By Barnard Crespi
I recently had a revealing—and frankly concerning—experience while trying to update my credit card information with the Home Security service provided by a telecom.
I received a message instructing me to call in to update my payment method. Unlike other services provided by the telecom, the Home Security service doesn’t allow online credit card updates, so I picked up the phone and made the call to their business.
As expected, I was greeted with the standard message: “Your call will be recorded for quality assurance purposes.” After verifying my account, the agent immediately asked me to provide my credit card number.
I stopped.
– “Can you pause the recording while I give you my card details?” I asked.
– “No, we record all calls,” the agent replied.
– “You’re recording calls even when customers are giving you full card information?”
– “Yes.”
– “You do understand that violates every payment security best practice, PCI compliance, right?”
– “We still record them. You can pay via the bank if you prefer.”
And that was that.
Why This Matters
PCI DSS explicitly prohibits the storage—or recording—of sensitive authentication data, including the full primary account number (PAN), expiration date, and CVV. Recording phone calls where credit card information is spoken aloud, without masking or redaction, is a direct breach of those standards, and it’s a very bad payment security practice!
This isn’t about technicalities. It’s about protecting customers from data breaches, fraud, and the mishandling of sensitive financial information.
A Systematic Problem in Customer Service
What struck me even more than the compliance issue was how normal this seemed to the agent. There was no disclosure of the risk. No alternative provided, other than switching to bank payment. No secure automated option. Just a live person asking for card data over a recorded line.
This isn’t just this big telecom’s issue—it’s a widespread flaw in how many companies still handle phone-based payments. In 2025, with widely available tools like secure IVR Payment systems, encryption, and tokenized payment platforms, there is no excuse for this kind of outdated and risky practice.
What Businesses Must Do
For companies that accept payments over the phone, especially those handling recurring subscriptions or essential services, it’s time to modernize:
- Implement secure payment methods (like PCI-compliant IVR Payment systems or online payment options)
- STOP recording calls where card data is collected, or ensure sensitive data is redacted
- Train staff to understand basic payment security best practices and PCI compliance, and how to talk to customers about them
- Disclose payment risks transparently and give customers secure alternatives
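To illustrate the redaction option in the list above, here is an added example (not code from the author or any vendor) that scans a call transcript with word-level timestamps, finds spoken card numbers, and returns both the masked text and the audio ranges to mute. The transcript format, the function names, and the digit-word vocabulary are assumptions; real speech-to-text output varies.

```python
import re

# Digit words as a speech-to-text engine might emit them (assumed vocabulary).
WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def token_digits(token):
    """Digits contributed by one transcript token, or '' if it is not numeric."""
    t = token.lower().strip(".,;:!?")
    if t in WORD_DIGITS:
        return WORD_DIGITS[t]
    t = t.replace("-", "")
    return t if re.fullmatch(r"[0-9]+", t) else ""

def find_pan_spans(words):
    """Return (first_idx, last_idx) of digit runs that look like a card number."""
    spans, i = [], 0
    while i < len(words):
        digits, j = "", i
        while j < len(words) and token_digits(words[j][0]):
            digits += token_digits(words[j][0])
            j += 1
        # 13-19 digits must pass Luhn; longer runs (PAN run together with expiry
        # or CVV) cannot be split reliably, so they are redacted whole.
        if len(digits) > 19 or (len(digits) >= 13 and luhn_ok(digits)):
            spans.append((i, j - 1))
        i = max(j, i + 1)
    return spans

def redact(words, pad=0.25):
    """Return (redacted transcript, [(mute_start, mute_end)] in seconds)."""
    text, mutes = [w[0] for w in words], []
    for a, b in find_pan_spans(words):
        text[a:b + 1] = ["[REDACTED]"] * (b - a + 1)
        mutes.append((max(0.0, words[a][1] - pad), words[b][2] + pad))
    return " ".join(text), mutes

# Constructed sample: (token, start_sec, end_sec); 4111 1111 1111 1111 is a test number.
SAMPLE = [("my", 0.0, 0.25), ("card", 0.25, 0.5), ("is", 0.5, 0.75),
          ("4111", 1.0, 1.75), ("1111", 2.0, 2.75), ("1111", 3.0, 3.75),
          ("1111", 4.0, 4.75), ("thanks", 5.0, 5.5)]

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Post-hoc redaction depends on transcription accuracy, so it works best as a backstop to keeping card data off the recorded line in the first place.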
The Bigger Picture
As someone who helps organizations reduce their exposure to credit card data risks, I see this kind of thing far too often. But it’s especially disappointing to encounter it in a major player that should know better.
Handling customer payment data securely isn’t just about compliance—it’s about trust. And in today’s world, trust is everything.