Compliance Guide
VoIP PCI-DSS Compliance
8 min read · Updated April 2026
PCI-DSS affects any VoIP system that processes, transmits, or stores cardholder data — including contact centers that take payments over the phone. The requirements go beyond just pausing recordings. Here's what VoIP engineers need to implement.
1. What VoIP systems are in scope for PCI-DSS?
PCI-DSS scope includes any system that stores, processes, or transmits cardholder data (CHD). For VoIP, this means:
- Contact center systems where agents take card payments over the phone
- IVR systems that collect card numbers via DTMF
- Call recording platforms that record calls containing card data
- Any SIP infrastructure that carries calls where card numbers are spoken or entered
- Network segments carrying these VoIP calls
Even if your VoIP system doesn't store card data, if it transmits calls where card data is shared, it's in scope and must meet applicable PCI-DSS controls.
2. Call recording requirements
PCI-DSS Requirement 3.3 prohibits storing sensitive authentication data (SAD: CVV2/CVC2, full track data, PINs) after authorization. The card number itself (the PAN) is cardholder data, not SAD: a recording that captures a spoken PAN may be retained, but it is then squarely in scope, the PAN must be rendered unreadable at rest (Requirement 3.5) and the file kept no longer than your retention policy allows (Requirement 3.2). Because a recording of the payment segment almost always captures the CVV as well, and the PCI SSC treats digital audio as queryable data, the practical rule is: do not record the portion of a call where a customer reads their card details.
Required
Pause/resume recording
Recording must be paused when the customer begins reading card data and resumed after. This can be agent-triggered (agent presses pause) or automatic (IVR handles card collection and recording is paused during the IVR leg). Agent-triggered is simpler but depends on the agent remembering, so audit controls must verify agents actually pause: sample recordings of payment calls and scan them for DTMF tones and spoken digit strings, and alert on payment transactions that have no matching pause event.
Required
No storage of CVV in recordings
CVV/CVV2 must never be stored — not in recordings, not in databases, not in logs. Even if the call is recorded, any segment containing the CVV must be deleted. This is absolute — there is no permissible storage of CVV post-authorization.
Required
Access controls on recording platform
The call recording platform is in PCI scope. Access must be restricted to authorized personnel, protected with MFA, and access events logged. Recordings containing any inadvertently captured card data must be encrypted at rest with AES-128 minimum.
3. DTMF masking for card numbers
When customers enter card numbers via DTMF (touch-tone), the DTMF tones must be masked in two places:
In the audio recording: DTMF tones are audible audio events, and a simple tone detector (Goertzel filters on the eight DTMF frequencies) recovers the digits from a recording exactly as a PBX does. The recording system must replace DTMF audio with silence or a masking tone during card entry. Some call recording platforms include DTMF masking as a feature; verify it actually works by entering a Luhn-valid test PAN (never a live card) and running a DTMF decoder over the resulting file.
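A DTMF scanner of the kind just described, as an added example (not code from the page or from any recording vendor): it recovers digits from unmasked audio with Goertzel filters, overwrites the blocks that carry them with silence, and confirms nothing is left. The audio is synthesised inline from a constructed Luhn-valid test number so the script runs offline; on a real platform you would feed it the PCM samples of an exported recording instead.

```python
"""Detect residual DTMF in a recording and mask it. Added example, not code
from the page or from any recording vendor. Audio is synthesised here from a
constructed test PAN (never use a real card) so it runs offline; on a real
platform feed it the float PCM samples of an exported WAV."""
import math

RATE = 8000                      # G.711 sample rate, what most recorders store
LOW = (697, 770, 852, 941)       # DTMF row tones
HIGH = (1209, 1336, 1477, 1633)  # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
FRAME = 205                      # 25.6 ms blocks, the classic Goertzel size for DTMF
SCORE_MIN = 0.6                  # share of block energy the two peak tones must hold


def goertzel_power(block, freq):
    """|X(k)|^2 for the DFT bin nearest freq, computed with the Goertzel recurrence."""
    n = len(block)
    k = int(0.5 + n * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_block(block):
    """Return the DTMF digit a block carries, or None for speech or silence."""
    energy = sum(x * x for x in block)
    if energy < 1e-9:
        return None
    lows = [goertzel_power(block, f) for f in LOW]
    highs = [goertzel_power(block, f) for f in HIGH]
    r = max(range(4), key=lows.__getitem__)
    c = max(range(4), key=highs.__getitem__)
    # For a clean dual tone the two peak bins hold nearly all the energy:
    # |X(k)|^2 ~ (A n/2)^2 per tone against sum x^2 ~ A^2 n/2 per tone,
    # so this ratio is ~1 for DTMF and small for speech or a stray tone.
    score = 2.0 * (lows[r] + highs[c]) / (len(block) * energy)
    return KEYPAD[r][c] if score >= SCORE_MIN else None


def detect_digits(samples):
    """Digit sequence recoverable from the audio, one digit per tone burst."""
    digits, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        digit = classify_block(samples[start:start + FRAME])
        if digit and digit != last:
            digits.append(digit)
        last = digit
    return "".join(digits)


def mask_dtmf(samples):
    """Overwrite every block that carries a DTMF tone with silence."""
    out = list(samples)
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        if classify_block(out[start:start + FRAME]):
            out[start:start + FRAME] = [0.0] * FRAME
    return out


def synth_dtmf(digits, tone_blocks=4, gap_blocks=2, amp=0.5):
    """Constructed test audio: each digit as a tone burst followed by silence,
    aligned to FRAME so one block never straddles a tone edge."""
    out = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYPAD) if d in row)
        c = KEYPAD[r].index(d)
        for n in range(tone_blocks * FRAME):
            t = n / RATE
            out.append(amp * math.sin(2 * math.pi * LOW[r] * t)
                       + amp * math.sin(2 * math.pi * HIGH[c] * t))
        out.extend([0.0] * (gap_blocks * FRAME))
    return out


TEST_PAN = "4111111111111111"   # well-known Luhn-valid test number, not a live card

if __name__ == "__main__":
    recording = synth_dtmf(TEST_PAN)
    print("unmasked recording leaks:", detect_digits(recording))
    print("masked recording leaks:", repr(detect_digits(mask_dtmf(recording))))
```

Production scanners use overlapping blocks and a minimum tone duration so that a burst straddling a block boundary is still caught; the aligned synthesis here keeps the example short. The point to take from it is that the "masking" a vendor advertises must leave `detect_digits` empty on a real exported file, not merely suppress the digits in the agent's UI.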
In SIP signaling: DTMF leaves the audio path in two different ways, and both end up in logs. With RFC 4733 (which obsoletes RFC 2833) the digits are telephone-event packets inside the RTP stream, on a dynamically negotiated payload type (commonly 101), so packet captures taken at the SBC for troubleshooting contain the card number. With SIP INFO (application/dtmf-relay) each digit is a SIP message body, which proxies and SBCs log by default. Neither may be logged or stored in a way that exposes the digit sequence: scrub or suppress INFO bodies in SBC and proxy logs, and treat RTP captures of payment calls as cardholder data with the same retention and access rules as recordings.
; Asterisk extensions.conf: record with MixMonitor, stop it before handing
; the call to the card-collection IVR, then resume appending (option a)
; to the same file so the payment segment is never written.
; pci-card-capture is a placeholder context name.
same => n,MixMonitor(${UNIQUEID}.wav,b)
same => n,StopMixMonitor()
same => n,Gosub(pci-card-capture,s,1)
same => n,MixMonitor(${UNIQUEID}.wav,ab)
<!-- FreeSWITCH dialplan: keep the recording running but write silence
     during IVR card collection. record_session_mask/unmask take the same
     path that was given to record_session. -->
<action application="record_session" data="$${recordings_dir}/${uuid}.wav"/>
<action application="record_session_mask" data="$${recordings_dir}/${uuid}.wav"/>
<!-- ... collect card via IVR ... -->
<action application="record_session_unmask" data="$${recordings_dir}/${uuid}.wav"/>
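The signaling-side control, the log scrubbing a proxy or SBC pipeline needs so that SIP INFO bodies and stray card numbers never reach disk, as an added example (not code from the page, Asterisk, FreeSWITCH or any SBC vendor). The SIP INFO message and log line are constructed, and the PAN in them is the well-known 4111 1111 1111 1111 test number.

```python
"""Scrub DTMF digits and card numbers out of SIP/SBC log records before they
are written. Added example, not code from the page or from any SBC vendor;
the SIP INFO message and log line below are constructed, not captured."""
import re

# application/dtmf-relay body of a SIP INFO:  Signal=4\r\nDuration=160\r\n
DTMF_SIGNAL_RE = re.compile(r"(?im)^(Signal=[ \t]*)[0-9A-D*#]")
DTMF_CT_RE = re.compile(r"(?im)^(?:content-type|c):[ \t]*application/dtmf-relay")
# 13-19 digits, optionally separated by single spaces or dashes, as an agent
# might type them into a note or a softphone might log them
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check; every major card brand's PAN passes it, so it separates
    card numbers from phone numbers and other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid candidate to first six + last four, the most
    PCI DSS allows to be displayed (Requirement 3.4.1)."""
    def mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # phone numbers, Call-IDs and timestamps stay readable
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE_RE.sub(mask, text)


def redact_sip_message(msg: str) -> str:
    """Scrub one raw SIP message for logging: the digit in an INFO
    dtmf-relay body, plus any PAN anywhere in the message. The result is a
    log record, not a message to forward (Content-Length is left as is)."""
    head, sep, body = msg.partition("\r\n\r\n")
    if DTMF_CT_RE.search(head):
        body = DTMF_SIGNAL_RE.sub(r"\g<1>X", body)
    return redact_pans(head + sep + body)


# Constructed samples, not captured traffic
SAMPLE_INFO = (
    "INFO sip:ivr@10.0.50.10 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.50.21:5061;branch=z9hG4bK776a\r\n"
    "Call-ID: a84b4c76e66710@agent-23\r\n"
    "Content-Type: application/dtmf-relay\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "Signal=4\r\n"
    "Duration=160\r\n"
)
SAMPLE_LOG = ("2026-04-02T10:14:05Z sbc1 INFO agent note: PAN 4111 1111 1111 1111"
              " callback 02079460000")

if __name__ == "__main__":
    print(redact_sip_message(SAMPLE_INFO))
    print(redact_pans(SAMPLE_LOG))
```

Run this at the point where the SBC or proxy hands a message to its logger, not as a batch job over files already on disk: once the unredacted line has been written, that log store is itself in scope. The Luhn filter is what keeps the scrubber from blanking every long number in a trace; it will still mask a non-card number that happens to pass Luhn, which is the safe direction to fail.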
4. Network segmentation
PCI-DSS Requirement 1 requires network controls to restrict traffic to the cardholder data environment (CDE). For VoIP:
- Place IVR systems, call recording servers, and agent workstations that handle card payments on a segmented PCI VLAN
- Firewall rules must restrict traffic between the PCI VLAN and other network segments
- SIP signaling from the PCI VLAN to SIP trunks must traverse the firewall with explicit allow rules
- General office VoIP (non-payment calls) should be on a separate VLAN that does not touch the CDE
A QSA (Qualified Security Assessor) will review network diagrams and firewall rules, and will test that the segmentation actually holds. Ensure your VoIP network diagram clearly shows how CDE and non-CDE VoIP traffic are separated, including where the SBC sits relative to the CDE boundary.
5. Encryption requirements
PCI-DSS Requirement 4 requires encryption of cardholder data in transit over open/public networks. For VoIP:
- SIP signaling: TLS 1.2+ on all external and inter-segment SIP connections (SIP over TLS, port 5061 by convention)
- RTP media: SRTP on all legs where card data may be spoken or entered via DTMF. RFC 4733 telephone-event packets ride inside the same RTP stream, so SRTP covers them. Note that with SDES key exchange (a=crypto in the SDP) the SRTP master key is carried in the signaling, so SRTP is only as strong as the TLS protecting the INVITE; DTLS-SRTP removes that dependency.
- Call recordings: AES-128 or AES-256 encryption at rest
- IVR systems: HTTPS for any web service APIs used by the IVR to process payments
SSL and early TLS (1.0 and 1.1) have not been acceptable since the PCI DSS migration deadline of 30 June 2018 and do not qualify as strong cryptography under PCI-DSS 4.0. Audit your SBC and SIP trunk TLS configuration to confirm TLS 1.0/1.1 are disabled and that the SBC validates the trunk provider's certificate rather than accepting any certificate presented.
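A check a practitioner would run over a SIP trace of a payment leg, tying the signaling, media and DTMF requirements together, as an added example (not code from the page or from SIPSymposium): it reads the top Via for the signaling transport, the SDP for the RTP profile and key exchange, and the rtpmap for RFC 4733 telephone-event, and reports what fails. The INVITEs are constructed, and the SDES key in them is a dummy.

```python
"""Audit one SIP INVITE for what PCI DSS expects on a payment leg: TLS on
the signaling hop, SRTP on the media, and DTMF carried inside that SRTP
stream. Added example, not code from the page or from SIPSymposium; the
INVITEs below are constructed, including the dummy SDES key."""
import re
import textwrap


def split_message(msg: str):
    """Header lines and SDP body; CRLF or LF accepted."""
    head, _, body = msg.replace("\r\n", "\n").strip().partition("\n\n")
    return [line.strip() for line in head.split("\n")], body


def via_transport(head_lines) -> str:
    """Transport of the topmost Via, i.e. the hop this message arrived on."""
    for line in head_lines:
        m = re.match(r"(?i)(?:via|v):\s*SIP/2\.0/(\w+)", line)
        if m:
            return m.group(1).upper()
    return "UNKNOWN"


def audit_sdp(sdp: str):
    """One dict per m= line: profile, whether SRTP keys are negotiated
    (SDES a=crypto or DTLS a=fingerprint) and whether RFC 4733
    telephone-event is mapped, so DTMF rides inside the (S)RTP stream."""
    session_fp, media, cur = False, [], None
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            cur = {"media": fields[0], "proto": fields[2], "crypto": False,
                   "fingerprint": session_fp, "telephone_event": False}
            media.append(cur)
        elif line.startswith("a=fingerprint:"):
            if cur is None:
                session_fp = True   # session-level fingerprint applies to all media
            else:
                cur["fingerprint"] = True
        elif cur is not None and line.startswith("a=crypto:"):
            cur["crypto"] = True
        elif cur is not None and line.startswith("a=rtpmap:") and "telephone-event" in line:
            cur["telephone_event"] = True
    for m in media:
        if m["proto"].startswith("UDP/TLS/RTP/SAVP") and m["fingerprint"]:
            m["verdict"] = "srtp-dtls"
        elif m["proto"].startswith("RTP/SAVP") and m["crypto"]:
            m["verdict"] = "srtp-sdes"
        elif "SAVP" in m["proto"]:
            m["verdict"] = "srtp-no-keys"   # secure profile offered, no way to key it
        else:
            m["verdict"] = "cleartext"      # RTP/AVP: plain RTP
    return media


def pci_findings(msg: str):
    """Findings for a payment-leg INVITE; an empty list means signaling,
    media and DTMF transport all look right."""
    head, body = split_message(msg)
    transport = via_transport(head)
    secure_hop = transport in ("TLS", "WSS")
    findings = []
    if not secure_hop:
        findings.append(f"signaling over {transport}: SIP on payment legs must use TLS 1.2+")
    for m in audit_sdp(body):
        tag = f"{m['media']} ({m['proto']})"
        if m["verdict"] == "cleartext":
            findings.append(f"{tag}: no SRTP, spoken and DTMF card data cross the network in the clear")
        elif m["verdict"] == "srtp-no-keys":
            findings.append(f"{tag}: SAVP offered without a=crypto or a=fingerprint, SRTP cannot be keyed")
        elif m["verdict"] == "srtp-sdes" and not secure_hop:
            findings.append(f"{tag}: SDES master key travels in unencrypted {transport} signaling")
        if m["media"] == "audio" and not m["telephone_event"]:
            findings.append(f"{tag}: no telephone-event payload, DTMF will go in-band or via SIP INFO instead")
    return findings


# Constructed INVITEs; the SDES key is a dummy, not a negotiated key
SECURE_INVITE = textwrap.dedent("""\
    INVITE sip:ivr@pci-ivr.example.internal SIP/2.0
    Via: SIP/2.0/TLS 10.50.1.20:5061;branch=z9hG4bK776a
    Content-Type: application/sdp

    v=0
    c=IN IP4 10.50.1.20
    m=audio 20000 RTP/SAVP 0 101
    a=rtpmap:0 PCMU/8000
    a=rtpmap:101 telephone-event/8000
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
""")
PLAIN_INVITE = textwrap.dedent("""\
    INVITE sip:ivr@pci-ivr.example.internal SIP/2.0
    Via: SIP/2.0/UDP 10.50.1.20:5060;branch=z9hG4bK776b
    Content-Type: application/sdp

    v=0
    c=IN IP4 10.50.1.20
    m=audio 20000 RTP/AVP 0 8
    a=rtpmap:0 PCMU/8000
""")
SDES_OVER_UDP = PLAIN_INVITE.replace("RTP/AVP 0 8", "RTP/SAVP 0 101").replace(
    "a=rtpmap:0 PCMU/8000", "a=rtpmap:0 PCMU/8000\na=rtpmap:101 telephone-event/8000\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
```

The third sample is the case the checklist item "SRTP on all call legs" alone would pass: the media is SRTP, but because the offer arrived over UDP the master key was readable to anyone on the path, so the finding is on the signaling, not the media. Run the same audit on the 200 OK as well, since the answerer can downgrade a RTP/SAVP offer it does not support.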
6. PCI-DSS VoIP compliance checklist
- Call recording pause/resume implemented and verified for all payment call flows
- DTMF audio masking enabled on recording platform
- SIP INFO DTMF bodies not logged or stored
- CVV never stored in recordings, databases, or logs
- TLS 1.2+ on all SIP trunks (TLS 1.0/1.1 disabled)
- SRTP on all call legs handling payment calls
- Call recording files encrypted at rest (AES-128 minimum)
- PCI VLAN for IVR, recording server, and agent workstations
- Firewall rules documented and restricting CDE traffic
- MFA for access to call recording platform
- Recording access logged with user identity
- Written agreements with the call recording vendor and SIP trunk provider acknowledging their PCI-DSS responsibilities, and their current Attestation of Compliance on file (Requirement 12.8; a HIPAA BAA or a GDPR DPA does not satisfy this)
- Annual penetration test that includes in-scope VoIP systems and validates the CDE segmentation (Requirement 11.4)
Frequently asked questions
What are the PCI-DSS requirements for call recording?
PCI-DSS prohibits storing sensitive authentication data (CVV2, full track data, PINs) after authorization; the card number itself may only be retained if it is rendered unreadable and kept no longer than needed. In practice call recording must be paused or masked while customers read card data, and CVV must never be stored in any recording. The recording platform must have access controls, MFA, audit logging, and recordings encrypted at rest.
Does PCI-DSS require SRTP for VoIP?
Yes: PCI-DSS Requirement 4 requires encryption of cardholder data in transit over open networks. For VoIP calls that transmit or could transmit card data, SRTP is required for media encryption, and TLS 1.2 or later is required for SIP signaling (with SDES key exchange the SRTP key itself travels in the signaling). SSL and early TLS (1.0/1.1) are not acceptable.
What is DTMF masking and why does PCI-DSS require it?
DTMF masking replaces the audible tones of a customer entering card numbers with silence or a masking tone in the call recording. PCI-DSS requires this because DTMF tones are audible and machine-recognizable; without masking, a card number entered via touch-tone can be reconstructed from the recording audio with a standard tone decoder. Both audio masking in recordings and suppression of DTMF digits in SIP INFO message logs and RTP captures are required.
Need a PCI-DSS compliance report for your VoIP infrastructure?
SIPSymposium Teams tier generates compliance reports mapping SIP trace findings to PCI-DSS requirements including encryption verification and DTMF handling assessment.