PCI DSS solution for card payment by phone and call recording

CardEasy enables you to de-scope your call centre environment and call recordings from PCI DSS, reducing the risk and costs associated with managing card payment transactions in your contact centre, as well as improving customer trust and average call handling times.

Watch our demo to see how CardEasy works.

How does CardEasy work?

  1. A caller wishes to pay by card over the phone
  2. The contact centre agent initiates a request for card authorisation in mid-conversation with the caller
  3. The caller is prompted to enter their card number via their telephone keypad
  4. The audio from the agent to the caller remains open throughout
  5. Audio from the caller to the agent is cut briefly while the middle six digits of the long card number (PAN) and the CV2 are entered, so that neither the agent nor the call recording can be exposed to the card number by hearing either the DTMF tones or the caller reading out the numbers
  6. The complete call can be recorded but the sensitive DTMF tones are masked from the recording as well
  7. The agent is alerted via their screen when payment has been authorised.

Taking payment using CardEasy

What’s special about CardEasy?

CardEasy enables you to comply fully with PCI DSS as follows:

  • Your agents will not be exposed to callers’ sensitive card numbers
  • Card numbers will not be stored in your call recordings or captured in screen recordings
  • As the sensitive card numbers do not enter your contact centre or network, this de-scopes this environment almost completely from PCI DSS regulations and audit requirements
  • Your agents can talk to the caller throughout to control the call and transaction. CardEasy automatically blocks the audio in the direction of the agent just during capture of the ‘middle six’ digits of the PAN and also the CV2 to prevent your agents and call recording system from overhearing or capturing these sensitive details, even if the customer reads them out whilst entering them using their telephone keypad.

  • CardEasy also offers you a customer self-service autopay option (IVR) for when no agent assistance is required, such as balances payable.

Note that ‘pause and resume’ solutions for call recording – which cut the call recording at the point at which the agent asks for the card details – will still leave the agent exposed to them. This means that the contact centre environment and agents are still ‘in scope’ for PCI DSS regulations and open to the risk of fraud, exacerbated because the critical part of the call is not recorded. Such systems do not therefore offer full PCI DSS protection/de-scoping and can expose your contact centre to ongoing security risks.

Hosted or premise-based?

The system is available in either Syntec network-hosted or hybrid premise-based (CPE) versions, supporting SIP, ISDN or any mix of the two. If you have SIP-based telephony you may opt for a fully cloud-based variant which removes the need for any premise-based equipment. All versions use the CardEasy cloud for their PSP connections and the hybrid and cloud options work with your existing telephony provider.

In the case of a hybrid CPE-based solution, CardEasy hardware is located on the customer’s premises, installed between the ISDN30e/SIP lines and the telephone system. All inbound and outbound calls are routed via the CardEasy hardware, which supports ISDN30e/SIP lines from any network provider. The CardEasy hardware captures the PAN and CV2 entered by the customer using their telephone keypad, with the agent remaining in conversation with the customer throughout. This data is then conveyed to the CardEasy core network over a secure link. Further hardware at Syntec collates this information and forwards it to the PSP for processing, returning the result to the agent (and back office systems if required) in real-time.

In all cases CardEasy is offered as a fully managed service and offers you full PCI DSS de-scoping. If you use the hybrid premise-based solution then you will be responsible only for the physical security of the appliance.

Cost-effective compliance

Using CardEasy saves you time and money by taking your call centre operations out of scope of PCI DSS controls, whilst removing the need for time-consuming oversight and PCI audits. Set-up costs are low and ongoing managed service costs are ‘per agent’ or ‘per channel’ depending on your organisation’s requirements, so can be linked directly with your channel/agent utilisation.

What our customers say

“CardEasy ‘keypad payment by phone’ was the perfect fit to resolve the PCI compliance and data security needs in Staples’ major call centres in Europe. This was because of its ease of use mid-call, the breadth of PCI DSS issues it resolves in one go, the flexibility of integration with all our differing systems and the ability for them to meet our tokenisation requirements.”

We wanted to further enhance data security in our call centre and decided to use Syntec’s secure phone keypad payment (DTMF), as it’s important to our customers that our payment solution is safe and easy to use.

CardEasy works just as effectively for callers in the USA, Germany and Australia as in the UK.

The CardEasy solution easily de-scopes us from PCI DSS compliance and mitigates the risk of any internal fraud. The platform is scalable and easy to use…along with the confidence we have in Syntec who have been instrumental in a smooth implementation, guiding us and offering insight.

We have been impressed by the flexibility, ease of integration and support of the CardEasy system, as well as its PCI DSS security to protect in-house operations and our outsourced service providers in the USA and EMEA.

Miele selected Syntec’s pioneering, hosted CardEasy system to enrich customer service whilst de-scoping us from large sections of PCI DSS regulations, which otherwise require significant cost and effort to satisfy.


What makes Syntec’s CardEasy payment service stand out is that to customers it is so much more secure.


Benefits of CardEasy

  • Customers enter their credit card number and 3-digit security code mid-call with the agent, using their phone keypad (DTMF touchtones).
  • Your agents, whether in your contact centre, working from home or in an outsourcer, cannot see or hear the card information and it is not stored in the call recording.
  • Tokenisation, card scheme surcharging and BIN look-up are all supported.
  • Works either as a network-hosted solution or a hybrid, premise-based system or in the cloud, depending on how your call traffic is managed.
  • Customer self-service autopay version (IVR) also lets you take secure payments out of hours or without the need for an agent.
  • Partnered with all major payment gateways/service providers and can easily be integrated with your back office and CRM systems.
  • Speech recognition module available (in different languages) as well as SMS and secure webchat and email payment and bank debit options.

What our partners say

Worldpay is a recognised leader in security and risk. Our joint proposition with Syntec offers a secure transaction service while removing the need for call centres to have onerous annual PCI audits.

Realex is delighted to be partnering with Syntec’s CardEasy ‘keypad payment by phone’ technology, which is fully integrated with the Realex payment gateway. This enables our customers to de-scope call centres, outsourcers and home-workers from PCI-DSS regulations and audits, whilst providing seamless and secure MOTO transactions.

Find out more about our integrated Payment Gateway partners.