How To Set Up IVR Payment Without Storing Credit Card Data


Interactive Voice Response (IVR) payments allow customers to handle purchases and pay bills by interacting with an automated system.

This means your customers no longer have to go through the awkward moment of reading their card details out loud to a service agent. Your employees, in turn, are freed up for more pressing work, and you get a healthier work environment and, in most cases, happier customers.

It also means the IVR collects, and in some designs stores, card details, which makes it a target for attackers. Consequently, there is a maze of compliance requirements to satisfy before a payment IVR can go live.

Sure, it requires some extra work, but in the end, it can be well worth it—both for you and your customers.

[Figure: IVR call flow from greeting to a support specialist, graphic from Nextiva]

Why Customers Love an IVR Payment Option

Think of IVR as an auto-attendant on steroids. Where a plain auto-attendant only routes calls or plays recorded messages, an IVR is wired into back-end databases and applications.

As such, IVRs can answer questions, record customer behavior and, of course, take payments, which is why nearly every VoIP service provider offers one.

IVRs also come with numerous benefits on the business side of things, like lowering customer service costs and employee turnover rates. But customers love this system as well, especially when it comes to payments.

Here’s why:

  • Self-service payments: Customers complete the payment with the IVR alone, so they never have to share card details with a live agent. That makes the transaction more comfortable for them.
  • Convenience: Customers can pay 24/7/365 without waiting on hold for an agent or being limited to customer service hours.
  • Fewer errors: Because the customer keys the details in directly, the clerical errors that come with an agent typing what they hear are largely eliminated.
  • Security: Any system that handles card payments, an IVR included, has to meet PCI DSS (Payment Card Industry Data Security Standard). A provider that has been assessed against it has had to demonstrate to an assessor that cardholder data is protected, not merely assert it.
  • Accessibility: IVR payment systems can offer multilingual menus, which cut down on miscommunication and help serve an international customer base.

IVR payment systems can be agent-assisted or self-service. In an agent-assisted system the customer stays on the line with a service agent who guides them through the transaction, but the card details themselves are entered on the phone keypad, and the DTMF tones are masked (or the card-entry leg is handed to a separate system) so the agent never hears or sees them.

The agent only sees whether the transaction was approved or declined, plus the authorization code. In a self-service system, the customer interacts with the IVR directly and no agent is involved at all.
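As an added example (not code from the article or from any IVR vendor), here is the shape of that agent-assisted leg in Python. `StubProcessor` stands in for the outsourced payment provider and its approval rules are invented for the example; `take_payment` is the boundary across which only the outcome, authorization code, provider token, last four digits and brand may pass, which is exactly what the agent console gets to display.

```python
"""Agent-assisted IVR payment leg: what the agent and your systems get to keep.

Added example, not code from the original article or any IVR vendor.
`StubProcessor` is a constructed stand-in for the outsourced payment provider;
in a real deployment the PAN and CVV are captured inside the provider's
environment and never reach your code at all.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the first sanity check applied to a keyed-in card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Rough brand lookup from the leading digits, enough for an agent console."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    return "Other"


@dataclass(frozen=True)
class AgentView:
    """The only fields allowed to leave the payment leg (agent screen, CRM, logs)."""
    approved: bool
    auth_code: Optional[str]   # issuer authorization code; useless for a new charge
    token: Optional[str]       # provider token for refunds or repeat billing
    last4: str
    brand: str


class StubProcessor:
    """Constructed stand-in for the provider. Rules are invented for the example:
    reject malformed or Luhn-invalid input, decline amounts over $1,000, approve the rest."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN; lives in the provider's PCI scope

    def authorize(self, pan: str, expiry_mmyy: str, cvv: str, amount_cents: int) -> dict:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            return {"approved": False, "reason": "invalid_pan"}
        if not (expiry_mmyy.isdigit() and len(expiry_mmyy) == 4 and 1 <= int(expiry_mmyy[:2]) <= 12):
            return {"approved": False, "reason": "invalid_expiry"}
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            return {"approved": False, "reason": "invalid_cvv"}
        if amount_cents > 100_000:
            return {"approved": False, "reason": "declined"}
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan        # the CVV is deliberately never stored, even here
        return {"approved": True, "auth_code": secrets.token_hex(3).upper(), "token": token}


def take_payment(processor: StubProcessor, dtmf_pan: str, dtmf_expiry: str,
                 dtmf_cvv: str, amount_cents: int) -> AgentView:
    """Run the masked DTMF leg. Card data exists only inside this call frame:
    the caller gets an AgentView, and nothing here logs or persists the inputs."""
    pan = "".join(ch for ch in dtmf_pan if ch.isdigit())   # drop '#' terminator and spaces
    result = processor.authorize(pan, dtmf_expiry, dtmf_cvv, amount_cents)
    return AgentView(
        approved=result["approved"],
        auth_code=result.get("auth_code"),
        token=result.get("token"),
        last4=pan[-4:] if len(pan) >= 4 else "",
        brand=card_brand(pan),
    )


def console_line(view: AgentView) -> str:
    """What the agent's screen shows: outcome, auth code and a masked card."""
    status = "APPROVED auth " + view.auth_code if view.approved else "DECLINED"
    return f"{status} card ****{view.last4} ({view.brand})"


if __name__ == "__main__":
    proc = StubProcessor()
    print(console_line(take_payment(proc, "4111 1111 1111 1111#", "1230", "123", 4_999)))
```

The point of the shape is that `AgentView` is the only type the rest of your code ever handles; if a field for the full number or the security code is ever added to it, your CRM, ticketing system and logs all re-enter PCI DSS scope.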

Compliance Challenges with IVR Payments

As mentioned, taking card payments through an IVR puts that system inside PCI DSS scope, and demonstrating compliance is a rigorous process.

PCI DSS is a set of technical and operational requirements maintained by the PCI Security Standards Council, which the major card brands (Visa, Mastercard, American Express, Discover and JCB) founded, and the brands enforce it through their contracts with acquiring banks. Any business that stores, processes or transmits card data has to comply with it.

The standard is organized into 12 requirements:

  • Install and maintain network security controls: Firewalls (and their cloud and host-based equivalents) restrict traffic into and out of the cardholder data environment and are the first line of defense.
  • Don't use vendor-supplied defaults for passwords and other parameters: Default credentials and default configurations are the first thing an attacker tries, so they must be changed before a system goes live.
  • Protect stored cardholder data: Set storage and retention policies so the card number (PAN) is kept only as long as there is a business need and purged on a schedule; render it unreadable wherever it is kept (truncated, tokenized or strongly encrypted); and never store sensitive authentication data such as the CVV/CVC, full magnetic-stripe data or PIN after authorization, even encrypted.
  • Encrypt cardholder data in transit over open, public networks: Anything crossing the internet, wireless links (Wi-Fi, Bluetooth), cellular or satellite links, or VoIP must be protected with strong cryptography, in practice current TLS with weak protocol versions and cipher suites disabled.
  • Protect all systems against malware: Anti-malware software is mandatory and must be kept current on every system that handles cardholder data.
  • Develop and maintain secure systems and software: Apply vendor patches promptly and build in-house applications to secure-coding practices, with vulnerabilities found and fixed before release.
  • Test security systems and processes regularly: Vulnerability scans, penetration tests and checks that existing controls still work, on a schedule and after significant changes.
  • Maintain a security policy: Develop and keep current a policy that includes a documented risk-assessment process, technology usage rules, an incident response plan, a formal awareness program, and defined security responsibilities for all personnel.
  • Log and monitor all access to cardholder data and network resources: Use logging to tie every access to an individual, review the logs, and retain audit history for at least 12 months with the most recent three months immediately available for analysis.
  • Restrict physical access to cardholder data: Physical access to cardholder data, and to the systems that handle it, must be restricted so that data cannot be read, copied or tampered with.
  • Restrict access to cardholder data to a need-to-know basis: Give authorized employees only the cardholder data their role requires, nothing more.
  • Identify users and authenticate access to system components: Give each person a unique user ID (not a shared account, and not an IP address) so that every action in the audit trail maps to an individual, and enforce strong authentication, including multi-factor authentication for access into the cardholder data environment.

Keep in mind that each of these is only a heading; beneath each sit specific sub-requirements, and the full checklist runs to well over 200 items.
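The requirements on protecting stored data and on logging collide in one place that is routinely overlooked: application logs and call transcripts that quietly capture a card number the caller read out, which turns the logging system itself into a store of cardholder data. The following Python is an added example, not anything from the article or a vendor. It scans constructed log lines for 13 to 19 digit runs and uses the Luhn checksum to tell a card number from a phone number, order id or timestamp of similar length before redacting it down to the last four digits; the 4111... and 3782... numbers are the public Visa and American Express test numbers, not real accounts.

```python
"""Find and redact card numbers that leaked into logs or call transcripts.

Added example, not code from the article or any vendor. The sample lines are
constructed; the card numbers are public test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes the way a
# caller reads a number out ("4111 1111 ..."), and not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, digits) for each Luhn-valid 13-19 digit run.
    The checksum is what separates a card number from a phone number,
    order id or timestamp of similar length."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact(text: str) -> str:
    """Replace each detected PAN with a marker that keeps only the last four digits."""
    out, pos = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[pos:start])
        out.append(f"[PAN ****{digits[-4:]}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample: one IVR call's worth of application log and transcript lines.
SAMPLE_LINES = [
    "2024-05-02 10:14:03 ivr call=8c1 caller=+1-555-010-4477 step=collect_card",
    "2024-05-02 10:14:21 transcript call=8c1 \"my card is 4111 1111 1111 1111 expiry twelve thirty\"",
    "2024-05-02 10:14:22 ivr call=8c1 order=1234567890123456 status=pending",
    "2024-05-02 10:14:30 ivr call=8c1 result=approved auth=A1B2C3 token=tok_9f3c",
]


def scan(lines):
    """Return (line_no, redacted_line) for every line that carried a PAN,
    i.e. the lines that put the logging system inside PCI DSS scope."""
    return [(i, redact(line)) for i, line in enumerate(lines) if find_pans(line)]


if __name__ == "__main__":
    for line_no, cleaned in scan(SAMPLE_LINES):
        print(f"line {line_no}: {cleaned}")
```

Run it over the real log and transcript stores after the integration goes live and again after every IVR script change; a single hit means the payment leg is not as isolated as the architecture diagram claims. Redaction is a cleanup, not a control: the fix is to stop the digits reaching the log in the first place.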

Yes, that sounds daunting, but if your IVR payment system is not compliant the card brands can impose fines, commonly cited at anywhere from $5,000 to $50,000 per month, which are charged to your acquiring bank and passed straight on to you, and they can ultimately revoke your ability to accept cards at all.

Beyond fines, a breach brings reputational damage and customer lawsuits. Take the 2018 British Airways breach, for example, which drew a £20 million fine from the UK Information Commissioner's Office and a group legal action by affected customers.

Now, all of that being said, if you don't want the hassle of handling card data yourself but still want to offer IVR payments to your customers, you can outsource the payment leg.

Outsourcing IVR Payments to Decrease Compliance Headaches

Given the hurdles of PCI DSS compliance, a number of vendors now take on that burden for you as a service, just as you might hire someone else to do your company taxes.

Such IVR payment providers already have the requirements in hand; think of them as the IVR equivalent of Point-of-Sale (POS) providers. You integrate your existing IVR or call center software with their system, and when a caller reaches the payment step the call (or just the card-entry leg) is transferred into the provider's environment, where the card details are captured, with control returning to you once there is a result.

Because the card details never touch your own systems, they drop out of your PCI DSS scope. That reduces your obligations rather than removing them: you still typically complete the short self-assessment questionnaire for merchants who fully outsource card handling (SAQ A), keep a list of the service providers you depend on and confirm their compliance status at least annually (PCI DSS Requirement 12.8), and make sure nothing on your side, such as call recordings, transcripts or application logs, captures card details as they pass through. IVR payment services are usually offered by companies that also provide pay-by-link, web payment and payment gateway products.

That said, there are some things to keep in mind when you’re in the market for an outsourced IVR payment provider.

Things to Consider When Choosing an IVR Payment System

PCI DSS Level 1 validation

PCI DSS splits merchants into four levels by annual card-transaction volume; the exact thresholds are set by each card brand, and Visa's are the ones usually quoted.

For instance, Level 4 covers merchants processing fewer than 20,000 e-commerce transactions per year, while Level 1 covers those processing more than 6 million. How compliance must be validated varies by level, from a self-assessment questionnaire at the lower levels to a full on-site assessment at Level 1.

Service providers such as an IVR payment vendor are classified separately (Visa places those handling more than 300,000 transactions a year at Level 1), but the principle is the same: Level 1 carries the strictest validation requirements, which is why you should prioritize providers validated at that level.

Level 1 validation means an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC) and an Attestation of Compliance (AOC) (Level 1 merchants, unlike service providers, may instead use a trained Internal Security Assessor); quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); and penetration testing at least annually and after significant changes. Ask a prospective provider for its current AOC rather than taking a "PCI certified" badge on its website at face value, check that the AOC is dated within the last twelve months and that its scope actually covers the IVR payment service you will be using, and look the provider up on Visa's Global Registry of Service Providers.

Also look for other compliance attestations relevant to your industry and payment types: NACHA rules if the provider will take US ACH (bank-to-bank) payments, and HIPAA if the calls involve patient data.

System integrations and scalability

Keep an eye out for IVR payment solutions that integrate with your existing software, such as accounting, ecommerce, CRM and VoIP systems.

That way the rollout doesn't disrupt operations on either side of the cutover. Some providers also offer custom integrations through APIs, which is excellent for scalability; check that what comes back through that API is only the provider token, the last four digits and the authorization result, never the full card number, or the integration pulls your systems straight back into PCI DSS scope.

Similarly, favor providers that let you add features later, such as call transcripts and omnichannel payments. If you enable transcription or call recording, make sure the payment leg is excluded (recording paused, or DTMF masked): a card number captured in a recording or transcript is stored cardholder data, and a security code captured there is data that PCI DSS forbids storing at all.


Customization options

Since IVR payments are all about keeping your customers happy, your provider should offer broad customization. Being able to tailor payment options and automated prompts is crucial to the customer experience.

Meanwhile, personalized welcome messages and invoice templates allow you to keep things on-brand. Some IVR payment solutions even facilitate drag-and-drop customization, so look for that if it’s something that would make your life easier.


Overall, outsourcing IVR payments can do wonders for your company. It frees customer service agents to handle more important issues, and your customers can pay quickly without worrying whether their data is at risk.

Most importantly, it spares you most of the migraines that come with PCI compliance, so consider giving it a shot. That said, do your due diligence and make sure the provider you choose meets the criteria above.
