PCI DSS 4.0.1 is the version of the card-data security standard that all merchants processing card payments — including telephone payments — are now required to meet. It became mandatory on 31 March 2025, replacing 4.0. If you're still working to a 4.0 baseline, you're behind.
This guide walks through the four PCI compliance levels (which determine what you actually have to do), what changed for telephone payments in 4.0.1, and where the real commercial argument sits. The full standard documents are on the PCI Security Standards Council site, which is the authoritative source.
Key takeaways
- The four PCI compliance levels are set by your annual card transaction volume — Level 1 is the most demanding, Level 4 the least.
- PCI DSS 4.0.1 has been mandatory since 31 March 2025. The changes most relevant to telephone payments cover MFA, call recording treatment, and network segmentation.
- The commercial argument for getting card data out of your contact centre isn't about risk appetite — it's about dropping from SAQ D (329 controls) to SAQ A (22 controls).
- DTMF Suppression and Channel Separation are the two architectures that keep card audio out of your environment entirely, so neither your recordings nor your agents carry PCI scope.
The four PCI compliance levels
The PCI Security Standards Council splits merchants into four levels based on annual transaction volume. Your level determines what validation you have to do and how formal the assessment process looks.
Level 1 — merchants processing more than 6 million card transactions a year. Annual on-site assessment by a Qualified Security Assessor, quarterly network scans, and a formal Report on Compliance (RoC). This is also the level Paytia operates at as a Service Provider.
Level 2 — 1 to 6 million transactions a year. Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans. In practice, most Level 2 merchants use a QSA even though they're not formally required to.
Level 3 — 20,000 to 1 million e-commerce transactions. Annual SAQ and quarterly scans, with focus on the channels where card data is accepted.
Level 4 — fewer than 20,000 e-commerce transactions or up to 1 million total transactions. Annual SAQ and a less formal review process. This is where most small UK businesses sit.
Note: these are the merchant levels set by the card schemes. Service providers (like Paytia) use a different classification, and we sit at Level 1 — the highest. That's part of what lets our customers reduce their own compliance burden.
What 4.0.1 changed for telephone payments
PCI DSS 4.0.1 is an incremental update to 4.0 — the full rewrite was 4.0 itself, released in 2022 and mandatory from March 2024. 4.0.1 sharpened the requirements and added clarifications. For telephone payment environments specifically, the notable changes include:
- Multi-factor authentication for access to systems that process cardholder data — this now applies more broadly, including to telephony admin consoles and workforce management tools that can view or export payment data.
- Call recording treatment is clearer: any recording that captures sensitive authentication data (including CVV) after the authorisation completes is a control failure. The practical effect is that pause-and-resume recording, which depends on agents remembering to pause, is no longer sufficient in environments where card digits are spoken aloud. Technical masking architectures like DTMF Suppression are the reliable way to meet the requirement.
- Network segmentation requirements have tightened — card-handling systems must be demonstrably isolated from the rest of the corporate network, with documented evidence.
- Customised approach options give more flexibility in how controls are implemented, provided the objectives are met. This matters mostly for larger merchants whose unique setups didn't quite map to the prescriptive 4.0 requirements.
The summary of changes document on the PCI SSC site is the definitive source if you want the exact wording.
What non-compliance actually costs
Non-compliance penalties aren't set by PCI DSS itself — they flow through your acquiring bank under the terms of your merchant agreement. Typical exposure includes monthly fines (often £2,000 to £80,000 depending on your level and the acquirer), higher per-transaction fees until you're compliant again, and in serious cases, withdrawal of card acceptance.
If a breach actually happens, the cost profile changes significantly: forensic investigation, card replacement costs, regulatory fines under UK GDPR (potentially 4% of global turnover or £17.5 million, whichever is higher), and the reputational damage that follows. That's before you count the card brand assessments, which can run to six or seven figures for a medium-sized breach.
The point isn't to be alarmist — most breaches don't reach those extreme numbers — but the combination of regulatory, operational, and reputational risk is why the commercial case for getting card data out of your environment is strong.
The SAQ D vs SAQ A argument
This is where the practical commercial thinking happens. The Self-Assessment Questionnaire you have to complete depends on how card data flows through your business.
SAQ D applies when card data enters your systems. 329 controls, covering network segmentation, vulnerability scanning, access controls, secure rooms, pen testing, and annual evidence collection for all of the above. External QSA engagements at this level typically run £25,000 to £80,000 a year plus the internal effort.
SAQ A applies when card data never enters your environment at all. 22 controls, mostly about making sure the payment provider you use is themselves compliant. Internal effort is a tiny fraction of SAQ D, and the external audit cost usually collapses to near zero.
Moving from SAQ D to SAQ A isn't a paperwork exercise — it's an architectural change in how your contact centre handles card data. With pause-and-resume recording, card data still enters your audio stream and your agents' ears, so you're still on SAQ D. With DTMF Suppression or Channel Separation, the card audio never reaches your environment, and SAQ A becomes achievable.
How Paytia fits in
Paytia is a PCI DSS Level 1 certified Service Provider. When our customers take payments through our platform, the card data is processed under our certification, not theirs. For most of our customers, that's what lets them complete SAQ A instead of SAQ D.
The technical architecture is what matters here:
With DTMF Suppression, the call stays continuous and the agent stays on the line. The customer enters their card on the phone keypad, and the keypad tones are intercepted and masked before they reach the agent's audio stream or the call recording. The agent hears a placeholder, the recording captures a placeholder, and the card goes to Paytia's PCI DSS Level 1 infrastructure directly.
With Channel Separation, during the payment step, the customer's audio is temporarily split from the main call and routed to Paytia. A voice assistant guides the customer through entering the card, and when the payment is complete, the call rejoins. The agent never has access to the card audio at any point.
Either approach moves the card handling outside your environment. That's what makes SAQ A possible, and that's what turns PCI DSS compliance from an ongoing operational burden into a once-a-year paperwork exercise.
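As an added illustration (example code written for this guide, not Paytia's platform code), the following Python models the DTMF Suppression path as a media proxy sitting between the customer leg and the agent/recorder leg: keypad digits arriving as RFC 4733 telephone-event RTP packets are re-labelled as voice with a placeholder frame before they reach the agent or the recording, while the digits themselves go only to the payment-side buffer. The payload type 101, the packet layout helpers and the sample call are assumptions constructed for the example; `leg_contains_dtmf` is the kind of check you would run over a recorder-bound capture to answer "can card digits enter your call recordings?".

```python
import struct

DTMF_PT = 101                      # dynamic payload type for telephone-event (assumed here)
VOICE_PT = 0                       # PCMU audio
EVENT_CHARS = "0123456789*#ABCD"   # RFC 4733 event codes 0..15
PLACEHOLDER = b"\xff" * 160        # 20 ms of PCMU silence: what agent and recorder get instead

def rtp_packet(pt, seq, payload, marker=False):
    """Minimal RTP packet (V=2, no CSRC, no extension). Constructed sample data."""
    hdr = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, seq * 160, 0x1234)
    return hdr + payload

def dtmf_packets(seq, digit):
    """Model one key press as a start packet (marker set) plus one end packet (E bit set)."""
    ev = EVENT_CHARS.index(digit)
    start = rtp_packet(DTMF_PT, seq, struct.pack("!BBH", ev, 10, 160), marker=True)
    end = rtp_packet(DTMF_PT, seq + 1, struct.pack("!BBH", ev, 0x80 | 10, 800))
    return [start, end]

def suppress_dtmf(customer_leg):
    """Proxy: returns (agent/recorder leg, digits routed to the payment provider).
    Each telephone-event packet is re-labelled as voice with a placeholder payload,
    so the agent hears a gap and the recording holds nothing re-identifiable. The
    digit is read once, from the event's start packet; runt packets are dropped.
    """
    agent_leg, digits = [], []
    for pkt in customer_leg:
        if len(pkt) < 12:
            continue                                    # too short for an RTP header: drop
        marker, pt = bool(pkt[1] & 0x80), pkt[1] & 0x7F
        if pt != DTMF_PT:
            agent_leg.append(pkt)                       # ordinary voice passes through untouched
            continue
        if marker and len(pkt) >= 16 and pkt[12] < len(EVENT_CHARS):
            digits.append(EVENT_CHARS[pkt[12]])         # digit goes to the payment side only
        masked = bytes([pkt[0], (pkt[1] & 0x80) | VOICE_PT]) + pkt[2:12] + PLACEHOLDER
        agent_leg.append(masked)                        # header kept, payload replaced
    return agent_leg, "".join(digits)

def leg_contains_dtmf(leg):
    """Audit check for the recorder-bound leg: does any telephone-event packet survive?"""
    return any(len(p) >= 12 and (p[1] & 0x7F) == DTMF_PT for p in leg)

def sample_customer_leg(digits="4111"):
    """Constructed call: a voice frame, the customer keying the digits, another voice frame."""
    leg = [rtp_packet(VOICE_PT, 1, b"\x7f" * 160)]
    for i, d in enumerate(digits):
        leg += dtmf_packets(2 + 2 * i, d)
    leg.append(rtp_packet(VOICE_PT, 2 + 2 * len(digits), b"\x7f" * 160))
    return leg
```

Running `suppress_dtmf(sample_customer_leg())` yields a recorder leg on which `leg_contains_dtmf` is false while the digit string on the payment side is intact.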
What to do next
If you're not sure where you stand against 4.0.1, start with the practical questions: Can card digits enter your call recordings under any circumstance? Do agents hear or see card numbers during a normal payment call? Does your telephony vendor have a PCI DSS Level 1 attestation? If the answers to the first two are "yes" and the third is "no", you've got work to do.
We can walk through your current setup and where the easiest gains are. Get in touch and we'll look at your telephony, your recording, and what moving to SAQ A actually looks like for your specific business.