PCI DSS · Mobile call recording
PCI DSS-aligned mobile call recording
Recording calls is essential for many merchants (dispute resolution, training, quality assurance), but if your business takes card payments by phone, you also have to be careful about what ends up in the recordings. ONSIM's network-level recording gives you the pause-and-resume and access controls you need to keep card data out of your archive.
The PCI problem with mobile call recording
Traditional PBX and VoIP phone systems have well-established PCI controls: pause buttons on the agent console, automated masking integrations, encrypted storage with restricted access. Mobile recording apps usually don't. The user has to remember to stop the recording before reading back a card number, which is error-prone and shows up as a finding in PCI assessments.
Network-level recording moves the control out of the user's hands. The pause signal is triggered by an IVR keypress (or routed through a separate non-recorded payment channel), so card data never reaches the recording. There's nothing for the agent to forget.
Two supported architectures
1. Pause-and-resume
Continuous call, with recording paused for the segment where card data is read. The agent (or the customer via DTMF keypress) triggers the pause. After the payment is confirmed, recording resumes. This is the simplest setup and works well for low-volume merchants.
2. Split-channel payment
The card capture is routed to a dedicated PCI-compliant payment service (typically a separate IVR or app), while the rest of the call continues to be recorded. Higher-volume or higher-risk merchants tend to prefer this, because it eliminates the possibility of human error in the pause.
Either architecture can be configured during your ONSIM onboarding. Talk to sales about which fits your transaction volume and QSA expectations.
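To make the pause-and-resume control concrete, here is an added example (not ONSIM's code) that models a network-side recorder gated by IVR keypresses, contrasts it with an app-style recorder that relies on the user, and runs a Luhn-based PAN scan over what was archived as a compliance self-check. The keypresses, event format and transcript are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed IVR keypresses; the page does not say which keys ONSIM uses.
PAUSE_KEY, RESUME_KEY = "*", "#"

@dataclass
class Recorder:  # network-side recorder: DTMF control events gate the archive
    recording: bool = True
    archive: list = field(default_factory=list)  # segments actually stored
    audit: list = field(default_factory=list)    # pause/resume log for the assessor

    def handle(self, kind, payload):
        if kind == "dtmf" and payload in (PAUSE_KEY, RESUME_KEY):
            self.recording = payload == RESUME_KEY
            self.audit.append("pause" if payload == PAUSE_KEY else "resume")
        elif kind == "speech" and self.recording:
            self.archive.append(payload)  # speech while paused is dropped entirely

def run_call(events, network_pause=True):
    # network_pause=False models an app recorder that ignores the IVR signal and
    # relies on the user stopping it by hand (here the user forgets, as the page warns).
    rec = Recorder()
    for kind, payload in events:
        if kind == "dtmf" and not network_pause:
            continue
        rec.handle(kind, payload)
    return rec

def luhn_ok(digits):  # Luhn check, used to filter PAN-like digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_pans(text):  # self-check: 13-19 digit runs (spaces/dashes allowed) passing Luhn
    runs = re.findall(r"\d(?:[ -]?\d){12,18}", text)
    return [d for d in (re.sub(r"\D", "", r) for r in runs) if luhn_ok(d)]

SAMPLE_CALL = [  # constructed transcript; 4111 ... 1111 is the standard Visa test PAN
    ("speech", "Agent: I'll take payment now, press star when you're ready."),
    ("dtmf", PAUSE_KEY),
    ("speech", "Customer: the number is 4111 1111 1111 1111, expiry 12/27, CVV 123."),
    ("speech", "Agent: payment approved, press hash to continue."),
    ("dtmf", RESUME_KEY),
    ("speech", "Agent: your order reference is A1B2C3."),
]
```

Running `find_pans` over the archive of both recorders shows the network-paused one stores no PAN while the app-style one stores the full card number and CVV, which is the finding a QSA would raise.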
ONSIM does not make you PCI compliant
Compliance is the merchant's responsibility and covers your entire payment workflow. ONSIM provides recording infrastructure that supports your PCI position: the controls (pause, masking, restricted access, audit log) you need to operate compliantly. Your QSA or self-assessment process validates the full picture, of which call recording is just one component.
We won't oversell what the product does. If you need help articulating where call recording sits in your PCI scope, we can introduce you to compliance partners during the sales conversation.
Talk to sales about your specific PCI setup
Tell us your transaction volume by phone, your current PCI level, and your QSA's preferences for the recording architecture. We'll quote a tailored deployment.
Frequently Asked Questions
What merchants taking phone payments most often ask.
What is PCI DSS and why does it affect call recording?
PCI DSS (Payment Card Industry Data Security Standard) governs how organisations that handle card payments must protect cardholder data. Any business that takes card details over the phone is in scope. The standard explicitly addresses recordings: storing the CVV/CVC code in a recording is prohibited, and storing full card numbers requires strong protections (encryption, access controls, defined retention). This applies whether the call was on a landline, mobile, or VoIP system.
How does ONSIM handle PCI DSS requirements on mobile?
ONSIM's network-level recording supports two approaches: (1) configure recording to pause-and-resume around card data capture (the user signals via IVR keypress or a separate channel), so card data is never recorded, or (2) keep continuous recording but route card data capture to a separate PCI-compliant payment channel that doesn't get recorded. Most customers use option 1 for simplicity. Specific configuration is scoped during sales.
Why is mobile harder than landline for PCI?
Most landline phone systems (PBX/VoIP) have built-in PCI controls: call-recording pause buttons, encrypted storage, masking integrations. Mobile recording apps usually don't. The user has to remember to stop the recording before reading back a card number, which is error-prone and produces compliance findings. ONSIM's network-level approach moves the control surface out of the user's hands, which is how you eliminate that class of error.
What about storing card numbers in recordings?
If full PANs (Primary Account Numbers) end up in your recordings, you become subject to far stricter PCI DSS storage requirements: encryption at rest, access logging, defined retention with automatic destruction, and quarterly audits. The simpler path for most businesses is to avoid recording card data at all, via pause-and-resume or a separate payment channel. ONSIM supports both architectures.
Does ONSIM make our business PCI DSS compliant?
No, and any vendor that tells you otherwise is overselling. PCI DSS compliance is the merchant's responsibility and covers your entire payment workflow, not just call recording. What ONSIM provides is recording infrastructure that doesn't actively undermine your PCI position, i.e. it gives you the controls (pause, masking, restricted access) you need to operate compliantly. Your QSA (Qualified Security Assessor) or self-assessment process validates the full picture.
How is access to PCI-relevant recordings controlled?
Role-based access via the ONSIM dashboard. Every retrieval is logged. You can scope which users (typically: finance and compliance only) can search and listen to call recordings, with separate permissions for export. The audit log is exportable for PCI assessment.
What is the retention period for PCI-relevant recordings?
PCI DSS itself does not mandate a specific recording retention period, but it does mandate that you have a defined policy and that recordings are destroyed when no longer needed. Most merchants align retention with their broader business needs (typically 6 months for dispute resolution, longer for high-value disputes). ONSIM retention is configurable per account.
Can we cover phone payments for a multi-user team?
Yes. Every ONSIM SIM/eSIM gets the same recording policy applied, so there is no per-device configuration to drift. Adding a new user means issuing a SIM with the same recording profile; pause-and-resume controls work identically across the team.
How do we get started with PCI-aware mobile recording?
Request a quote at quote.onsim.uk or call +44 333 880 4008. Mention that you take card payments by phone and we'll scope your pause-and-resume requirements, retention, and access model alongside the broader recording setup.