Most MOTO PCI projects are delayed by one early design decision, whether to control card data once it enters the contact centre, or prevent it from entering the environment at all. That choice determines whether the project becomes a complex telephony integration programme, or a simpler exercise in reducing scope. Most organisations choose the first path without fully accounting for what that integration involves. That is where the delays begin.
The scope problem nobody plans for
The moment a MOTO transaction is taken over the phone, a chain of systems becomes potentially relevant to your Cardholder Data Environment. The call is recorded, that recording sits in a platform, it gets backed up, QA teams review it, analytics tools process it. Each of these systems either is, or risks becoming, part of your CDE.
If card data never enters the recording and telephony environment, much of that estate stays out of scope. If it does, the project becomes a telephony integration programme with compliance layered on top. That is a very different undertaking.
Why pause-and-resume keeps failing
Pause-and-resume in isolation does not satisfy PCI DSS v4.0.1. This is a known and documented compliance gap, not an edge case interpretation.
The mechanism relies entirely on the agent triggering a recording pause before the customer reads out card digits. It must work every time, before card data is spoken, across every agent, every shift, every system. In a live contact centre environment, that is as much a delivery risk as a compliance risk.
When it fails, scope expands to include every system that touches the recording, storage, backups, QA tools, speech analytics, AI processing platforms, and any integrated application with access to recording data. A single agent error does not just create a compliance incident. It restructures the scope of the entire programme.
What better design looks like
The alternative is to reduce scope first. If card data never reaches the recording environment, the compliance question shifts from proving every recording was controlled, to demonstrating that card data never got there at all. The second is easier to test, easier to sustain, and far less dependent on the telephony complexity that causes most of the delay.
The organisations that move fastest redesign the payment flow so fewer systems fall into scope. That is a harder conversation to have at the start of a project. It is considerably easier than explaining to a QSA why your CDE has expanded to include systems you did not plan for.
About SecurePII
SecurePII is a cloud-native compliance platform that makes payments and personal data collection over the phone secure and compliant. Its patented selective redaction technology removes sensitive audio before it reaches business systems, reducing compliance risk and fraud. SecurePII partners with telcos, UCaaS and CCaaS platforms, and managed service providers to deliver secure voice compliance at scale.
Media Enquiries
Jacqueline Thals jacqui.thals@securepii.cloud
🔗 https://www.linkedin.com/company/securepii/
🤝 https://www.securepii.cloud/contact/
🌐 https://www.securepii.cloud/
