PCI-DSS · Level 1 · QSA-audited
PCI-DSS compliance.
DialPhone is PCI-DSS Level 1 audited annually. Collect payments by phone through IVR or agent-assisted capture without exposing agents to card data or polluting call recordings.
Taking payments over the phone is one of the few places where a business phone system genuinely touches PCI-DSS scope. If an agent reads or hears card-number digits — or if a recording contains them — the agent's workstation, the recording archive, and the agent's call route all fall inside PCI scope, which means the audit surface explodes from "the phone vendor" to "everywhere that workstation and recording have ever been." Most teams handle this by sending callers to a separate IVR for the payment portion of the call, which keeps the agent's workstation out of PCI scope.
DialPhone supports two patterns for that separation. Pure IVR capture routes the caller to a PCI-DSS-scoped IVR flow that collects card data via DTMF tones, processes the transaction through a tokenization gateway, and returns the caller to the agent with only a transaction reference — the agent never hears or sees card digits. Agent-assisted capture with DTMF masking keeps the caller on the line with the agent but mutes the DTMF tones during card-number entry; the agent sees only masked digits in their workspace and the recording captures only masked tones. Both patterns are PCI Level 1 audited.
Procurement teams typically need the QSA Attestation of Compliance (AOC) and the Responsibility Matrix during initial review. Both are available under NDA via sales. For the broader compliance picture across SOC 2, HIPAA, and ISO 27001, see the Trust Center. For the contact-center pricing tiers that include PCI-DSS payment IVR, see the contact center pricing page.
Capabilities
What we ship
- PCI-DSS Level 1 audited annually by QSA
- Payment IVR: customer enters card via DTMF, agent never hears or sees card data
- Agent-assisted payment: pause/resume call recording automatically during card entry
- Tokenization of stored card data, raw PAN never persisted
- Integration with Stripe, Authorize.net, Adyen, Shopify Payments, and most major processors
- Network segmentation, payment processing isolated from voice infrastructure
- TLS 1.3 for all card data in transit
- Attestation of Compliance (AOC) available to customers under NDA
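The capture patterns described above (DTMF masking in the agent's workspace, automatic recording pause/resume during card entry, and tokenization so that the raw PAN is never persisted) can be modelled end to end in a few dozen lines. The following is an added example and is not DialPhone's code or a description of its implementation: the event tuples, the `CaptureSession` and `FakeTokenizer` names, the `#` terminator and the Luhn/length pre-check are assumptions made for illustration, and the sample call is constructed using the standard Luhn-valid test number. It shows what the agent view and the recording actually receive when the capture window is open, and that only a token and the last four digits leave the PCI boundary.

```python
"""Added example, not DialPhone's code: a toy model of agent-assisted card
capture with DTMF masking, automatic recording pause/resume and tokenization.
Event format, CaptureSession and FakeTokenizer are assumptions for illustration."""
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum, used to reject a mistyped card number early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FakeTokenizer:
    """Stand-in for a tokenization gateway: returns an opaque reference and
    keeps no copy of the PAN (a real gateway vaults it on the processor side)."""

    def tokenize(self, pan: str) -> str:
        return "tok_" + secrets.token_hex(8)


@dataclass
class CaptureSession:
    gateway: FakeTokenizer
    agent_view: list = field(default_factory=list)   # what the agent workstation shows
    recording: list = field(default_factory=list)    # what the call recorder stores
    capturing: bool = False
    result: dict = field(default_factory=dict)
    _pan_buffer: list = field(default_factory=list, repr=False)  # PCI boundary only

    def start_capture(self) -> None:
        """Agent triggers card entry: recording pauses and DTMF is diverted."""
        self.capturing = True
        self._pan_buffer.clear()
        self.recording.append("[recording paused]")

    def on_event(self, kind: str, value: str) -> None:
        if kind == "speech":
            self.agent_view.append(value)            # caller stays on the line with the agent
            if not self.capturing:
                self.recording.append(value)         # speech inside the window is not recorded
        elif kind == "dtmf" and not self.capturing:
            self.agent_view.append(f"dtmf:{value}")  # ordinary keypress, e.g. a menu choice
            self.recording.append(f"dtmf:{value}")
        elif kind == "dtmf" and value == "#":
            self._finish()                           # '#' terminates card entry
        elif kind == "dtmf" and value.isdigit():
            self._pan_buffer.append(value)           # digit stays inside the PCI boundary
            self.agent_view.append("*")              # agent sees a masked digit only
        else:
            raise ValueError(f"unexpected event {kind}:{value}")

    def _finish(self) -> None:
        pan = "".join(self._pan_buffer)
        self._pan_buffer.clear()                     # drop the raw digits immediately
        self.capturing = False
        self.recording.append("[recording resumed]")
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            self.result = {"status": "rejected", "reason": "length or Luhn check failed"}
            self.agent_view.append("card rejected, ask caller to re-enter")
            return
        token = self.gateway.tokenize(pan)
        self.result = {"status": "ok", "token": token, "last4": pan[-4:]}
        self.agent_view.append(f"pay now: {token} (card ending {pan[-4:]})")
        # 'pan' is a local str that Python cannot scrub; a real implementation keeps
        # the buffer in a separate PCI-scoped process rather than in agent-side code.


def run_call(pan_digits: str) -> CaptureSession:
    """Drive a constructed call through the session and return it for inspection."""
    events = [("speech", "agent: I'll take the card number now"),
              ("start_capture", ""),
              ("speech", "caller: entering it now")]
    events += [("dtmf", d) for d in pan_digits] + [("dtmf", "#")]
    events.append(("speech", "agent: thank you, that's gone through"))
    session = CaptureSession(FakeTokenizer())
    for kind, value in events:
        if kind == "start_capture":
            session.start_capture()
        else:
            session.on_event(kind, value)
    return session


def pan_exposed(session: CaptureSession, pan_digits: str, window: int = 6) -> bool:
    """True if any 6-digit run of the PAN reached the agent view or the recording."""
    visible = " ".join(session.agent_view + session.recording)
    return any(pan_digits[i:i + window] in visible
               for i in range(len(pan_digits) - window + 1))


if __name__ == "__main__":
    s = run_call("4111111111111111")   # constructed: the usual Luhn-valid test number
    print(s.result, s.agent_view, s.recording, sep="\n")
```

The design point is where the buffer lives: the agent view and the recorder are ordinary, out-of-scope components that only ever see masked characters, pause/resume markers and a token, so an auditor can draw the PCI boundary around the capture process alone. `pan_exposed` is the check a reviewer would run against captured agent-side output to confirm that no digit run from the card number leaked past that boundary.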
PCI-DSS FAQ
What PCI-DSS level is DialPhone?
Level 1, the highest compliance tier, required for organizations handling over 6 million card transactions annually. The audit is conducted annually by a Qualified Security Assessor (QSA).
Can agents see credit card numbers?
No. Payment IVR uses DTMF tones captured inside a compliant PCI boundary; the audio containing card digits is automatically muted from agent headsets and never recorded. Agents hear "pay now" confirmation, not the card data.
Do you support tokenization?
Yes. Card data is tokenized on capture; only tokens are stored in DialPhone or returned to the customer's payment processor. Raw PAN data is never persisted.
Which DialPhone plans include PCI payment features?
Contact Center Professional ($95/agent/mo) and Elite ($145/agent/mo) include payment IVR and agent-assisted capture. Business Phone plans handle inbound/outbound calls but do not include payment capture features.
Can I get the Attestation of Compliance (AOC)?
Yes. Customers handling card data receive the DialPhone AOC under NDA via the admin portal or on request to [email protected].