Aiphoria Transact

Getting started

Welcome to the Aiphoria Transact documentation! The Aiphoria PCI DSS Level 1 solution (Transact) gets your organization to a SAQ-A. This guide will help you get started with everything you need to know around using and integrating with the PCI Transact product.

Introduction to PCI DSS Compliance

When businesses take card payments over the phone—whether through live agents, an IVR system, Pay by Link, or a hybrid approach—they must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of strict security requirements designed to protect cardholder data and reduce the risk of fraud.

If your business handles, stores, or processes cardholder data, then you’re in PCI scope—which means additional security requirements, costly audits, and compliance headaches. But what if you could take card payments over the phone without ever handling sensitive data? That’s where DTMF suppression and Pay by Link solutions like Aiphoria Transact come in.

We can do all of this without getting in the way of your complicated payment workflows, integrations and current PSP(s).

The Problem: PCI Compliance and Telephone Payments

Whenever a customer reads out their card number (PAN), expiration date, or CVV code to an agent, that data is immediately exposed to:

  • Live agents (who might overhear or mishandle it)
  • Call recordings (which could capture sensitive information)
  • Screen recordings (if agents are typing the details manually)
  • Telephony networks (where data could be intercepted)
  • Back-end systems (where data might be stored unintentionally)

Even businesses that only occasionally take payments over the phone must comply with PCI DSS rules if they are handling card data in any form. This means additional security controls, audits, and risk assessments—unless you remove cardholder data from your environment entirely.

Can I Just Do This Myself?

Absolutely....

If your business processes, stores, or transmits cardholder data directly and you don't want to use a service like Aiphoria Transact, you can implement all 300+ PCI DSS security controls across the business and complete the full audit with a QSA each year. Some highlights:

  • Encrypting cardholder data at rest and in transit
  • Restricting access to payment data, including users' ability to copy that data (e.g. paper and pens, mobile phones, etc.)
  • Regular security audits & penetration testing
  • Installing firewalls, intrusion detection systems, and strict access controls
  • Maintaining a secure network and vulnerability management program
  • Completing a full PCI DSS assessment & audit annually with a QSA

In short, handling cardholder data yourself is expensive, complex, and risky—which is why many businesses choose to outsource the burden to a compliant provider like Aiphoria Transact.

The Solution: Remove the data in the first place.

The Aiphoria Transact service removes all sensitive data from your agents' workflows while continuing to allow the agents to communicate effectively with customers and process business-critical workflows (payments) in the same way they do today.

But how?

📞 DTMF Suppression: When the customer enters their card details using their keypad, the system automatically suppresses DTMF tones so that neither agents nor call recordings capture them.
🎙️ Speech Recognition: If a customer is unable (e.g. for reasons covered by disability legislation, or simply a smashed phone screen) or unwilling to enter their card information via keypad, the agent can switch to voice capture. This has the same PCI compliance and scope level but ensures everyone is able to make a payment.
📱 Pay by Link: Instead of entering card details via keypad, the customer receives a secure link via SMS or Webchat, allowing them to complete the payment on their own device. This enables one-touch payments using stored cards in the browser.
🏦 Pay by Bank: Pay by Bank works side by side with our Pay by Link service. It lets customers pay directly from their bank with no card needed. Coming soon in 2025.

Highlights

No Card Data, No PCI Scope: Since no cardholder data enters your contact center, office, or telephony system, your business stays out of PCI DSS scope.
Flexible Payment Methods: Works for live agent-assisted payments, IVR-based payments, Pay by Link, and hybrid approaches.
Secure & Seamless: Customers complete payments securely while your business avoids the risks and costs of handling sensitive data.
Agent-Guided Transactions: Agents receive real-time feedback (stars) for each digit a customer enters (via DTMF or Pay by Link) and can assist throughout the process while maintaining audio or Webchat communication.
Multiple PSPs: Keep your current PSP with all your current tokens and workflows, or migrate to a new one. The option is yours.
Keep your workflows and integrations: At its simplest, the Transact solution lets you keep all your existing workflows the same; just swap out the payment page and we will do the rest. Or maybe you want to take this opportunity to rework that payment flow, remove the old and embrace the new. Aiphoria can help you migrate, or not. It's up to you.
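The DTMF suppression and "stars per digit" agent feedback described under "But how?" and in the Agent-Guided Transactions highlight come down to one property: keypad digits are consumed by a component inside the provider's PCI scope, and the agent and call recording channel only ever receive a masked progress string, a validity result, and a token. The following is an added illustration of that boundary, not Aiphoria's own code and not a description of the Transact API. It assumes a single in-scope capture component, uses a constructed convention that the `*` key restarts entry, and uses the well-known `4111...` test number as a constructed sample PAN.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample PAN (the widely used "4111..." test number); not a real card.
TEST_PAN = "4111111111111111"
DTMF_DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used to reject mistyped numbers before they reach a PSP."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class CaptureSession:
    """Models the in-scope capture component (assumed boundary): DTMF digits are
    buffered here and only a masked progress string is emitted to the agent and
    recording channel."""
    agent_channel: list = field(default_factory=list)  # everything the agent/recorder sees
    vault: dict = field(default_factory=dict)           # token -> PAN, stays inside scope
    _pan_buffer: str = ""                               # never appended to agent_channel

    def on_dtmf(self, tone: str) -> str:
        """Consume one keypad tone; return the masked feedback sent to the agent."""
        if tone == "*":                        # constructed convention: '*' restarts entry
            self._pan_buffer = ""
            feedback = "cleared"
        elif tone in DTMF_DIGITS and len(self._pan_buffer) < 19:
            self._pan_buffer += tone
            feedback = "*" * len(self._pan_buffer)   # one star per digit, no digit value
        else:
            feedback = "ignored"               # '#', letters, or overlong input
        self.agent_channel.append(feedback)
        return feedback

    def finish(self) -> dict:
        """Validate the buffered PAN, tokenise it, and wipe the buffer.
        Only the token and the last four digits leave the in-scope component."""
        pan, self._pan_buffer = self._pan_buffer, ""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            self.agent_channel.append("invalid")
            return {"status": "invalid"}
        token = "tok_" + secrets.token_hex(12)   # random surrogate, no relation to the PAN
        self.vault[token] = pan
        self.agent_channel.append(f"ok last4={pan[-4:]}")
        return {"status": "ok", "token": token, "last4": pan[-4:]}


def agent_channel_is_clean(session: CaptureSession, pan: str) -> bool:
    """The property that keeps the contact centre out of scope: neither the full PAN
    nor its first six digits ever appear on the agent side."""
    return all(pan not in entry and pan[:6] not in entry for entry in session.agent_channel)


def run_capture(pan: str = TEST_PAN) -> tuple:
    """Simulate a customer keying a PAN digit by digit; return (result, session)."""
    session = CaptureSession()
    for tone in pan:
        session.on_dtmf(tone)
    return session.finish(), session


if __name__ == "__main__":
    result, session = run_capture()
    print(result["status"], result.get("last4"))
    print(session.agent_channel)
```

The `agent_channel` list stands in for both the agent's screen and the call recording; `agent_channel_is_clean` is the check a reviewer of a data flow diagram would want to see hold. Everything that does reach the agent (stars, "invalid", "ok last4=...") is information that is acceptable outside the cardholder data environment.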

What Does This Mean for Your Business?

By using a PCI DSS 4.0-compliant Level 1 service provider like Aiphoria Transact, your business benefits in multiple ways:

🚀 Drastically reduces PCI scope – No card data means fewer compliance headaches.
🔒 Protects your employees & customers – Agents never hear or see card numbers.
📞 Keeps call & screen recordings compliant – No need for costly redactions.
🛡️ Reduces fraud risk – Since card data is never in your environment, there’s nothing to steal.
💰 Saves time & money – No need for expensive security controls, audits, or infrastructure changes.

What You Still Need to Do

That's the beauty, not very much! The first two are done by Aiphoria for you:

Vendor Due Diligence – You must verify that your payment service provider is PCI DSS compliant by obtaining their Attestation of Compliance (AoC) or Report on Compliance (RoC). Aiphoria Transact holds an AoC to PCI DSS 4.0 level.
Defining Your Own PCI Scope – If no card data enters any of your other systems then by using Transact you should only need to complete a simplified Self-Assessment Questionnaire (SAQ-A or SAQ-D).

The final three should already be covered by other processes. If not, Aiphoria can help you with templated documents:

Staff Training & Policies – Your employees should be trained to never ask for card details verbally or store them in any format.
Incident Response Planning – Your supplier management process should cover what happens if any of your suppliers experiences a data breach; you need to have a response plan in place for this.
Compliance Documentation – Documented proof that you use a PCI-compliant provider and that no cardholder data is in your environment. This is normally covered by a data flow diagram or a design document for your payment workflows.

The Bottom Line: PCI Compliance Without the Stress

By removing cardholder data from your environment entirely, Aiphoria Transact ensures that your business stays out of PCI scope, reducing security risks and simplifying compliance. Whether you take a few payments over the phone via web chat or run a large-scale operation, you can focus on providing great service without worrying about audits, data breaches, or compliance headaches. 🎩✨

Got questions? Don’t worry, we’ve got you covered! Our team are experts in PCI scope and would be happy to dive into how we can make your workflow changes work for you.

The rest of this document walks you through how to use the system, the configuration options, and integration.