PCI DSS for Call Centres in Australia

If your contact centre accepts payment card transactions over the phone, PCI DSS compliance is not optional — it's a contractual and regulatory obligation. The right technology makes achieving and maintaining that compliance significantly simpler, less costly, and more robust than manual processes alone.

This page lists Australian suppliers of PCI DSS technology for call centres. For suppliers focused on the broader payment processing capability, also see the call centre payment solutions page.

What is PCI DSS and Why Does it Apply to Call Centres?

PCI DSS — the Payment Card Industry Data Security Standard — is a set of security requirements developed by the PCI Security Standards Council that applies to any organisation that stores, processes, or transmits payment cardholder data. It was established by the major card schemes (Visa, Mastercard, Amex, Discover) to reduce payment card fraud and data breaches globally.

Call centres are squarely in scope for PCI DSS whenever a customer provides their payment card details over the phone. The moment a card number is spoken to an agent, entered via DTMF, or processed through any call centre system, PCI DSS applies — and the scope of what must be protected extends to the systems, networks, and processes that touch that cardholder data.

The challenge for most call centres is that their existing infrastructure — call recording, screen capture, agent desktops, network infrastructure — was not originally designed with PCI DSS in mind. PCI DSS technology for call centres addresses these gaps systematically, reducing the risk of a breach and the scope of the compliance audit.

Non-compliance carries serious consequences

Non-compliance with PCI DSS can result in significant fines from card schemes, increased transaction processing fees, mandatory forensic audits following a breach, reputational damage, and in the most serious cases, loss of the ability to accept card payments entirely. Compliance is an ongoing obligation — not a one-time certification.

How PCI DSS Applies Specifically to Call Centres

The specific PCI DSS challenges in a call centre environment are well-understood — and there are established technology approaches to address each of them:

Call Recording

If call recordings capture a customer speaking their card number, those recordings contain cardholder data and are in PCI DSS scope. Automatic redaction or pause-and-resume recording must be implemented — and manual pause-and-resume alone is insufficient if agents can forget or choose not to pause.

Screen Capture

If screen recording is active when card data appears on the agent's screen — whether typed in by the agent or populated from a payment system — those recordings are in scope. Screen redaction technology masks card data on screen and in recordings automatically.

DTMF Tone Collection

When customers enter card details via keypad, audible DTMF tones can allow an agent to infer the card number. DTMF masking replaces audible tones with flat tones — the customer's input is captured by the payment system without the agent or the recording capturing the actual digits.

Agent Desktop

If full card numbers are displayed on the agent's screen, the agent desktop environment is in scope for PCI DSS. Tokenisation and masking ensure agents only see truncated card data — the last four digits — while the full number is processed by a compliant payment system outside the agent environment.

Network Infrastructure

Any network segment that cardholder data passes through is in PCI DSS scope — including voice networks, data networks, and any integration between call centre systems and payment processing systems. Network segmentation reduces scope significantly.

Secure Payment Handoff

Transferring the customer to a fully isolated, PCI DSS-certified payment engine for card entry — and returning them to the agent once payment is complete — removes the card entry process from the call centre environment entirely. This is the most comprehensive scope reduction approach.

PCI DSS Technology Approaches for Call Centres

PCI DSS technology suppliers for call centres typically offer one or more of the following approaches — often combined for maximum scope reduction:

  • Automatic Call Recording Redaction: Automatically detects and removes (redacts) card number sequences from call recordings in real time or post-call — ensuring recordings can be retained for quality and compliance purposes without containing cardholder data.
  • Automated Pause-and-Resume: Automatically pauses call recording when the payment phase of the call is detected — removing the reliance on agents manually pressing pause and eliminating the human error risk that makes manual pause-and-resume insufficient for PCI DSS compliance.
  • DTMF Tone Suppression & Masking: Replaces audible DTMF tones during card entry with flat tones — preventing agents from hearing card digits while allowing the payment system to capture them correctly.
  • Screen Data Masking: Automatically masks card numbers displayed on the agent desktop and in screen recordings — ensuring full card numbers are never visible to agents or captured in screen recordings.
  • Secure Payment Engine Integration: Routes customers to a fully certified, isolated payment environment for card entry — removing card data from the call centre environment entirely and delivering the most significant PCI DSS scope reduction.
  • Tokenisation: Replaces card numbers with non-sensitive tokens within call centre systems — enabling payment references to be stored and passed between systems without the underlying cardholder data ever entering the call centre environment.
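As an added illustration of the redaction and masking approaches above (not code from this page or from any supplier listed here), the following Python finds candidate card-number sequences in a post-call transcript or agent-desktop text field, confirms them with a Luhn check so ordinary account references are left untouched, and masks every digit except the last four. The transcript is constructed sample data using published test card numbers, not real accounts.

```python
import re

# Constructed sample: a post-call transcript containing a spoken card number,
# an expiry date, and a non-card account reference (all made up for this example).
TRANSCRIPT = (
    "Agent: please read your card number. "
    "Customer: it's 4111 1111 1111 1111, expiry 09/27. "
    "Agent: and your account reference is 1234567890123."
)

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not part of a longer digit run (lookbehind/lookahead guard both ends).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Mask all but the last four digits, preserving the original spacing."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # e.g. an account reference: leave it alone
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def redact_pans(text: str) -> str:
    """Redact every Luhn-valid PAN in free text (transcript, CRM note, screen field)."""
    return PAN_CANDIDATE.sub(mask_pan, text)


if __name__ == "__main__":
    print(redact_pans(TRANSCRIPT))
```

The same function can run over a live speech-to-text stream, which is the real-time variant of recording redaction described above; the Luhn filter is what keeps it from blanking every long number a customer mentions.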

PCI DSS v4.0 — stay current

PCI DSS version 4.0 introduced updated requirements with a phased implementation timeline. If you haven't already assessed your call centre's compliance against PCI DSS v4.0, now is the time. Specialist suppliers can conduct an assessment and identify what technology or process changes are required for full compliance.

What to Look for in PCI DSS Technology for Call Centres

  • Scope reduction: How significantly does the solution reduce PCI DSS scope? The best solutions remove cardholder data from agent systems, call recordings, and screen recordings entirely — minimising the systems and processes subject to PCI DSS audit.
  • Automation vs manual: Is the PCI DSS control automated — or does it rely on agents taking manual action (such as pressing pause)? Automated controls are required for PCI DSS compliance. Manual processes are inherently unreliable and may not satisfy auditors.
  • Platform integration: How does the solution integrate with your contact centre platform, call recording system, screen capture, and payment gateway? Gaps in integration create compliance gaps — confirm end-to-end coverage.
  • PCI DSS certification: Is the supplier's solution independently certified by a Qualified Security Assessor (QSA)? A certified solution provides significantly stronger compliance assurance than self-attestation.
  • Call quality impact: Does the DTMF suppression or payment handoff approach affect call audio quality? Ask for real-world demonstrations — some solutions introduce noticeable audio artefacts that affect the customer experience.
  • Audit support: What documentation, reporting, and audit trail support does the supplier provide? Evidence of automated controls and a clear compliance paper trail simplifies the annual PCI DSS assessment process significantly.
  • Australian expertise: Does the supplier have experience with PCI DSS compliance in Australian contact centres — including familiarity with Australian acquiring banks, telecommunications infrastructure, and the specific compliance frameworks of Australian financial services, utilities, and healthcare?

Related technology

PCI DSS technology is closely related to broader call centre payment capability. If you're evaluating the full payment processing stack — not just the compliance technology — also see the call centre payment solutions page for suppliers covering the complete payment workflow.

Resources for Contact Centre Professionals

If you've found this page while researching PCI DSS for call centres and haven't come across ACXPA before, here's what's available to you — vendor-neutral, genuinely useful, and built for contact centre professionals:

  • Resource Hub

    ACXPA Contact Centre Hub — a comprehensive library of guides, tools, and resources covering all aspects of contact centre technology, compliance, and operations. One of the most valuable free resources available to contact centre professionals anywhere in the world.

  • Roundtables

    Contact Centre Manager Roundtables — regular live sessions where contact centre leaders share real experiences on compliance, security, and technology. Hear directly from peers who've navigated PCI DSS implementation in Australian contact centres.

  • Member Bytes

    ACXPA Member Bytes — short on-demand videos covering compliance, security, and contact centre technology topics. Available to ACXPA members.

  • Free Guide

    Contact Centre Technology Guide (via CX Connect) — a vendor-agnostic guide to the full contact centre technology stack including compliance and security solutions. No email address required.
