
PCI compliance checklist: 12 steps to consider

1.35 billion people were affected by data breaches last year. Here's how to protect your customers and stay compliant with PCI DSS 4.0.

By Eli Mogul

DISCLAIMER: This checklist provides general guidance only; consult your legal counsel and a Qualified Security Assessor (QSA) for advice specific to your organization.

With 1.35 billion people affected by data compromises in 2024 and card-not-present fraud representing over 70% of credit card fraud, securing payment data isn't optional; it's survival.

As of March 31, 2025, PCI DSS 4.0's future-dated requirements are mandatory, and non-compliance fines can reach $5,000 to $100,000 per month.

For contact centers processing voice payments, the challenge multiplies. Every agent conversation, IVR interaction, and AI assistant handling card data expands your compliance scope. The good news? With the right approach, you can minimize PCI scope while modernizing operations.

Understanding your PCI compliance level

Your transaction volume determines your merchant level and compliance requirements. Level 1 merchants (processing over 6 million transactions annually) face the strictest requirements, including quarterly network scans and annual on-site audits. Smaller merchants complete Self-Assessment Questionnaires (SAQs) instead of full audits.

Contact centers commonly fall under SAQ C-VT for virtual terminals or SAQ D for merchants with direct cardholder data storage. Choosing the wrong SAQ wastes resources and creates compliance gaps that auditors will catch.

The 12-step PCI compliance checklist

PCI DSS 4.0 organizes requirements into 12 core areas. Here's your prioritized checklist for meeting each requirement:

1. Define and document your cardholder data environment (CDE)

Map every system that processes, stores, or transmits payment card data. Include voice recordings, chat transcripts, and AI agent interactions. Without accurate scoping, you'll either over-invest in unnecessary controls or miss critical vulnerabilities.

2. Choose and complete the right SAQ

Select your SAQ based on actual payment channels and data flows. Contact centers typically need:

  • SAQ A: Fully outsourced payment processing with no electronic cardholder data
  • SAQ C-VT: Virtual terminals with manual entry, no electronic storage
  • SAQ D: Electronic storage of cardholder data or custom payment processing

3. Implement network segmentation

Isolate payment processing systems from general corporate networks. Use VLANs, firewalls, and access controls to create clear boundaries. Proper segmentation significantly reduces the number of systems subject to PCI DSS requirements, lowering both audit complexity and compliance costs.

4. Enforce encryption everywhere

Apply these encryption standards across your infrastructure:

| Data state | Minimum standard | Scope impact |
|---|---|---|
| Data in transit | TLS 1.2+ / SRTP | Protects VoIP signaling and media |
| Data at rest | AES-128 or higher | Reduces recording risk |
| Voice channels | DTMF masking | Removes sensitive data from recordings |
| API calls | HTTPS only | Secures integrations |

5. Deploy DTMF masking and pause/resume recording

When customers enter card numbers via phone keypad, DTMF tones create compliance risk. Implement tone suppression at the network level, not just in recordings. Add pause/resume controls so agents can stop recording during payment capture.

6. Configure access controls and authentication

Enforce multi-factor authentication (MFA) for all CDE access. Implement role-based permissions with quarterly reviews. Terminate access immediately when employees leave or change roles.

7. Log everything, monitor continuously

Capture authentication attempts, configuration changes, and data access. Organizations with automated security save $1.9 million in breach costs compared to manual processes. Set up real-time alerts for suspicious patterns.
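As an added example (not code from the article), here is the kind of real-time alert logic step 7 calls for, run over constructed auth log lines: it counts failed logins per source address and CDE host inside a five-minute sliding window and raises one alert when a threshold is crossed, ignoring systems outside the CDE. The host names, log format and threshold are assumptions for illustration.

```python
# Added example (not from the article): flag repeated failed logins to CDE hosts
# from syslog-style auth events. Host names, log format, and thresholds are
# assumptions for illustration only.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2025-04-01T09:00:01Z pay-gw-01 auth: user=agent42 src=10.20.30.5 result=FAIL
2025-04-01T09:00:05Z pay-gw-01 auth: user=agent42 src=10.20.30.5 result=FAIL
2025-04-01T09:00:09Z pay-gw-01 auth: user=admin src=10.20.30.5 result=FAIL
2025-04-01T09:00:12Z pay-gw-01 auth: user=root src=10.20.30.5 result=FAIL
2025-04-01T09:00:20Z pay-gw-01 auth: user=agent42 src=10.20.30.5 result=FAIL
2025-04-01T09:02:00Z corp-wiki auth: user=bob src=10.20.30.5 result=FAIL
2025-04-01T09:40:00Z pay-gw-02 auth: user=agent07 src=10.20.30.9 result=FAIL
2025-04-01T09:41:00Z pay-gw-02 auth: user=agent07 src=10.20.30.9 result=OK
"""
CDE_HOSTS = {"pay-gw-01", "pay-gw-02", "ivr-pay-01"}  # assumed in-scope systems
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def parse(line):
    """Parse one auth line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_failed_logins(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (src, host) whose failures reach `threshold`
    inside a sliding `window`; events on non-CDE hosts are ignored."""
    events = sorted(filter(None, map(parse, log_text.splitlines())),
                    key=lambda ev: ev["ts"])
    recent = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    alerts, alerted = [], set()
    for ev in events:
        if ev["host"] not in CDE_HOSTS or ev["result"] != "FAIL":
            continue
        key = (ev["src"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "host": ev["host"],
                           "failures": len(q), "last_seen": ev["ts"].isoformat()})
    return alerts
```

Running `detect_failed_logins(SAMPLE_LOGS)` yields a single alert for 10.20.30.5 against pay-gw-01; the corp-wiki failure from the same source is out of scope and the lone pay-gw-02 failure stays below threshold.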

8. Run vulnerability scans quarterly

Use an Approved Scanning Vendor (ASV) for external scans. Apply critical and high-risk security patches within 30 days of release, and address other vulnerabilities based on your documented risk ranking policy. With the average time to identify and contain a breach at 258 days, proactive scanning catches issues before criminals do.

9. Test incident response procedures

Document breach response workflows including notification timelines, forensics processes, and communication templates. Run tabletop exercises quarterly. The average breach in financial services costs $6.08 million. Preparation reduces both likelihood and impact.

10. Maintain secure development practices

Review code for security vulnerabilities before production deployment. Use static and dynamic application security testing (SAST/DAST). Train developers on secure coding standards specific to payment processing.

11. Document policies and procedures

Create written standards for password complexity, data retention, vendor management, and change control. Update documentation within 30 days of any process change. Missing documentation fails audits even with perfect technical controls.

12. Complete attestation and reporting

Submit your completed SAQ, vulnerability scan results, and Attestation of Compliance (AOC) to your acquiring bank. Level 1 merchants also need a Report on Compliance (ROC) from a Qualified Security Assessor (QSA).

Reducing PCI scope in the contact center

Voice payments present unique compliance challenges. Every conversation potentially captures sensitive card data through speech recognition or DTMF tones. These strategies minimize your exposure:

  • Segregate payment capture: Route payment calls to specialized IVR systems or AI agents that handle tokenization before data reaches human agents. This removes agents from PCI scope entirely.
  • Implement network-level controls: Deploy media anchoring and transcription redaction at the carrier level, not just in your contact center software. This prevents data from entering your environment.
  • Use secure payment links: Send customers tokenized payment forms via SMS or email instead of capturing card data over voice. This shifts compliance burden to your payment processor while improving customer experience.
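An added example (not code from the article or from Telnyx) of the transcription redaction mentioned above and the goal of step 5, keeping card numbers out of stored recordings and transcripts: it finds 13 to 19 digit runs in IVR DTMF capture or speech-to-text output, confirms them with the Luhn check so order references and other digit runs are left alone, and masks all but the last four digits. Spelled-out digits ("four two four two") would first need number normalization, which this snippet assumes the speech-to-text layer already performed; the transcript lines and test card numbers are constructed.

```python
# Added example (not from the article): redact card numbers from IVR/chat
# transcripts before they are stored. Luhn check and PAN length rules are
# standard; the transcript lines and labels are constructed for illustration.
import re

# Candidate digit runs: 13-19 digits, optionally separated by spaces or dashes
# (DTMF capture usually yields contiguous digits, speech-to-text often inserts
# spaces between groups of four).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(match):
    """Replace a Luhn-valid candidate with '*' except the last four digits;
    leave order numbers and other digit runs untouched."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_transcript(text):
    """Redact every Luhn-valid PAN in a transcript; return (text, count)."""
    count = 0
    def repl(m):
        nonlocal count
        out = mask_pan(m)
        if out != m.group(0):
            count += 1
        return out
    return PAN_CANDIDATE.sub(repl, text), count

# Constructed transcript (not real data; the card numbers are public test numbers).
SAMPLE_TRANSCRIPT = """\
AGENT: Please enter your card number on the keypad.
DTMF: 4111111111111111
STT: 4242 4242 4242 4242 expiry 12 27
AGENT: Your order reference is 1234567890123.
"""
```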

How Telnyx simplifies PCI compliance

Building PCI-compliant voice infrastructure requires coordinating multiple vendors—carriers for PSTN access, platforms for call control, providers for speech services, and tools for recording management. Each integration point creates potential vulnerabilities and compliance gaps.

Telnyx consolidates this complexity through full-stack control. Our carrier-grade private IP network provides encryption for voice signaling (TLS 1.3) and media (SRTP), with security controls designed for regulated industries. Key capabilities include:

  • API-driven recording controls: Pause/resume recording via API during payment capture keeps card data out of recordings and reduces PCI scope
  • Granular call control: Programmatic control over transcription, recording, and media routing reduces data retention scope
  • Regional infrastructure: Colocated GPUs and telecom PoPs ensure data locality for sovereignty requirements
  • Unified platform: Single vendor for numbers, SIP trunking, and AI agents eliminates security gaps between providers

For teams modernizing with AI assistants, Telnyx enables segregated payment flows where voice AI agents handle initial authentication and payment capture, then transfer sanitized calls to human agents. This pattern maintains TCPA compliance while reducing PCI scope.

Meeting PCI DSS 4.0 deadlines

With all requirements now mandatory, organizations face immediate compliance pressure. Recent breaches underscore the urgency, from Honda's e-commerce platform vulnerability exposing 21,000+ customer orders to Luxottica's 2021 breach leaking 70 million customer records.

Start with accurate scoping to avoid over-engineering. Map your actual cardholder data flows, then implement controls based on real risk rather than assumptions. For contact centers, focus first on removing agents from scope through IVR segregation and DTMF masking.

Next steps for PCI compliance

Achieving PCI compliance requires both technical controls and operational discipline. Begin with these immediate actions:

  1. Complete a gap assessment against PCI DSS 4.0 requirements
  2. Document your cardholder data flow across all channels
  3. Implement network segmentation to isolate payment systems
  4. Deploy DTMF masking and recording controls for voice channels
  5. Schedule quarterly vulnerability scans with an ASV

For organizations handling voice payments, consider how AI agents can reduce scope while improving customer experience. Modern platforms that combine communications infrastructure with AI enable compliant automation patterns previously requiring complex multi-vendor deployments.

Remember that compliance is ongoing, not one-time. Regular testing, documentation updates, and control monitoring prevent the drift that leads to breaches. With proper preparation and the right infrastructure partner, you can meet PCI requirements while actually improving operational efficiency.

Learn more about building compliant communications systems or explore how SMS payment reminders can shift transactions away from high-risk voice channels.


Ready to minimize PCI compliance risk while modernizing your contact center? Telnyx's unified platform combines carrier-grade infrastructure with AI capabilities: secure payment flows that keep sensitive data away from agents and recordings.

Talk to our team about building PCI-compliant voice payment solutions, or explore our Voice AI platform to see how AI agents can handle payment capture while reducing PCI scope.

DISCLAIMER: This checklist provides general guidance only and is not intended as, nor should it be construed as, legal, financial, or professional compliance advice. Telnyx disclaims all liability arising from reliance on this content. Consult your legal counsel and a Qualified Security Assessor (QSA) for advice specific to your organization.
