PCI DSS Telephone Payment Scope Review

Inspection template for reviewing PCI DSS scope in telephone payment environments, including agents, desktops, headsets, call recordings, telephony systems, and data flows involved in spoken card payments.

Inspection Scope and Environment

  • Review scope documented for all telephone payment channels
    Confirm the inspection explicitly covers inbound, outbound, transferred, and callback payment calls where card data may be spoken.
  • Business units and locations included in scope identified
    List the departments, sites, queues, and remote work locations where agents handle spoken card payments.
  • Current payment flow diagram available and reviewed
    Verify a current data flow diagram exists showing where cardholder data enters, traverses, is paused, is recorded, or exits the environment.
  • PCI scope owner identified
    Record the person or role responsible for maintaining telephone payment scope and coordinating remediation.

Agent Workstations and User Access

  • Agent desktops used for payment calls are identified and inventoried
    Confirm each workstation used during payment calls is listed with asset ID, location, and assigned user group.
  • Payment-call workstations are restricted to authorized users
    Verify access to in-scope desktops is limited to approved agents and support personnel with a business need.
  • Screen lock and session timeout configured on agent devices
    Confirm workstations lock after inactivity and require re-authentication before access is restored.
  • No local storage of cardholder data on agent endpoints
    Verify agents are not storing card numbers, CVV, or related payment data in notes, files, screenshots, clipboard tools, or browser caches.

Telephony, Headsets, and Call Recording

  • Headsets and softphone endpoints used for payment calls identified
    Confirm the specific headsets, softphones, desk phones, and related endpoints used during card payment calls are documented.
  • Call recording captures are paused or masked during card entry
    Verify the recording solution prevents storage of spoken card data through pause/resume, masking, DTMF suppression, or equivalent approved control.
  • Recording retention and access controls documented
    Confirm retention periods, access permissions, and review controls for recordings that may contain cardholder data are documented and enforced.
  • Telephony network segmentation reviewed
    Verify the voice environment is segmented from out-of-scope networks where required, and that any shared services are documented together with their impact on the cardholder data flow.

Systems, Integrations, and Data Flows

  • All systems touching payment-call data identified
    List CRM, ticketing, IVR, payment gateway, recording, analytics, remote support, and workforce tools that may interact with card data or payment metadata.
  • Cardholder data flow path documented end to end
    Describe where card data originates, where it is spoken, whether it is transcribed, where it is transmitted, and where it is stored or discarded.
  • No unnecessary systems receive cardholder data
    Verify only approved systems are in the payment path and that logging, transcription, screen capture, and support tools do not receive card data unless explicitly required and controlled.
  • Third-party processors and service providers identified
    Record any external vendors, hosted services, or telecom providers that may be in PCI scope due to their role in the payment call flow.

Controls, Exceptions, and Closeout

  • Open deficiencies or non-conformances documented
    Record any gaps found during the review, including missing segmentation, uncontrolled recordings, or unidentified in-scope assets.
  • Remediation owner and due date assigned for each finding
    Confirm each deficiency has an accountable owner, target completion date, and follow-up plan.
  • Qualified Security Assessor consultation required if scope is unclear
    Confirm whether the organization will consult a Qualified Security Assessor or equivalent PCI specialist for ambiguous scope boundaries or control design questions.
  • Inspector sign-off completed
    Inspector confirms the review was completed based on observed evidence and available documentation.