Skip to main content
Contact Centre Technology

PCI Data Security Standard (PCI DSS) Voice Encryption


Private telephony, public cloud, "hybrid agent application" and enabling PBX encryption.

Private Telephony and Public Cloud

In a Contact Centre environment where your business handles payment transactions over the phone and voice traverses over an open or public network typically to a Cloud based Application the PCI Data Security Standard (PCI DSS) Version 2.0 March 2011″ document guides you to encrypt the voice.

Advances in Technology “Hybrid Agent Application”

Moreover, with the advances in technology from both a strategic and tactical position and to further reduce fraud rates and protect both your customers and the merchant, your business should be looking to automate the collection of card payments using an Automated IVR to mimic the role played by a Customer Service Agent in terms of collecting payment. SABIO use our “Hybrid Agent Application” to deliver this capability.

Enabling PBX Encryption

Turning on encryption and securing voice on your Enterprise PBX should be relatively straightforward, but be mindful of other applications that acquire Voice from the PBX such as Call Recording or Third Party IVR applications as they may no longer work as a result of encrypting the voice.

On the AVAYA fabric the SRTP is typically enabled via 1-srtp-aescm128-hmac80 encryption cipher which adds roughly 10 additional bytes per packet which equates to a nominal 4Kbps of payload per voice packet. On the AVAYA platform the latest technology means there is no impact to DSP capacity.

Call Centres will need to ensure that transmission of cardholder data across public networks is encrypted.

This is part of PCI DSS Requirement 4 and includes:

  • Using strong encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:
  • Both wired and wireless networks used by at-home/remote agents and supervisors. For example, via a Virtual Private Network (VPN) with SSL/TLS. Please note that Wired Equivalent Privacy (WEP) protocol is no longer permissible as a security control for wireless networks
  • Any public network segments used to carry or send screen or voice recordings
  • Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used
  • Requiring agents to use analog telephone lines when a VoIP telephone system does not provide strong cryptography
  • Ensuring that payment card information is never sent over an unencrypted, end-user messaging medium such as chat, SMS (Simple Messaging System)/text or e-mail, or other non-encrypted communication channels
  • As a best practice, ensuring that stored recordings are not played back over a speakerphone if payment card information is included


Related resources

View all resources

Ready to chat?

Contact us to find out how Sabio can transform your customer experience.

Call us: +44(0)344 412 3000 Email: [email protected]
Can I help?