PCI DSS SAQ D: how we protect payment card data

PCI DSS SAQ D is the most comprehensive level of PCI self-assessment. Here's what that means, and how we let you safely take payments through your AI voice agent.

Written By Catherine Weir


If your AI agent needs to take credit card payments over the phone — or if a customer is likely to read out a card number during a call for any reason — you need to make sure that card data is handled according to the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS compliance is not optional. It's required by every major card brand (Visa, Mastercard, American Express, Discover, JCB) for any organization that stores, processes, or transmits cardholder data. Failure to comply can lead to fines from your acquiring bank, termination of your merchant account, and — if a breach occurs — class-action lawsuits and brand-assessed penalties that can run into the millions.

Most SMB voice AI platforms avoid this problem by simply not letting you take payments through the AI at all. We took a different approach.

What PCI DSS actually is

PCI DSS is a set of 12 core requirements and hundreds of sub-requirements developed by the PCI Security Standards Council, a body formed jointly by the major card brands. It covers everything from network segmentation to password complexity to how long you're allowed to retain a card number.

The 12 top-level requirements cover:

  • Installing and maintaining firewalls

  • Using secure system configurations (no default passwords, etc.)

  • Protecting stored cardholder data with encryption

  • Encrypting cardholder data in transmission across public networks

  • Protecting against malware

  • Developing and maintaining secure systems and applications

  • Restricting access to cardholder data on a need-to-know basis

  • Identifying and authenticating access to system components

  • Restricting physical access to cardholder data

  • Logging and monitoring all access to network resources and cardholder data

  • Regularly testing security systems and processes

  • Maintaining an information security policy

The SAQ levels — and why SAQ D matters

Merchants and service providers demonstrate PCI compliance by completing a Self-Assessment Questionnaire (SAQ) — or, for the highest transaction volumes, a full on-site audit by a Qualified Security Assessor (QSA).

There are several SAQ types, each tailored to a different way of handling card data:

  • SAQ A — for merchants who completely outsource card data handling to a compliant third party

  • SAQ A-EP — for e-commerce merchants using a partially outsourced payment page

  • SAQ B / B-IP — for merchants using standalone payment terminals

  • SAQ C / C-VT — for merchants using isolated payment systems or virtual terminals

  • SAQ P2PE — for merchants using validated point-to-point encryption solutions

  • SAQ D — for all merchants and service providers not eligible for any of the simpler SAQs

SAQ D is the big one. It's the most comprehensive self-assessment, covering all 12 PCI DSS requirements in full, with more than 300 individual controls to evidence. It's the level required of any service provider that electronically stores, processes, or transmits cardholder data on behalf of its customers.

We are a PCI DSS SAQ D service provider. We chose this level because it's the only level that accurately reflects what a voice AI platform actually does — and because it gives our customers the ability to pass their own PCI audits by relying on our compliance.

How we handle card data during an AI voice call

  • DTMF masking — when a caller types a card number on their keypad, the tones are intercepted and masked before they reach our transcription engine or any long-term storage, so the digits never appear in a recording or transcript

  • Spoken-digit redaction — when a caller speaks a card number aloud, our real-time redaction layer identifies the card-number pattern and replaces it with a placeholder token in the transcript and any downstream systems

  • Tokenization — we tokenize card data at the earliest possible point in the call path, and the tokens are the only values that persist beyond the call

  • Network segmentation — the systems that touch cardholder data are isolated on a dedicated, audited network segment with restricted access

  • Key management — encryption keys are managed by a FIPS 140-2 certified key management service with quarterly key rotation

  • Logging — all access to cardholder data systems is logged to a write-once log store with a minimum 12-month retention
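The spoken-digit redaction step above is easy to get wrong in both directions: match too loosely and you redact order numbers and phone numbers; match too tightly and a card number read with pauses or as number words slips into the transcript. The following is an added example written for this article, not the platform's own redaction layer, and the page does not describe how that layer works. It assumes a transcript in which the ASR engine emits card digits either as numerals with optional spaces or dashes, or as number words ("four one one one ..."); the `[PAN_REDACTED]` placeholder, the word-to-digit mapping and the rule that only Luhn-valid candidates are redacted are assumptions of the example. It also returns a count of replacements so a caller can log that a PAN was redacted without ever logging the PAN.

```python
import re

# Spoken number words an ASR engine may emit instead of digits (constructed mapping,
# an assumption of this example; "oh" is a common rendering of zero).
_WORD_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
_WORD = "(?:" + "|".join(_WORD_DIGITS) + ")"

# A PAN is 13-19 digits (ISO/IEC 7812). The lookarounds stop the pattern from
# matching a 13-19 digit slice out of a longer digit run such as an account id.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# 13-19 spoken digit words separated by spaces, commas or dashes. The separator is
# required between words and not consumed after the last one, so surrounding
# whitespace in the transcript survives the replacement.
_WORD_RUN = re.compile(
    r"\b" + _WORD + r"(?:[ ,-]+" + _WORD + r"){12,18}\b", re.IGNORECASE
)

PLACEHOLDER = "[PAN_REDACTED]"  # assumed placeholder token


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) over a string of ASCII digits.

    Rejecting candidates that fail Luhn keeps 16-digit order or shipment numbers
    out of the redaction, at the cost of missing a mis-transcribed card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _words_to_digits(span: str) -> str:
    """Convert a run of spoken digit words matched by _WORD_RUN into digits."""
    return "".join(_WORD_DIGITS[w] for w in re.findall(r"[a-z]+", span.lower()))


def redact_pans(text: str) -> tuple[str, int]:
    """Replace Luhn-valid card numbers (numeric or spoken) with PLACEHOLDER.

    Returns the redacted text and the number of replacements made, so the caller
    can record that a PAN was redacted without the PAN itself reaching a log.
    """
    count = 0

    def replace(candidate_digits: str, original: str) -> str:
        nonlocal count
        if luhn_valid(candidate_digits):
            count += 1
            return PLACEHOLDER
        return original  # not a plausible PAN: leave the transcript untouched

    text = _DIGIT_RUN.sub(
        lambda m: replace(re.sub(r"[ -]", "", m.group(0)), m.group(0)), text
    )
    text = _WORD_RUN.sub(
        lambda m: replace(_words_to_digits(m.group(0)), m.group(0)), text
    )
    return text, count


if __name__ == "__main__":
    # Constructed transcript lines; 4111 1111 1111 1111 is a well-known test PAN.
    samples = [
        "my card is 4111 1111 1111 1111 expiry 12/26",
        "order 1234 5678 9012 3456 shipped yesterday",
        "four " + " ".join(["one"] * 15) + " please",
    ]
    for line in samples:
        redacted, n = redact_pans(line)
        print(f"{n} redacted: {redacted}")
```

The two regexes are deliberately bounded at 19 digits and guarded with lookarounds: a redaction layer that matches any digit substring would also mangle the 20-plus-digit reference numbers that appear in the same calls. Real ASR output also needs handling of forms like "double four" and digits split across speaker turns, which this example leaves out.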

What this means for you as a merchant

Because we're a PCI DSS SAQ D service provider, you can use your AI voice agent to take payments while substantially reducing your own PCI scope.

  • You can use SAQ A or SAQ A-EP instead of SAQ D for the calls that go through our platform, dramatically simplifying your own compliance

  • You get access to our Attestation of Compliance (AoC), which you submit with your own PCI self-assessment to demonstrate that the service provider portion of your compliance is handled

  • You avoid the extraordinary risk of taking plain-text card data over a phone line that you're recording for business purposes

  • You can offer phone-based payment collection to your customers in a way that genuinely works — rather than the common workaround of "please go to our website and pay there"

What you still have to do

  • Sign a service provider agreement that includes PCI-specific terms — we provide this during onboarding

  • Complete your own SAQ (usually SAQ A or SAQ A-EP) annually

  • Enable PCI mode in your AI agent's configuration — this turns on the DTMF masking and spoken-digit redaction features

  • Not instruct your AI agent to ask for card data except through the PCI-compliant flow

  • Restrict access to any call details (recordings, transcripts) to specifically authorized team members

Requesting our AoC

The Attestation of Compliance is a summary document signed by our Qualified Security Assessor that confirms our compliance with PCI DSS. We provide it under a mutual NDA.

Visit our Trust Center at trust.365agents.com and request the AoC. Most requests are fulfilled within one business day. If you're being asked for our full Report on Compliance (ROC) by your own auditor, we can arrange that as well — just note the request in the Trust Center ticket.