Why Post-Call AI Redaction Is Not PCI Compliant - And What Actually Is

by Finn Rafter-Phillips, Global Channel Manager, IPI - July 31, 2025

AI-powered tools are transforming the way contact centers operate, streamlining workflows, enhancing customer experiences, and enabling smarter decision-making. But as with any technological innovation, especially those handling sensitive information, there’s a critical need to ensure compliance with established data protection standards.

One area where AI is gaining traction is in post-call redaction. These tools promise to automatically remove sensitive cardholder data, such as credit card numbers and CVVs, from call recordings after the conversation has taken place. On paper, it seems like a smart solution: let the AI listen to the call and redact anything sensitive after the fact.

But here’s the catch: post-call redaction, no matter how advanced the underlying technology, is not PCI DSS compliant. For contact centers handling payment data, that’s a serious issue with legal, financial, and reputational consequences.

Let’s examine why post-call redaction falls short of PCI compliance and outline the methods that truly meet the gold standard of compliance when it comes to the contact center – keeping both customer data and organizations safe.

What Is Post-Call AI Redaction?

Post-call AI redaction refers to the use of artificial intelligence to analyze recorded calls and automatically detect and remove Payment Card Industry (PCI) data. These tools typically work by scanning the audio file for patterns that resemble card numbers, CVVs, or expiration dates, and then either muting or masking the information in the recording.

The process is automated, minimizes human involvement, and requires little change to how agents handle calls. For busy contact centers, the convenience of post-call redaction can look like a win-win.

However, convenience does not equate to compliance – and in this case, it can create a false sense of security. Indeed, while it may seem efficient, post-call AI redaction is fundamentally flawed from a compliance standpoint.

Why Post-Call Redaction Fails PCI Compliance

While post-call redaction may seem like a clever workaround, it directly contradicts the requirements laid out in the PCI DSS (Payment Card Industry Data Security Standard). Here’s why:

1. The Data Has Already Been Captured

The most fundamental issue is timing. PCI DSS is clear on one key point: sensitive authentication data (such as full card numbers and CVV codes) must never be stored after authorization. If a contact center records a call where card data is spoken aloud, that data exists in the system. The moment that data is captured, the organization is in breach of PCI DSS requirements.

Redacting the data after the fact doesn’t undo the fact that it was stored, however briefly. From a compliance perspective, the damage is already done.

2. AI Isn’t Perfect

No AI tool, regardless of how sophisticated, is 100 percent accurate. In a compliance context, even one missed instance of unredacted cardholder data can result in a violation. That’s a significant risk – not only in terms of regulatory penalties, but also potential data breaches and customer trust.

3. Reactive, Not Preventative

PCI DSS emphasizes a proactive approach to data security. The goal isn’t to fix mistakes after they happen; it’s to design systems that prevent sensitive data from being captured in the first place.

Post-call redaction is reactive by nature. It waits for the data to be recorded and then tries to remove it. That approach fundamentally misunderstands the spirit of PCI compliance, which is about avoiding risk at the source.

What Methods Are PCI Compliant?

If post-call redaction isn’t the answer, what is? Fortunately, there are well-established and widely accepted methods that allow contact centers to handle payments over the phone without ever capturing sensitive data, thereby keeping operations fully aligned with PCI DSS.

Here are two of the most reliable and compliant solutions:

1. Pause and Resume Recording

This approach involves pausing the call recording while the customer provides payment information and resuming once the transaction is complete.

When a customer is ready to provide their card details, the recording system either pauses manually (with agent input) or automatically (via screen triggers, APIs, or detection of specific cues like DTMF tones). Once the data entry is complete, the recording resumes.

One of the key advantages of pause-and-resume is its simplicity. It’s straightforward to implement and can be integrated into existing telephony setups without major infrastructure changes. For many contact centers, it also presents a cost-effective path to PCI compliance, particularly if automation tools are already in place.

However, this method is not without its risks. If the pause-and-resume process relies on manual intervention, there’s always the potential for human error: agents may forget to pause the recording, or resume it too early. Automated pause-and-resume technology, however, combats this risk by pausing the recording automatically when card information is entered and resuming it once the payment is complete, ensuring that sensitive data is never captured in the recording.

Despite these drawbacks, pause-and-resume recording remains a popular and effective method, especially when properly integrated into agent workflows and supported by training and technology safeguards.

2. Secure Payment Gateways with DTMF Suppression

This is widely regarded as the most secure and fully PCI-compliant method for capturing payment details over the phone.

When it’s time to collect payment, the customer enters their card details using their phone keypad. The Dual-Tone Multi-Frequency (DTMF) tones – which normally indicate what keys were pressed – are masked so that they cannot be heard by the agent or recorded by the system.

Agents typically see only placeholder characters (e.g. asterisks) and have no access to the actual data. The information is sent directly to the secure payment processor without ever passing through the contact center’s environment.

The greatest advantage of this method is its security. Because the sensitive data is never seen, heard, or stored by the contact center, the risk of data exposure is effectively eliminated. This approach is fully aligned with PCI DSS requirements and also helps to boost customer confidence, as they know their payment information is being handled in the safest possible way.

The main drawback is that this method requires integration with a secure third-party payment platform. Depending on the provider and the technical complexity involved, this could mean additional licensing costs or time spent on implementation and testing. Nonetheless, for organizations prioritizing airtight compliance, these challenges are often well worth the investment.

While implementation may be more complex, DTMF suppression provides the highest level of assurance when it comes to both compliance and security.
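To make the contrast between the three approaches concrete, here is an added simulation written for this article; it is example code, not IPI's product or any vendor's implementation. It models one call as a constructed event stream (agent speech, a "take payment" screen trigger, per-digit DTMF key presses, and a gateway result) and feeds it through a toy recorder three ways: record everything and regex-redact afterwards (post-call redaction), pause the recorder between the payment-start and payment-complete triggers (automated pause-and-resume), and clamp the DTMF tones during the payment phase so they reach only a processor-side buffer while the agent screen shows asterisks (DTMF suppression). The event names, the `Recorder` class and the gateway buffer are assumptions made for the example; the card number 4111111111111111 is the widely used public test number, not cardholder data.

```python
"""Toy call-recording pipeline contrasting post-call redaction,
pause-and-resume recording and DTMF suppression. Example code only."""
import re

# Constructed sample call. Each event is (kind, source, payload); DTMF events
# carry a single keypad press. 4111111111111111 is a public test PAN.
SAMPLE_CALL = [
    ("speech", "agent", "Thanks for calling, how can I help?"),
    ("speech", "customer", "I'd like to pay my invoice."),
    ("payment_start", "agent", ""),            # screen trigger: agent opens payment form
    *[("dtmf", "customer", d) for d in "4111111111111111"],
    ("dtmf", "customer", "#"),                  # '#' terminates the card-number field
    *[("dtmf", "customer", d) for d in "123"],  # CVV
    ("dtmf", "customer", "#"),
    ("payment_complete", "gateway", "approved"),
    ("speech", "agent", "Payment received, anything else?"),
]

PAN_RE = re.compile(r"\b\d{13,19}\b")  # PAN-shaped run of 13-19 digits


def contains_card_data(text: str) -> bool:
    """True if a PAN-shaped digit run is present in the stored text."""
    return PAN_RE.search(text) is not None


class Recorder:
    """Minimal recorder (assumed for the example): stores speech and DTMF it is
    fed, merging consecutive key presses into one digit string; can be paused."""

    def __init__(self):
        self.segments = []
        self.paused = False

    def capture(self, kind, payload):
        if self.paused or kind not in ("speech", "dtmf"):
            return
        if kind == "dtmf" and self.segments and self.segments[-1][0] == "dtmf":
            self.segments[-1] = ("dtmf", self.segments[-1][1] + payload)
        else:
            self.segments.append((kind, payload))

    def transcript(self) -> str:
        return " ".join(payload for _, payload in self.segments)


def post_call_redaction(events):
    """Record everything, then mask PAN-shaped numbers afterwards.
    Returns (raw, redacted): `raw` is what existed on disk before the job ran."""
    rec = Recorder()
    for kind, _, payload in events:
        rec.capture(kind, payload)
    raw = rec.transcript()
    redacted = PAN_RE.sub(lambda m: "*" * len(m.group()), raw)
    return raw, redacted


def pause_and_resume(events) -> str:
    """Pause the recorder on the payment-start trigger, resume on completion."""
    rec = Recorder()
    for kind, _, payload in events:
        if kind == "payment_start":
            rec.paused = True      # automated trigger, no agent action needed
        elif kind == "payment_complete":
            rec.paused = False
        else:
            rec.capture(kind, payload)
    return rec.transcript()


def dtmf_suppression(events):
    """During the payment phase, route key presses to the processor-side buffer
    only; the recorder never receives them and the agent sees asterisks.
    Returns (recording, agent_screen, gateway_buffer)."""
    rec = Recorder()
    agent_screen, gateway_buffer = [], []
    in_payment = False
    for kind, _, payload in events:
        if kind == "payment_start":
            in_payment = True
        elif kind == "payment_complete":
            in_payment = False
        elif kind == "dtmf" and in_payment:
            gateway_buffer.append(payload)                        # processor side only
            agent_screen.append("*" if payload.isdigit() else payload)
        else:
            rec.capture(kind, payload)
    return rec.transcript(), "".join(agent_screen), "".join(gateway_buffer)


if __name__ == "__main__":
    raw, redacted = post_call_redaction(SAMPLE_CALL)
    print("post-call raw on disk :", raw)
    print("post-call redacted    :", redacted)
    print("pause-and-resume      :", pause_and_resume(SAMPLE_CALL))
    rec, screen, gw = dtmf_suppression(SAMPLE_CALL)
    print("dtmf-suppressed       :", rec, "| agent sees:", screen)
```

Running it shows the point of the article in one screen: the post-call path produces a raw recording that held the full card number until the redaction job ran, and the deliberately simple pattern also leaves the three-digit CVV untouched, which is the kind of miss the "AI isn't perfect" section warns about. The pause-and-resume and DTMF-suppression paths produce recordings that never contained a card number at any point, and in the DTMF case the digits exist only in the processor-side buffer.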

Don’t Hit Record on Risk

Post-call AI redaction may appear to offer a streamlined solution to data privacy, but it falls short of PCI compliance in several critical ways. Once sensitive data has been captured – even for an instant – the organization is exposed to significant risk.

True PCI compliance means preventing data capture in the first place. If your organization handles payment data, the only safe and compliant approach is to prevent that data from being captured at all. Whether through automated pause-and-resume or secure payment gateways, proactive protection is the only path to true PCI DSS compliance.
