Babble Blog

Are Your Phone Payments PCI Compliant? Here’s How to Know

Written by Nikki Hough | Apr 23, 2025 5:00:00 AM

Most businesses believe they’re PCI compliant. I can’t tell you the number of times a customer has confidently told me, “Oh yes, we’re compliant,” only to find that they actually aren’t. Here’s the thing: back in the day, PCI compliance was simple. What you did five years ago probably was enough. But the rules have changed — and if you haven’t updated your processes accordingly, there is a high chance that you could be exposing your customers’ card data every time you pick up the phone.

I’ve been working in communications and connectivity for years, and I can assure you that one of the biggest challenges I’ve faced is customers believing they’re PCI compliant when they’re not. On top of that, the Payment Card Industry Data Security Standard (PCI DSS) evolved again in early 2024, introducing new requirements for proof, automation, and call security.


In this article, I’ll break down what those changes mean for your business, where most organisations are getting it wrong, and the simple steps you can take to protect your customers — and your reputation — when handling payments over the phone.

The Evolution of PCI Compliance: It’s All About Proof, Not Promises

For many years, compliance was a lot simpler and seen as just another box to tick. Back then, telling your customer, “I’m pausing the call recording now while you give me your card details”, and then manually pausing the recording made you compliant. But that’s no longer enough.

In March 2024, everything changed: now, the regulations require you to actually prove that you’re compliant. You have to show, with stats and security data, that your systems are genuinely secure and that customer information is never stored, recorded, or retrievable in any way.

The bottom line is that if your call recording solution doesn’t automatically remove that part of the call from the network — and I’m talking completely off-network — you’re not PCI compliant. In other words: if you can’t prove it, you’re not compliant.

The updated standards are all about evidence. Businesses must now demonstrate how they handle data securely. Simply saying “yes, we’re compliant” is no longer going to cut it. You have to prove how your system works to keep that payment information off the grid.

That’s exactly what solutions like Secure Call do: they allow you to show that data can’t be recorded, stored, or tracked. When a customer reads out their card details, the call is instantly transferred away from your network to a separate, secure environment. The customer enters their details directly, which not only keeps your business compliant but also eliminates human error (at least where your agents are concerned). All in all, the sensitive part of the call doesn’t exist on your recording, which means it can’t be tracked or hacked.

That’s the key difference: the payment details are never on your system. They’re completely out of your hands and securely handled elsewhere.

Voice Payments: The Cyber Risk No One’s Talking About

Cyber security is no longer just a buzzword, but something you see everywhere: whether it’s a phishing scam, data breach, or ransomware attack, there seems to be a new headline every day. But hardly anyone talks about phone calls. And that’s exactly why so many businesses overlook voice payments. They assume that because there’s a friendly voice on the other end, all is well. After all, if your bank rings you and asks you to confirm your details, surely you can trust it, right? (No, my friend, you cannot.)

You see, the reality is that phone transactions are just as risky as online ones (if not more so) because they involve humans. Humans who are prone to making mistakes, like taking down your details incorrectly or forgetting to pause the recording while you read them out.

Even big companies fall into this trap. They’re so focused on email filters and endpoint protection that they forget that their phones are entry points into the business as well. In fact, ten years ago, the easiest way to hack into a business wasn’t through phishing. It was through the voicemail system on a desk phone. Four-digit PINs were all it took to rack up massive call bills or access sensitive data. The point is, phones have always been a target — and in many ways, they still are.

Human Error: The Silent Threat to PCI Compliance

If you’re not PCI compliant when taking card payments over the phone, a hefty fine would actually be the least of your concerns. It only takes one agent to take a payment incorrectly or fail to shut down the payment process properly to put the entire business at risk. One simple mistake can erode customer trust, draw unwanted regulatory attention, and cost your company millions.

I’m not exaggerating either. I’ve seen it happen. I once visited a client, a service provider in central London working on behalf of local councils. They had their own call centre. When we reviewed their process, we discovered recorded calls where you could hear customers reading out their full card numbers. On top of that, agents had notepads on their desks with card details written down. It sends chills down my spine just thinking about it.

Even businesses that try to be compliant often get it wrong. Some implement “mute” buttons to pause recording when taking card details — but agents forget to press them. Others use DTMF (where customers enter card numbers via their phone keypad), but if the system doesn’t pick up the tones correctly, it doesn’t work, customers get frustrated, and agents end up taking the details verbally anyway.

None of that is secure, nor does it meet today’s compliance standards.
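As an added illustration of the check a reviewer would run after finding card numbers in recordings and agent notes (this is example code, not from Babble, Secure Call, or the original post): the script below scans speech-to-text transcripts of calls for strings that look like card numbers, confirms them with the Luhn check so that order references and phone numbers are not flagged, copes with callers who read digits out as words, and reports each hit with all but the last four digits masked. The transcript lines and the order reference are constructed; the 16-digit number is a widely used test PAN, not a real card.

```python
import re

# Constructed sample transcript lines (not real calls). The 16-digit number
# is a well-known test PAN that passes the Luhn check; the "reference" on the
# last line is a constructed 16-digit string that does not.
SAMPLE_TRANSCRIPT = [
    "Agent: thanks, I'll take the payment now, please read out the long number.",
    "Caller: it's 4111 1111 1111 1111, expiry 12 27.",
    "Agent: and the three digits on the back?",
    "Caller: 123",
    "Agent: our reference for this order is 2024 0000 1234 5678.",
    # Same test PAN, spoken digit by digit as a speech-to-text engine might emit it.
    "Caller: " + " ".join(["four"] + ["one"] * 15),
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

DIGIT_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_spoken_digits(text: str) -> str:
    """Turn spoken digit words ('four one one one') into digits so a transcript
    of a caller reading a card out loud is scanned with the same pattern."""
    return re.sub(r"\b(zero|one|two|three|four|five|six|seven|eight|nine)\b",
                  lambda m: DIGIT_WORDS[m.group(1).lower()], text,
                  flags=re.IGNORECASE)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs (digits only) found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in text with asterisks plus its last four."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # not a card number: leave it untouched
    return PAN_CANDIDATE.sub(repl, text)


def scan_transcript(lines):
    """Return (line_number, masked_line) for every line that contains a PAN.
    Lines are normalised first, so the masked line shows digits, not words."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalize_spoken_digits(line)
        if find_pans(norm):
            hits.append((n, mask_pans(norm)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"card data found on line {n}: {masked}")
```

A clean scan over a sample of transcripts is the kind of evidence the post says you now need; any hit points at a call where the pause or the DTMF capture failed and the number ended up on your network. The Luhn check is what keeps order references and phone numbers out of the report, and the masking means the report itself does not become another copy of the card data.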

The Next Chapter of PCI Compliance — and What Businesses Should Expect

PCI compliance is constantly evolving. At first, the driver was the growth in cyber threats; now the next wave is all about automation and AI. Soon, we’ll see zero-touch payment processes, where customers enter their details through secure apps or voice bots, completely removing agents from the transaction. It’ll be seamless, secure, and automatic — and it’s already starting to happen.

This means greater protection for customers and less room for human error. But for now, the best thing any business can do is take complete control. Understand your risks, put the right systems in place, and make sure you can prove compliance at any given moment.

Start Strengthening Your PCI Compliance Today

PCI compliance might not be the most exciting part of your workday, but when something goes wrong, it quickly becomes the only thing that matters. The good news is that it’s entirely within your control. With the right systems, processes, and mindset, you can protect your business, customers, and reputation without thinking twice.

Most businesses still believe they’re compliant because they once were. But times have changed. What worked five years ago won’t meet today’s standards. If you’re taking payments over the phone, “probably compliant” isn’t enough: you have to prove it, otherwise you aren’t.

I’ve seen how quickly a lack of awareness can put companies at risk. My goal is to help you stay ahead of those risks by simplifying compliance and removing the guesswork.

Don’t wait until a breach or audit exposes your compliance gaps. Let’s fix them before they cost you. Babble can review your current call-handling setup, identify compliance weaknesses, and implement secure, PCI-compliant voice solutions that make phone payments safe — and effortless — for your customers and your team.