Across industries such as healthcare, utilities, financial services, and government, phone payments remain a critical part of how organizations collect revenue. Millions of customers still prefer to call a business to resolve billing issues, confirm balances, or complete transactions with assistance from a staff member.
Despite the rapid growth of digital payments, the phone channel continues to play an essential role in payment collection. However, there is a hidden operational and compliance risk embedded in many phone payment workflows. Many organizations unknowingly expand their PCI Cardholder Data Environment (CDE) when customers provide payment information verbally during a call.
Understanding and managing this risk is becoming increasingly important as organizations navigate evolving security requirements and stricter compliance expectations under PCI DSS.
A New Variable Is Entering the Picture: Voice AI
At the same time organizations are trying to modernize their customer service operations, another technology trend is rapidly gaining attention: Voice AI.
Companies and organizations across multiple industries are now actively experimenting with conversational AI agents capable of answering questions, guiding callers through service workflows, and assisting with routine tasks over the phone. The impetus for this is compelling, as Voice AI can reduce staff workloads, shorten wait times, and allow customers to interact with systems using natural conversation rather than navigating rigid phone menus.
Not surprisingly, some organizations are beginning to explore whether these systems can also participate in payment interactions. This topic is explored in more detail in this article on how Voice AI is beginning to enter live payment calls: Voice AI Enters Live Payment Calls
But before organizations introduce new AI technologies into phone payment environments, an important question needs to be addressed.
Have the risks in their existing live payment calls already been properly managed?
This is where many organizations encounter an unexpected challenge. In many organizations, customers still provide credit card numbers verbally to staff. While this may seem like a simple and convenient process, it expands the organization’s risk profile and PCI scope in ways that are not immediately obvious.
If these workflows are already introducing cardholder data into call recordings, telephony systems, staff desktops, or speech transcription tools, adding new technologies into the call flow does not eliminate the underlying problem; in some cases, it can even increase complexity.
For example, if conversational AI systems listen to or transcribe payment conversations, they may inadvertently become part of the cardholder data environment as well. This is why the order of modernization matters.
Before layering new technologies into customer interactions, organizations should ensure that their live payment calls are structured in a way that protects sensitive payment data and minimizes PCI exposure. Once payment capture is properly isolated and secured, innovation around the interaction layer – including AI – can be introduced much more safely.
In other words, organizations should address the security architecture of phone payments before introducing new automation technologies into the call experience.
The Misconception About PCI Responsibility
A common assumption among business leaders is that payment processors handle most of the security responsibilities associated with credit card transactions. This assumption is only partially true.
Payment processors secure the transaction processing infrastructure, but organizations accepting card payments remain responsible for protecting cardholder data within their own systems, processes and people.
The Payment Card Industry Data Security Standard (PCI DSS) makes this clear. Any system that stores, processes, or transmits cardholder data falls within the PCI compliance scope and must meet security requirements. (Source: PCI Security Standards Council – Protecting Telephone-Based Payment Card Data)
This means that when a customer reads a credit card number aloud to a call staff member, the organization’s infrastructure may become part of the cardholder data environment.
Many businesses underestimate how many systems this can include.
How Phone Payments Expand PCI Scope
When payment information is collected verbally, the card data may pass through multiple layers of technology before reaching the payment processor.
These layers often include:
- Call recording systems: Many contact centers record calls for quality assurance and training. If card numbers are spoken during a recorded call, those recordings may store sensitive payment data.
- Speech transcription tools: Modern contact centers increasingly use speech-to-text systems to analyze customer conversations. These tools can inadvertently capture cardholder data in transcripts.
- Agent desktops and CRM systems: Agents may type card numbers into internal applications or temporarily store information during the payment process.
- Telephony infrastructure: Call routing systems, VoIP platforms, and session border controllers may transmit cardholder data as part of the voice stream.
Because each of these systems can potentially handle cardholder data, they may fall under PCI compliance requirements.
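As an added illustration, not part of the original article, the Python script below shows the kind of data-discovery check a team can run over stored call transcripts to learn whether spoken card numbers have already landed in speech-to-text output (the transcript lines are constructed sample data, and the card numbers are well-known test PANs). It folds spoken digit words back into digits, then uses the Luhn check to separate real PANs from other long digit runs such as invoice references before reporting and redacting them.

```python
import re

# Constructed sample transcript (not real customer data). The two card numbers
# are standard test PANs that pass the Luhn check; the invoice reference does not.
SAMPLE_TRANSCRIPT = [
    "[10:02:11] agent: Can I get the card number please?",
    "[10:02:19] caller: sure it's 4111 1111 1111 1111",
    "[10:02:31] agent: and the expiry?",
    "[10:02:34] caller: 12/27, the security code is 123",
    "[10:03:01] caller: or use my other card 5555-5555-5555-4444",
    "[10:03:10] caller: the invoice reference is 5550-1005-5550-100",
    "[10:03:22] caller: four one one one one one one one one one one one one one one one",
]

# Speech-to-text engines often emit spoken digits as words; fold them back first.
WORD_DIGITS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
WORD_RE = re.compile(r"\b(" + "|".join(WORD_DIGITS) + r")\b", re.IGNORECASE)
# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def normalize(line):
    return WORD_RE.sub(lambda m: WORD_DIGITS[m.group(1).lower()], line)

def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _candidate_pan(m):
    digits = re.sub(r"[ -]", "", m.group())
    return digits if luhn_valid(digits) else None

def find_pans(line):
    return [p for m in DIGIT_RUN.finditer(normalize(line)) if (p := _candidate_pan(m))]

def _mask(m):
    pan = _candidate_pan(m)
    return "[PAN ****%s]" % pan[-4:] if pan else m.group()

def redact_line(line):
    # Replace each PAN with a masked marker; non-card digit runs are left untouched.
    return DIGIT_RUN.sub(_mask, normalize(line))

def scan_transcript(lines):
    # Report (line number, last four) per PAN, which is what a scope-discovery exercise needs.
    return [(n, pan[-4:]) for n, line in enumerate(lines, 1) for pan in find_pans(line)]

if __name__ == "__main__":
    for n, last4 in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {n}: PAN ending {last4}")
    for line in SAMPLE_TRANSCRIPT:
        print(redact_line(line))
```

A positive hit on a stored transcript means that transcription system, and wherever its output is retained, is already inside the cardholder data environment.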
PCI QSAs (Qualified Security Assessors) frequently point out that organizations often underestimate the size of their PCI scope when payment information enters contact center environments. As a result, organizations may find themselves responsible for securing far more infrastructure than originally anticipated.
The size of an organization’s PCI scope directly affects the complexity and cost of maintaining compliance.
A large cardholder data environment requires organizations to implement extensive security controls, including:
- strict access management
- network segmentation
- encryption and monitoring systems
- vulnerability scanning
- incident response procedures
- ongoing compliance audits
Each additional system included in scope increases the operational burden.
This is why many organizations are shifting their focus from simply securing payment data to reducing the environments where that data exists at all.
The Concept of PCI Scope Reduction
PCI scope reduction, sometimes referred to as descoping, is the strategy of redesigning payment workflows so that cardholder data bypasses internal infrastructure, processes and people entirely.
Instead of collecting sensitive information directly within business systems, organizations isolate payment capture within secure payment environments.
This approach significantly reduces the number of systems subject to PCI compliance requirements.
The following technologies are among those that support this strategy:
- Secure IVR Payment Systems: Automated IVR payment systems allow customers to enter payment information directly through a secure phone interface. In this model, cardholder data is transmitted directly to a payment processor without passing through agent desktops or internal business systems.
- Secure Keypad Entry During Agent Calls: Another approach involves allowing customers to enter payment information using their phone keypad while the agent is on “hold”. In this model, the agent remains in the loop to reconnect with the customer, while the payment data is entered directly into a secure payment platform.
Operational Benefits of Reducing PCI Scope
While PCI scope reduction is often discussed in security terms, the operational advantages can be equally significant, including:
- Lower compliance costs: When fewer systems fall within the cardholder data environment, organizations spend less time and resources maintaining security controls and preparing for audits.
- Reduced breach risk: Limiting where sensitive data exists reduces the potential attack surface for cybercriminals.
- Simplified infrastructure: Organizations can focus security investments on critical payment systems rather than attempting to secure large portions of their internal environment.
- Improved operational efficiency: Streamlined payment workflows often reduce call handling times and improve customer satisfaction.
The Future of Phone Payment Security
Phone payments remain vital across industries such as healthcare, utilities, government services, and financial services, where customer support and complex billing are common. To support these transactions, organizations must prioritize security and compliance.
The growing focus on PCI scope reduction reflects a broader shift toward more resilient payment architectures. Rather than allowing sensitive payment data to pass through multiple internal systems, organizations are increasingly redesigning their workflows so that cardholder data is isolated within secure payment environments from the moment it is entered. This shift not only reduces compliance exposure but also prepares organizations for the next phase of customer engagement technologies.
Across industries, companies are beginning to explore introducing conversational technologies, such as Voice AI, to improve the phone experience. These technologies promise more natural interactions, faster resolution times, and greater automation within contact centers. But as organizations consider introducing Voice AI into customer interactions, the structure of their existing phone payment workflows becomes critically important.
If payment data continues to flow through business systems today, introducing additional technologies into the call experience can unintentionally increase compliance complexity and operational risk. In many cases, the real barrier to safely adopting new automation technologies is not the AI itself, but the way payment data is currently handled within live calls. For this reason, many organizations are first taking a step back to examine how payment information enters their environments today. By securing and isolating payment capture within live phone calls, organizations establish a foundation that allows new technologies to be introduced more safely and confidently.
Therefore, the central argument is that the future of phone payments depends less on adopting new technologies like Voice AI and more on building secure, compliant payment architectures to support those technologies. Organizations must examine whether their phone payment workflows truly provide the security foundation required for future innovations.
Are your live payment calls secure for tomorrow?