no unnecessary barriers or confusion.
Strong Customer Authentication is a direct FCA requirement under the Payment Services Regulations 2017. It mandates two-factor authentication for most electronic payments. MOTO transactions — telephone orders — carry a specific exemption, because the customer is initiating the payment in a live telephone conversation rather than through an electronic interface. But that exemption isn't a free pass: it comes with an expectation that other fraud controls are in place, and acquirers may impose their own requirements on top of the regulatory minimum.
For businesses selling financial products over the phone — insurance, credit, investments — additional FCA requirements apply. The sales conversation itself, including the payment stage, must meet the standards set in the relevant FCA sourcebooks. Payment processes for these businesses need to be reviewed against their specific FCA permissions and the applicable conduct rules.
UK GDPR and Data Protection
Card data is personal data. The card number, the cardholder name, the expiry date — all of these identify an individual and are subject to UK GDPR and the Data Protection Act 2018. The ICO enforces these rules and can issue fines of up to £17.5 million or 4% of global annual turnover for serious violations.
Data minimisation is the principle that you should only collect and hold what you genuinely need. For telephone payments, this means that card data should be used to process the transaction and not retained beyond what's necessary. If your call recording system is storing recordings containing spoken card numbers, you're retaining card data for the duration of those recordings — typically months or years. That requires a clear lawful basis, appropriate security controls, and a defensible data retention policy.
Purpose limitation means that data collected for one purpose shouldn't be used for another. Card details taken to process a payment shouldn't end up in marketing databases or used for analysis beyond fraud detection and transaction processing. This might seem obvious, but it's worth checking that your CRM, telephony platform, and any third-party tools you use don't inadvertently repurpose payment data.
Accountability under UK GDPR requires you to be able to demonstrate compliance — not just claim it. That means documented data flow maps showing where payment data goes, records of your processing activities, and data protection impact assessments for higher-risk processing. If the ICO investigates a complaint, documentary evidence of your compliance procedures matters significantly.
UK firms juggle FCA rules, GDPR and card scheme requirements as part of everyday payment compliance.
Third-party data processors — cloud platforms, telephony providers, call recording services — that handle personal data on your behalf must operate under data processing agreements that meet UK GDPR requirements. If your telephony provider stores call recordings containing card data, they're a data processor and need to be contracted accordingly.
Call Recording Rules
Businesses can record calls for legitimate business purposes under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, without seeking consent each time, provided they inform customers that calls may be recorded. The notification requirement is why "this call may be recorded for training and quality purposes" has become a fixture of business telephone systems.
When payment data is involved, the notification obligation becomes more pointed. A customer who's told their call may be recorded should understand what that means for their card details. Businesses that record calls routinely should consider whether their standard notification adequately describes what happens to payment data — and whether that's consistent with their UK GDPR transparency obligations.
The pause-and-resume approach — manually stopping the recording while the customer reads card details — is widely used but unreliable. When agents forget to pause, card details enter the recording archive. A single forgotten pause creates a compliance incident. Technical solutions that prevent card data from reaching the audio channel at all — such as DTMF masking, where the customer enters card digits via keypad and the tones are suppressed before they can be recorded — are more reliable than procedural controls that depend on agent behaviour.
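A forgotten pause only becomes a known incident if something checks the archive. The script below is an added example, not part of the original guide and not Paytia's own tooling: it scans call-recording transcripts and raw DTMF logs for cardholder data that should never have been captured, covering both the spoken-PAN case from the pause-and-resume discussion and the logged-keypress case from the PCI DSS section above. The transcript lines are constructed for the example, and the detection rules (13 to 19 digit runs that pass the Luhn check, plus a 3 or 4 digit code following a CVV/CVC label) are this example's own assumptions rather than anything the standard prescribes.

```python
"""Scan call-recording transcripts and DTMF logs for leaked cardholder data.

Added example: flags lines that contain a Luhn-valid PAN or a labelled CVV so
they can be redacted or quarantined before the recording enters the archive.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so timestamps and reference codes are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3-4 digit code shortly after a CVV/CVC label (assumed labelling convention).
CVV_RE = re.compile(r"\b(?:cvv|cvc|security code)\b\D{0,12}(\d{3,4})(?!\d)",
                    re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by card schemes for PAN validity."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return digit-only PAN candidates in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_line(text: str) -> str:
    """Mask Luhn-valid PANs to their last four digits and blank out CVV codes."""
    def mask_pan(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a card number: leave untouched

    def mask_cvv(m: re.Match) -> str:
        prefix = m.group(0)[: m.start(1) - m.start(0)]   # keep the label text
        return prefix + "***"

    text = PAN_RE.sub(mask_pan, text)
    return CVV_RE.sub(mask_cvv, text)


def scan_transcript(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_line) for every line holding card data."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if find_pans(line):
            findings.append((n, "PAN", redact_line(line)))
        if CVV_RE.search(line):
            findings.append((n, "CVV", redact_line(line)))
    return findings


# Constructed sample transcript: a correct pause, a forgotten pause, a raw
# DTMF keypress log, and an order reference that looks like a PAN but is not.
SAMPLE_LINES = [
    "[00:12] agent: this call may be recorded for training and quality purposes",
    "[01:03] agent: <recording paused>",
    "[01:40] agent: <recording resumed>",
    "[05:22] customer: the long number is 4111 1111 1111 1111",
    "[05:31] customer: and the CVV is 123",
    "[06:10] dtmf: 4242424242424242",
    "[07:02] agent: your order reference is 1234567890123456",
]

if __name__ == "__main__":
    for line_no, kind, redacted in scan_transcript(SAMPLE_LINES):
        print(f"line {line_no}: {kind} found -> {redacted}")
```

Run against the sample, the scan reports the spoken card number on line 4, the CVV on line 5 and the logged DTMF digits on line 6, while the order reference on line 7 is ignored because it fails Luhn. The Luhn filter is what keeps the noise down on real transcripts; without it, every long reference number becomes a false positive. A finding is the point at which the recording needs redaction or removal from the archive, and the count of findings over time is a useful measure of how often procedural controls such as pause-and-resume actually fail.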
Consumer Contracts and Payment Rights
The Consumer Contracts Regulations 2013 govern distance selling, including telephone orders. Before payment is taken, customers must receive clear information about the goods or services, the total price, any additional charges, and the cancellation rights that apply. These aren't just recommendations — they're legal requirements, and non-compliance can affect the enforceability of the contract and trigger regulatory action.
Cancellation rights for telephone orders depend on what's being sold. Goods ordered by phone typically carry a 14-day cooling-off period. Services may have different rules, and some categories — certain financial products, personalised goods, perishables — have exemptions. If you're taking telephone payments for a range of products or services, you need clear policies for each category and agents who understand what they're communicating to customers.
The Consumer Rights Act 2015 provides broader protection against unfair terms and trading practices. Telephone payment processes shouldn't include pressure tactics, misleading statements about security, or practices that create an unfair imbalance between the business and the customer. This overlaps with the FCA's Consumer Duty requirements for regulated businesses.
How These Requirements Connect
The overlapping nature of these frameworks means that a single decision — such as how to handle call recordings — has implications across multiple regulatory areas simultaneously. A call recording containing a card number is a PCI DSS problem (sensitive authentication data), a UK GDPR problem (personal data needing protection), and a practical call recording compliance problem (the customer was told calls may be recorded, but may not have understood this extended to their payment data).
Solving the recording problem once addresses all three. If card data never enters the audio channel — because the customer enters it via keypad and the DTMF tones are suppressed — there's nothing to redact, nothing to secure in the archive, and nothing to explain to the customer about how their data was handled. The compliance surface area shrinks considerably.
Paytia is built specifically for this. Our Secure Virtual Terminal and DTMF masking infrastructure mean that card data bypasses the agent and the call recording entirely. Because we're a PCI DSS Level 1 certified Service Provider, the card data processing sits under our certification rather than yours. Your PCI scope reduces, your UK GDPR data minimisation obligations are easier to satisfy, and your call recording process becomes genuinely clean.
If you're not certain where your telephone payment process currently stands against these requirements, get in touch. We can work through your current setup and help you identify what needs to change.