IVR (Interactive Voice Response)
What is an IVR phone system?
IVR (Interactive Voice Response) is an automated telephony system that lets callers interact with a call center using DTMF tones (keypad presses) or voice commands. In a payments context, an IVR serves as a collection channel in which the cardholder keys in their card details to complete a transaction instead of reading them out to an agent.
Any company whose call center accepts phone payments is operating a cardholder data environment and is subject to the same compliance requirements as a virtual POS or a physical payment terminal.

How an IVR system works
The operational flow of a payment IVR follows this sequence:
- Reception and menu. The system answers automatically, plays a voice menu and the user selects options using DTMF tones or voice recognition (ASR).
- Payment data capture. The IVR prompts for the card number (PAN), expiry date and card verification code. The digits are captured as DTMF tones, decoded by the IVR platform and transmitted to the processor over an encrypted channel.
- Authorization. The payment gateway sends the request to the issuing bank and the system plays the result to the user in real time.
- Closure or escalation. If the transaction fails, the call can be transferred to an agent with the non-sensitive context already attached (caller identity, order reference, failure reason); the card data itself must not be handed to the agent.
When an IVR captures card data as DTMF tones, those tones are a representation of the cardholder data (CHD) and are in scope for PCI DSS v4.0: they must be protected with strong encryption on every hop of the transmission (typically a point-to-point encryption arrangement between the IVR platform and the payment processor) and must not end up in call recordings, agent screens or application logs.
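The capture phase described above, as an added example that is not part of the original page: a small Python model of the DTMF capture state machine, showing the three places keypad digits can end up (the call recording, the authorization request to the gateway, the record the merchant retains) and what each is allowed to contain. The prompt script, the event format, the `#`/`*` conventions, the function names and the DTMF event stream are all assumptions made for this example; the card number is the well-known Visa test PAN, not real data.

```python
"""
Added example, not taken from the original page: a minimal model of the
payment-capture phase of a DTMF IVR. It shows the three places keypad digits
can end up (the call recording, the authorization request to the gateway, the
record the merchant keeps) and what each is allowed to contain. The prompt
script, the event format, the '#'/'*' conventions and the DTMF stream are
all assumptions made for this example; the card number is the well-known
Visa test PAN, not real data.
"""
from dataclasses import dataclass, field

# Prompts whose digits are cardholder data or sensitive authentication data.
SENSITIVE_PROMPTS = {"pan", "expiry", "cvv"}
SUPPRESSED = "DTMF-SUPPRESSED"   # placeholder written to the recording instead of the tone


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to reject mistyped PANs before anything is sent to the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form a merchant may keep or display: first six and last four digits."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class CaptureResult:
    recording_events: list = field(default_factory=list)  # what the call recorder may keep
    gateway_request: dict = field(default_factory=dict)   # sent to the processor over TLS (assumed)
    stored_record: dict = field(default_factory=dict)     # what the merchant retains after authorization
    errors: list = field(default_factory=list)


def run_capture(events, script):
    """
    events: DTMF events (t_seconds, symbol) in arrival order.
    script: ordered prompts (field_name, fixed_length); fixed_length None means
            the entry is terminated by '#'. '*' clears the current entry.
    """
    result = CaptureResult()
    collected = {}
    buf = ""
    idx = 0
    for t, sym in events:
        if idx >= len(script):
            result.errors.append(f"unexpected keypress after capture finished at t={t}")
            continue
        field_name, fixed_len = script[idx]
        # The recorder only ever sees non-sensitive keypresses; during card
        # prompts it gets a placeholder carrying no digit and no tone duration.
        result.recording_events.append((t, SUPPRESSED if field_name in SENSITIVE_PROMPTS else sym))
        if sym == "*":
            buf = ""
        elif sym == "#":
            if fixed_len is None:
                collected[field_name], buf, idx = buf, "", idx + 1
        else:
            buf += sym
            if fixed_len is not None and len(buf) == fixed_len:
                collected[field_name], buf, idx = buf, "", idx + 1

    if idx < len(script):
        result.errors.append("capture incomplete: caller hung up or timed out")
        return result
    pan = collected.get("pan", "")
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        result.errors.append("PAN failed length or Luhn check; re-prompt instead of authorizing")
        return result
    # Full card data exists only in the request to the gateway (Requirement 4: encrypted in transit).
    result.gateway_request = {"pan": pan, "expiry": collected["expiry"], "cvv": collected["cvv"]}
    # After authorization the merchant keeps a masked PAN and never the CVV (Requirement 3);
    # a real deployment would keep a gateway token in place of the PAN.
    result.stored_record = {"pan_masked": mask_pan(pan), "expiry": collected["expiry"],
                            "menu_choice": collected["menu"]}
    return result


# Constructed sample call: menu choice, a mistyped PAN cleared with '*', then the
# full PAN, expiry and CVV, each confirmed with '#'.
PAYMENT_SCRIPT = [("menu", 1), ("pan", None), ("expiry", None), ("cvv", None)]
SAMPLE_EVENTS = (
    [(1.2, "2"), (5.0, "4"), (5.3, "1"), (5.6, "*")]
    + [(6.0 + 0.3 * i, d) for i, d in enumerate("4111111111111111")] + [(11.0, "#")]
    + [(12.0 + 0.3 * i, d) for i, d in enumerate("1227")] + [(13.5, "#")]
    + [(14.0 + 0.3 * i, d) for i, d in enumerate("123")] + [(15.0, "#")]
)

if __name__ == "__main__":
    r = run_capture(SAMPLE_EVENTS, PAYMENT_SCRIPT)
    print("recording :", r.recording_events)
    print("to gateway:", r.gateway_request)
    print("retained  :", r.stored_record)
    print("errors    :", r.errors)
```

The point of the split is that suppression happens at the moment the tone arrives, keyed on which prompt is active, rather than by scrubbing a recording after the fact: once a PAN has been written to disk it is stored account data, and the recording platform is in scope. The same state tells the agent desktop to blank its DTMF display, which is what lets the call center be taken out of the CDE.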
Regulatory impact and applicable security
An IVR that processes payments falls within the scope of PCI DSS v4.0:
- Requirement 3 (stored account data): if calls are recorded, the card verification code (sensitive authentication data) must never be retained after authorization, and any PAN in the stored recording must be rendered unreadable. In practice the DTMF tones are suppressed or masked before the recording is written rather than scrubbed afterwards.
- Requirement 4 (transmission): strong cryptography must protect card data sent over open or public networks, including the link between the IVR platform and the payment gateway and any telephony hop that carries the tones.
- Requirement 8 (authentication): all access into the CDE, and all non-console administrative access to the IVR platform, must use multi-factor authentication (MFA) on individually assigned accounts.
| Regulation | Application to payment IVR |
|---|---|
| PCI DSS v4.0 | Encryption and masking of card data in recordings and transmissions |
| PSD2 / RDL 19/2018 | MOTO exemption from SCA, with mandatory traceability and operational security |
| GDPR | Consent and minimization of captured personal data |
Under European regulations, PSD2 (transposed in Spain by Royal Decree-Law 19/2018) requires strong customer authentication (SCA) for electronic payments. Telephone payments classified as MOTO (Mail Order / Telephone Order) are not subject to SCA (the so-called MOTO exemption), but this does not remove PCI DSS obligations, since card data is still captured, transmitted and possibly stored, nor GDPR requirements for the personal data collected on the call.
Operational advantages and disadvantages of IVR
Advantages:
- 24/7 payment channel. Customers can pay outside business hours, reducing abandonment in phone‑based businesses.
- Reduced PCI DSS scope. When the IVR captures the card data and suppresses the DTMF tones before they reach agent phones, desktops and the recording platform, agents never see or hear card data and the call center can be taken out of the cardholder data environment (CDE); the IVR platform itself and its path to the gateway remain in scope.
- Scalability. Handles volume spikes without hiring additional staff.
Disadvantages:
- User experience friction. Menu trees with more than three levels significantly reduce payment completion rates.
- Compliance cost. Maintaining a PCI‑compliant IVR requires audits, encrypted recordings and network segmentation.
- Impersonal perception. Lack of human interaction may reduce trust in high‑value transactions.