IntraNext Systems

391 Inverness Parkway, Suite 111 Englewood, CO 80112 Phone: 303.799.0771 Toll Free: 888.638.6398

PCI Compliance for Your IVR Could be Easier than You Think

February 21, 2019

The PCI Council recently released guidance on protecting telephone-based payments, and lightly touched on the concerns around protecting “unattended transactions”.

Unattended transactions are defined as transactions that happen without an agent’s involvement. Typically unattended transactions are handled by Interactive Voice Response systems (IVR), and the IVR continues to be a front line system for a variety of reasons:

  • Cost savings associated with staffing fewer agents
  • Ability to handle large payment volume 24x7x365
  • Consumer preference for self-care technology options

All of these are valid reasons for companies that handle credit card payments to offer an IVR; however, one area that is often overlooked is the number of networked systems that have access to the IVR. That brings us to the topic at hand: can you descope an IVR?

Like any environment that handles credit card data, premise-based IVRs must meet the PCI DSS requirements, since the customer’s Primary Account Number (PAN) and Sensitive Authentication Data (SAD) pass through the system. An inconvenient byproduct is that this can force connected applications and systems to fall under the same requirements, especially systems on the same network as the IVR.

But what if your premise-based IVR and the adjunct internal systems attached to it could be completely removed from PCI scope? Your QSA’s workload would be slashed, reducing the financial liability of the PCI assessment. Your CISO and CFO would approve. Anytime you can reduce the number of systems that customers’ sensitive data traverses, you’re a step ahead in the ever-evolving world of data security. Sound complicated? It’s really not.

IntraNext’s patented VoIP security application, SmartSIP™, can be integrated in front of your existing IVR, where customer-entered digits are extracted before they reach the IVR. The native values are replaced with semaphores (substitute values that meet MOD-10/Luhn validation) to satisfy the IVR collection and validation process. At the point when the IVR script would normally send the payment (or tokenization) transaction to the appropriate system, it is modified to send the transaction to the SmartSIP server instead. SmartSIP replaces the semaphore with the customer’s captured information, and then initiates the transaction on behalf of the IVR. Processor responses are passed back to the IVR and the call flow continues as designed. Since the PAN/SAD was captured and temporarily retained in SmartSIP’s encrypted server memory, the IVR and all downstream/connected systems are removed from PCI scope. The only elements that are in-scope are the Session Border Controller and the SmartSIP server.
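The substitution described above, sketched as an added example (this is not IntraNext's code or SmartSIP's implementation): a Luhn-valid stand-in is handed to the IVR while the real PAN stays in an in-memory map, then is swapped back when the transaction is sent. The names `SurrogateVault`, `substitute` and `redeem`, the random-digit surrogate format and the single-use redemption are assumptions made for illustration.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """MOD-10 check: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_check_digit(body: str) -> str:
    """Return the one trailing digit that makes body + digit pass MOD-10."""
    return next(c for c in "0123456789" if luhn_valid(body + c))

class SurrogateVault:
    """Hypothetical stand-in for the component placed in front of the IVR."""

    def __init__(self):
        self._real_by_surrogate = {}  # memory only, never written to disk

    def substitute(self, pan: str) -> str:
        """Keep the real PAN here and return a Luhn-valid stand-in for the IVR."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("entry is not a Luhn-valid PAN")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            surrogate = body + luhn_check_digit(body)
            if surrogate != pan and surrogate not in self._real_by_surrogate:
                break
        self._real_by_surrogate[surrogate] = pan
        return surrogate

    def redeem(self, surrogate: str) -> str:
        """Swap back once, when the transaction is sent; unknown values raise KeyError."""
        return self._real_by_surrogate.pop(surrogate)

def demo():
    vault = SurrogateVault()
    pan = "4111111111111111"  # constructed sample: a widely used test card number
    surrogate = vault.substitute(pan)  # this is all the IVR ever sees
    ivr_accepts = luhn_valid(surrogate)  # the IVR's own MOD-10 validation
    return pan, surrogate, ivr_accepts, vault.redeem(surrogate)

if __name__ == "__main__":
    print(demo())
```

Because the surrogate is drawn at random, the value the IVR stores or logs has no mathematical relation to the PAN; the mapping exists only in the vault's memory until it is redeemed.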

The high-level flow looks like this:     

When SmartSIP is deployed, the IVR and any adjunct systems can be removed from PCI scope, shrinking the card data environment to the smallest possible footprint. Sophisticated technology, but not a complicated process or deployment.

Contact Victoria Becker at 720-873-6559 to schedule a demo or request additional information.

SmartSIP™ is a trademark of IntraNext Software, Inc. DBA IntraNext Systems and incorporates US Patent No. 9,881,178, issued January 30, 2018.