PCI DSS


Keep card data out of your phone system. Stay in scope of nothing.

For businesses that take card payment over the phone — and want to do so without dragging their phone vendor into PCI scope.

Request a compliance briefing, or call 866-304-4300

Founded 2001

Triton Cloud PBX

  • 99.999% uptime SLA
  • DID in 150+ countries
  • Since 2001, Northeast roots
  • 3 offices: Worcester · Dublin · BVI
  • B2B only, no residential

What the regulation requires

  • Cardholder data must not be stored unencrypted, including in voice recordings
  • Card data captured by phone must be protected, segmented, or descoped
  • Agents handling card data require PCI training
  • Audit logs of card data access required

How Triton Cloud PBX meets each requirement

  • Pause/resume recording during card capture (manual or automated)
  • DTMF masking — keypad tones during payment do not appear in recordings
  • Routing of payment calls to PCI-certified IVR or pay-by-link partners (descoping)
  • Per-call audit log of pause/resume events
  • Configurable recording rules at the call-flow level

Attestations + documents available

  • Pause/resume recording and DTMF masking configuration documentation
  • Sub-processor list (we are not a PCI-certified service provider but we facilitate descoping)

What we will NOT claim

We are not a PCI-certified service provider. We provide tools to keep card data out of the phone system entirely — most commonly by routing payment calls to a PCI-certified IVR partner, or by using pay-by-link sent via SMS during the call. Your QSA makes the final determination on your overall PCI posture.

Frequently asked

Questions we get asked the most

Are you PCI DSS compliant?

We are not a PCI-certified service provider. We provide tools (pause/resume recording, DTMF masking) and integration patterns (route to PCI-certified IVR) that help our customers stay descoped.

Can we take card payments through your IVR directly?

No. We integrate with PCI-certified IVR partners; the cardholder enters their PAN into the partner system, not ours. The partner returns a token or completion code.

Does pause/resume recording really keep us out of scope?

Not by itself. It helps, but the QSA may still consider the phone system in scope if card data has any path through it. Routing to a PCI partner is the cleanest descoping.

Do you mask DTMF in recordings?

Yes. When DTMF masking is enabled, keypad tones during recording are replaced with a uniform tone — preventing card-number reconstruction from the audio.

Who is liable if card data leaks through the phone system?

Liability depends on your specific contracts and QSA findings. We are clear in our service terms that we are not a PCI service provider; we provide the tools to reduce or eliminate scope.

Need this in writing for your audit?

Tell us your auditor's requirements. We will provide documentation under NDA.
