Secure Payments for Contact Centres
A practical guide for contact centre managers navigating PCI compliance. Covers agent payment workflows, the conflict between call recording and PCI DSS, compliance for remote and hybrid agents, and integration with existing telephony systems.
What you'll learn
- Agent payment workflow best practices for PCI compliance
- How to handle the call recording vs PCI DSS conflict
- Compliance strategies for remote and hybrid contact centre agents
- Integration options for existing telephony and CRM systems
PDF · 11 pages · 14 min read
Trusted by banks, law firms, and regulated businesses worldwide.
Why card-in-the-clear is the worst outcome
If a customer reads their 16-digit card number out loud and an agent types it into a CRM, you've just turned every desktop, headset, recording server, and screen-share session in your contact centre into part of your cardholder data environment. That's the worst place to be. Your PCI scope balloons, your audit gets longer and more expensive, and one phished agent or a misconfigured call recorder can turn into a notifiable breach. The whole job of a modern contact centre payment design is to stop card data ever reaching that environment in the first place.
The three architectures, and what they actually cost you
There are three approaches that genuinely descope a contact centre. The first is DTMF masking: the customer keys their card number on their own handset during a live call, the DTMF tones are replaced with a flat, uniform tone before the audio reaches the agent or the recorder, and the digits are routed straight to the payment gateway. The agent stays on the line, the call is never paused, and recordings stay continuous. Operationally this is the lightest option: agents need almost no retraining, average handling time (AHT) barely moves, and your existing telephony continues to work.
The second is channel separation — the customer is moved out of voice into a payment link, an IVR, or a secure web form for the card-entry step, then back to voice. It works, but it adds a hop, fails more often on mobile, and tends to push completion rates down. It's most useful when an agent is on a non-PCI channel like web chat and you need to bolt on a payment.
The third is pause-and-resume of call recordings while the agent types the card. This was common a decade ago and is still sold today. It does not actually descope you: the agent and the desktop hear and handle live card data even when the recorder is paused, so the agent's PC, headset, and physical workspace stay in scope, and a pause that fails to trigger puts the card number straight into the recording. Auditors increasingly treat it as a controls-only mitigation, not a descoping measure.
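To make the scoping difference between DTMF masking and pause-and-resume concrete, here is an added example (not from the guide and not Paytia's product code) that models a call as a stream of speech and digit events, routes it under each architecture, and then checks which paths end up carrying a Luhn-valid card number. The event format, function names and sample call are constructed for illustration; the card number is a Luhn-valid test number, not a real card.

```python
"""Added example: which call paths carry cardholder data under DTMF masking
versus pause-and-resume. Event format, function names and the sample call
are constructed for illustration, not taken from any real platform."""
import re
from dataclasses import dataclass, field

MASK_TONE = "<flat-tone>"      # what agent and recorder get instead of a keyed digit
PAUSED = "<recording-paused>"  # gap left in a paused recording

# Constructed, Luhn-valid test number (not a real card).
TEST_PAN = "4111111111111111"


@dataclass
class Streams:
    agent: list = field(default_factory=list)     # agent headset / desktop
    recorder: list = field(default_factory=list)  # call recording
    gateway: list = field(default_factory=list)   # payment gateway


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check, used here to tell a card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(stream) -> bool:
    """True if a run of 13-19 digits passing Luhn appears anywhere in the stream.
    Single-digit items (keyed one at a time) are joined before searching, so a
    number entered digit by digit is detected as well as one read aloud."""
    text = "".join(item if item.isdigit() else f" {item} " for item in stream)
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", text))


def route_dtmf_masked(events) -> Streams:
    """DTMF masking: while capture is armed, a keyed digit goes only to the gateway
    and the agent and recorder receive a flat tone. The call is never paused."""
    s, armed = Streams(), False
    for kind, value in events:
        if kind == "capture":
            armed = value
        elif kind == "speech":
            s.agent.append(value)
            s.recorder.append(value)
        elif kind == "digit":
            if armed:
                s.gateway.append(value)
                s.agent.append(MASK_TONE)
                s.recorder.append(MASK_TONE)
            else:  # digit keyed outside the capture window passes through unmasked
                s.agent.append(value)
                s.recorder.append(value)
    return s


def route_pause_and_resume(events) -> Streams:
    """Pause-and-resume: the recorder is paused while the card is handled, but the
    agent still receives every digit and re-keys it into the payment page."""
    s, paused = Streams(), False
    for kind, value in events:
        if kind == "capture":
            paused = value
            if paused:
                s.recorder.append(PAUSED)
        elif kind == "speech":
            s.agent.append(value)
            if not paused:
                s.recorder.append(value)
        elif kind == "digit":
            s.agent.append(value)    # agent hears or sees the digit
            s.gateway.append(value)  # and types it into the gateway
            if not paused:
                s.recorder.append(value)
    return s


def scope_report(s: Streams) -> dict:
    """Which paths carry a card number, i.e. which are in PCI scope."""
    return {name: contains_pan(getattr(s, name)) for name in ("agent", "recorder", "gateway")}


# Constructed sample call: agent arms capture, customer supplies the 16 digits
# (keyed as DTMF or read aloud), agent disarms and confirms.
SAMPLE_CALL = (
    [("speech", "Agent: I'll take the payment now, please enter your card number.")]
    + [("capture", True)]
    + [("digit", d) for d in TEST_PAN]
    + [("capture", False)]
    + [("speech", "Agent: thank you, the payment has been approved.")]
)

if __name__ == "__main__":
    for name, router in (("DTMF masking", route_dtmf_masked),
                         ("Pause-and-resume", route_pause_and_resume)):
        print(f"{name}: {scope_report(router(SAMPLE_CALL))}")
```

Under masking only the gateway path tests positive; under pause-and-resume the recorder is clean but the agent path still carries the full number, which is exactly why the desktop stays in scope. Running the same call through `route_dtmf_masked` without the arming event shows the operational edge case: digits keyed before capture is armed pass through unmasked, so the arming step (or an automatic capture window) is part of the control.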
What PCI scope looks like under each
With DTMF masking done properly, agents and recorders are out of scope and your SAQ shrinks dramatically: most contact centres move from SAQ D to SAQ A or A-EP territory, though the SAQ you are eligible for is ultimately confirmed by your acquirer or QSA. Channel separation gives you a similar scope outcome for the payment channel, but only if the handoff back to voice doesn't reintroduce card data (an agent reading the number back to confirm it, for example, puts it straight into the recording). Pause-and-resume keeps you on SAQ D in nearly every honest assessment we've seen.
Recommendations by team size
For teams under 20 agents, agent-assisted card payments with DTMF masking are usually the cheapest end-state — small enough to roll out in a few weeks, low enough touch that retraining is minimal. For 20-200 agents, the same architecture pays back fastest because the audit savings are larger and the agent training is still manageable. For multi-site, multi-vendor estates — typical of contact centres and telecom operators — masking has to be designed in at the SBC or carrier layer rather than the desktop, otherwise you end up with a per-seat licence cost that scales badly. In every case, if a vendor is selling you pause-and-resume as a descoping product, push back hard.
For the full feature set behind these recommendations, see our PCI DSS v4 solution.
Ready to simplify your PCI compliance?
Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.