PCI DSS Version 4.0: What Changed and What Your Business Needs to Do

PCI DSS v4.0 brought significant changes for businesses that accept card payments. Here's what changed from v3.2.1, what the new requirements mean for your phone payments, and how to comply.

PCI DSS version 4.0 became the only active standard after the retirement of PCI DSS v3.2.1 in March 2024, with several new “best practice” requirements becoming mandatory in 2025. For businesses that accept credit card payments over the phone, the stakes are higher than ever — and the requirements have evolved in ways that many businesses are still catching up with.

What PCI DSS v4.0 Changed

PCI DSS v4.0 introduced several significant updates across its twelve core requirement areas. The changes with the most impact for most businesses are: increased emphasis on continuous monitoring rather than point-in-time compliance assessments; new multi-factor authentication (MFA) requirements that now apply to all accounts with access to cardholder data environments, not only remote access; expanded logging and monitoring requirements with more specific retention and review mandates; and a customized implementation approach that lets an organization demonstrate how alternative controls meet the security intent of each requirement, giving more flexibility to businesses with unusual technical environments.

Telephone Order Payment Environments Under v4.0

Businesses that take credit card payments over the phone face specific PCI DSS requirements around call recording — specifically, that call recordings containing cardholder data (card numbers, security codes, PINs) must not be stored. PCI DSS prohibits the storage of full card numbers post-authorization, card verification codes, and PIN blocks under any circumstances. If your phone system records calls and agents take card payments verbally during those calls, you are almost certainly out of compliance unless you have implemented a specific solution to address this.

The Pause-on-Payment Solution

The most common and effective solution for businesses that both record calls and take phone payments is a “pause-on-payment” system that automatically suspends call recording when the customer begins entering payment information — then resumes recording after the payment is complete. The card details are never captured in the recording. Vivant’s PCI compliance service implements this capability as part of an integrated phone payment solution that routes card payments through a PCI-compliant gateway while your call recording system is paused.

What Businesses Need to Do Now

Start by completing the current PCI DSS Self-Assessment Questionnaire (SAQ) appropriate for your payment processing model. Identify all systems that process, store, or transmit cardholder data, including phone systems. Audit your call recording practices to confirm no cardholder data is captured in recordings. Implement pause-on-payment if you have not already. Finally, ensure all accounts with access to cardholder data environments use multi-factor authentication.
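As an added illustration (not Vivant's code and not part of the original article), the following Python models the pause-on-payment behaviour described above together with the recording audit from this checklist: a simulated recorder that drops speech between payment-start and payment-end signals, and a scan that flags Luhn-valid card numbers left in a transcript. The event names, the recorder signalling and the call timeline are constructed assumptions.

```python
import re

# Luhn checksum: separates real PAN-like digit runs from other numbers in a transcript.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, as a customer reads a card aloud.
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")

def find_pans(text: str) -> list:
    """Audit check: return Luhn-valid card numbers found in a recording transcript."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def record_call(events, pause_on_payment=True) -> str:
    """Simulated recorder: speech between payment_start and payment_end is never captured."""
    captured, paused = [], False
    for kind, text in events:
        if kind == "payment_start":
            paused = pause_on_payment
        elif kind == "payment_end":
            paused = False
        elif kind == "speech" and not paused:
            captured.append(text)
    return " ".join(captured)

# Constructed call timeline. The payment_start/payment_end signals are assumed to come
# from the payment application (hypothetical integration, not a real vendor API).
CALL = [
    ("speech", "Hi, I'd like to pay my invoice."),
    ("speech", "Sure, I can take the card now."),
    ("payment_start", None),
    ("speech", "The number is 4111 1111 1111 1111, expiry 12/29, code 123."),
    ("payment_end", None),
    ("speech", "Thanks, the payment went through."),
]

if __name__ == "__main__":
    print("without pause:", find_pans(record_call(CALL, pause_on_payment=False)))
    print("with pause:   ", find_pans(record_call(CALL)))  # empty list: nothing to remediate
```

The same `find_pans` scan can be run over transcripts of existing recordings to find calls that were captured before pause-on-payment was in place.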

Vivant’s PCI Compliance Solution

Vivant’s integrated PCI compliance service addresses phone payment security comprehensively — pause-on-payment call recording, PCI-compliant payment gateway routing, and system documentation to support your compliance assessment. Contact Vivant to assess your current phone payment environment and implement the right solution before your next PCI audit.
