PCI-DSS
Payment Card Industry Data Security Standard. Compliance is required whenever card data is collected, including over the phone.
PCI-DSS (Payment Card Industry Data Security Standard) is the security standard that governs how organizations handle credit and debit card data. Any business that collects, processes, or stores cardholder data, or whose systems can affect the security of that data, falls within its scope. The channel makes no difference: a card number taken over the phone is covered exactly as one taken on a website, and so are the telephony, recording, and transcription systems that touch it. Non-compliance risks fines from the card brands and acquirers and, ultimately, the loss of card-processing privileges.
The phone channel problem
Taking a card number by voice is risky: the primary account number (PAN) can end up in a call recording, a transcript, an agent's notes or, for an AI agent, the model's prompt and the application logs. Every system that holds it then falls under strict PCI controls. The design goal is therefore to minimize PCI scope: keep the PAN out of any system you would otherwise have to audit, so that only the payment processor ever handles it.
How AI voice agents stay compliant
- DTMF capture: the caller types the card number on the keypad. DTMF tones are in-band audio, so the telephony platform must detect and suppress them before the audio reaches recording, transcription, or the model; the digits are routed straight to the payment processor and are never spoken aloud or recorded. If masking happens further downstream, the tones survive in the recording and can be decoded back into digits.
- Pause-and-resume recording: recording and transcription pause automatically when the card-entry step begins and resume only after the processor has returned a token. The pause must be triggered by the platform, not left to the agent's judgement, and the failure path (timeout, invalid number) must resume recording too; verify both with test calls.
- Pay-by-link: the agent captures the order and sends a secure SMS or email link to a processor-hosted payment page, so the card data goes directly to the processor and never touches the voice channel.
- Tokenization: store the token the processor returns, never the raw PAN. At most keep the last four digits for customer confirmation and receipts.
The safest pattern is to keep card data off voice altogether — which is why many AI agents default to pay-by-link for payments.
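The keypad flow described above (digits collected out of band with the recorder paused for the duration, only a processor token and the last four digits returned to the agent, and recording resumed even when entry fails), together with a Luhn-gated redactor as a safety net for anything a caller reads aloud into the transcript, as an added Python example. This is not code from the original page or any voice-agent vendor: `Recorder`, `FakeVault` and `DtmfCardCapture` are hypothetical stand-ins for a telephony platform's recorder and the processor's tokenization API, and the call segments and card number are constructed test data.

```python
import re
import secrets

# 13-19 digits with optional single space/dash separators (ASR often emits "4111 1111 ...").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit: every real PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_pan(digits: str) -> bool:
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

def redact_pans(text: str) -> tuple:
    """Safety net for the transcript path: replace Luhn-valid 13-19 digit runs with a
    placeholder that keeps only the last four. Returns (redacted_text, count)."""
    hits = 0

    def repl(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not is_pan(digits):
            return m.group(0)              # order id, phone number: leave it alone
        hits += 1
        return f"[PAN ****{digits[-4:]}]"

    return PAN_CANDIDATE.sub(repl, text), hits

class Recorder:
    """Hypothetical recorder/transcriber: segments that arrive while paused are dropped."""
    def __init__(self):
        self.paused, self.segments = False, []
    def pause(self):
        self.paused = True
    def resume(self):
        self.paused = False
    def record(self, segment: str):
        if not self.paused:
            self.segments.append(segment)

class FakeVault:
    """Stand-in for the processor's tokenization API; the PAN stays on its side."""
    def tokenize(self, pan: str) -> str:
        return "tok_" + secrets.token_urlsafe(12)   # random, not derived from the PAN

class DtmfCardCapture:
    """Collects keypad digits out of band: they never reach the transcript, the
    recorder or the model; the agent only ever receives a token and last4."""
    def __init__(self, recorder: Recorder, vault: FakeVault):
        self.recorder, self.vault = recorder, vault
        self._digits, self.active = [], False

    def start(self):
        self.recorder.pause()              # pause BEFORE the first tone can arrive
        self._digits, self.active = [], True

    def on_tone(self, tone: str):
        """Feed one DTMF tone; returns None until '#' ends entry, then a result dict."""
        if not self.active:
            return None
        if tone == "#":
            return self._finish()
        if tone.isdigit():
            self._digits.append(tone)
        return None

    def _finish(self) -> dict:
        pan, self._digits, self.active = "".join(self._digits), [], False
        try:
            if not is_pan(pan):
                return {"ok": False, "reason": "invalid card number, ask again"}
            return {"ok": True, "token": self.vault.tokenize(pan), "last4": pan[-4:]}
        finally:
            self.recorder.resume()         # resume on the failure path as well

def demo() -> dict:
    """Constructed call flow; returns what the agent sees and what was recorded."""
    rec, vault = Recorder(), FakeVault()
    cap = DtmfCardCapture(rec, vault)
    rec.record("Agent: enter your card number on the keypad, then press pound.")
    cap.start()
    rec.record("Caller: okay, typing it now")        # dropped: recorder is paused
    result = None
    for tone in "4111111111111111#":                 # constructed test PAN
        result = cap.on_tone(tone) or result
    text, n = redact_pans("Caller: my other card is 4111 1111 1111 1111, order 1234567890123456")
    rec.record(text)
    return {"result": result, "recorded": rec.segments, "redactions": n}

if __name__ == "__main__":
    print(demo())
```

Two things to keep in mind when adapting this. The redactor is a backstop, not the control: the real protection is that the tones are suppressed at the telephony layer and the recorder is paused before the first digit can arrive, which is why `start()` pauses before any tone is fed in and `_finish()` resumes in a `finally` so a timeout or an invalid number cannot leave recording switched off for the rest of the call. And a regex over transcript text only catches digits; speech-to-text may emit number words, so treat any transcript hit as a signal that the keypad prompt is being bypassed and needs a process fix, not as proof that the channel is clean.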