In today's rapidly evolving digital ecosystem, contact centers have become critical touchpoints for customer engagement, service, and payments. As more consumers begin to prefer digital channels, the expectation for secure, seamless payment experiences has never been higher.
However, while technologies and threats have advanced, many contact centers continue to rely on legacy payment security processes that are unfit for the modern threat landscape. While these practices were once "good enough," they now expose organizations to a dangerous mix of vulnerabilities, including cyberattacks, data breaches, regulatory non-compliance, and reputational damage.
In an era where trust and data protection are top priorities for consumers, the consequences of falling behind are existential. Businesses that overlook payment security not only put their customers at risk but also jeopardize their brand credibility, compliance posture, and bottom line.
It is no longer a question of if outdated methods will fail, but when. And when they do, the cost can be enormous.
Outdated Payment Methods
1. Pause-and-Resume Call Recording
What is it?
A method where the call recording is manually or automatically paused while a customer reads out their card number and resumes afterward.
Why is it a problem?
- Human Error
  - For manual pauses, there is a risk that the agent forgets to pause or resume at the right moment.
  - Even with automated triggers, misconfigurations or system glitches could accidentally capture sensitive data.
- Not a Full PCI Scope Reduction
  - Even if recordings are protected, agents still hear and see card data, so the contact center remains "in scope" for PCI DSS audits.
- Limited to Voice Channels
  - It does not address compliance risks in digital channels, such as chat, email, or social media.
- Residual Risk
  - Other artifacts (screen recordings, agent notes, log files) may still contain card data.
2. Unencrypted or Static Web Forms
What is it?
Web forms hosted on unsecured or outdated platforms where customers enter card details directly into a browser-based form.
Why is it a problem?
- Increased PCI DSS Scope
  - Any server that hosts the form or processes the submission is automatically within the scope of PCI DSS.
- Static (Non-Secure) Forms Store Data Locally
  - Static or poorly coded forms may temporarily store data in HTML, hidden fields, browser caches, or log files, which creates unnecessary copies of sensitive cardholder information that are hard to secure or delete.
- Risk of Injection and Skimming Attacks
  - Static forms are vulnerable to JavaScript injection attacks, where attackers can silently skim card data as it is entered.
- Data Exposure in Transit
  - Attackers can intercept cardholder data if a web form does not use encryption (HTTPS/TLS).
3. IVR Payments Without DTMF Masking
What is it?
Customers use their phone keypad to enter payment details in an IVR system, but the tones (DTMF signals) are not masked or are recorded and stored.
Why is it a problem?
- DTMF Tone Capture & Replay
  - Without DTMF masking, key tones can be:
    - Recorded (e.g., in call recordings)
    - Replayed or decoded back into card numbers by anyone with access
- Call Recording Vulnerabilities
  - Many IVR systems record calls by default for quality or training, and if masking is not in place, the full PAN and CVV may be captured, stored, and exposed in call archives.
- Insider Threats & Unauthorized Access
  - Technical staff with access to IVR systems, call recordings, or logs could extract card details. Even well-meaning staff may unintentionally expose data.
- Man-in-the-Middle Attacks
  - Attackers can intercept unmasked DTMF tones as they traverse telephony networks or VoIP systems and harvest data in real time.
4. Locally Installed Desktop Payment Software
What is it?
Agents process payments using software installed directly on desktop computers, often legacy applications tied to on-premise infrastructure.
Why is it a problem?
- Expanded PCI Scope
  - Every workstation running the software becomes part of the cardholder data environment.
- Local Data Storage & Residual Artifacts
  - Temporary files, logs, caches, or crash dumps may inadvertently store PANs or CVV data.
- Endpoint Security Weaknesses
  - Desktops are vulnerable to malware, keyloggers, and screen-scraping attacks.
- Patch & Version Management
  - Keeping every local installation up to date is challenging to scale, and unsupported or outdated software versions can introduce vulnerabilities that compromise PCI DSS compliance.
- Inconsistent Controls
  - Unlike centralized or cloud solutions, local installs can result in inconsistent security settings, like weak passwords, lack of encryption, and missing MFA.
- Audit & Monitoring Gaps
  - Logging and monitoring user activity is harder on distributed desktops.
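The residual artifacts called out in sections 1 and 4 (agent notes, log files, crash dumps) are where stray card data usually turns up, and a Luhn-validated digit-run scan is the standard way to hunt for it before an assessor does. The following is an added example, not code from the original post or from Eckoh; it runs over constructed sample lines (the card numbers are well-known test PANs, not real ones) and both reports and masks what it finds.

```python
import re

# Constructed sample artifacts of the kind the page warns about (not real data):
# an agent note, an application log line, a line with long non-card digit runs,
# and a clean line.
SAMPLE_ARTIFACTS = [
    "agent note: cust wants refund, card 4111 1111 1111 1111 exp 12/27 cvv 123",
    "2024-05-01T10:02:11Z payment.submit amount=42.00 pan=5555555555554444 status=ok",
    "order ref 1234567890123 shipped, tracking 9400111899223",
    "nothing sensitive here",
]

# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled 3- or 4-digit security code next to a cvv/cvc marker.
CVV_PATTERN = re.compile(r"\b(cvv2?|cvc)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from order refs and tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (separators stripped) found in one line."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask all but the last four PAN digits and blank any labelled CVV."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()    # leave non-card digit runs untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_CANDIDATE.sub(_mask, text)
    return CVV_PATTERN.sub(lambda m: m.group(1) + " ***", text)


def scan_artifacts(lines) -> dict:
    """Map each offending line to the PANs it leaks, for triage and cleanup."""
    return {ln: find_pans(ln) for ln in lines if find_pans(ln)}
```

Run `scan_artifacts` over exported notes or log shipments as a periodic control; every hit is evidence that the artifact store is in PCI DSS scope.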
5. Email or Faxed Card Details
What is it?
Customers submit their payment information by email or fax, particularly for B2B transactions or in industries such as travel or real estate.
Why is it a problem?
- Insecure Channels
  - Email is unencrypted, and attackers can intercept cardholder data in transit.
  - Cardholder data can be exposed through fax if it is left on shared machines, printed, or misdirected to the wrong number.
- Persistent Storage
  - Emails sit in inboxes, sent folders, archives, and backups, making them extremely hard to delete completely.
  - Faxes may be scanned, archived digitally, or stored physically.
- Expanded PCI DSS Scope
  - Any system that stores, transmits, or processes cardholder data is subject to PCI DSS. That means mail servers, fax servers, storage, and even backup systems must all meet PCI DSS controls, which is impractical and costly.
- Difficult to Control Access
  - Multiple employees, IT administrators, or third parties may have access to email or fax systems, increasing the risk of insider misuse or accidental exposure.
Next Steps: Modernize Your Payment Security Process
Outdated methods like pause-and-resume recording, static web forms, unmasked IVR payments, local desktop software, and email or fax were once considered sufficient. Today, they represent serious weak points that expose organizations to unnecessary PCI DSS scope, cybercrime, operational inefficiency, and reputational harm.
Legacy processes cannot keep pace with modern threats or customer expectations. Customers want frictionless, trustworthy payment experiences across every channel, and regulators demand that businesses demonstrate robust, verifiable security controls. Clinging to older practices does not just increase risk; it undermines competitiveness.
Forward-thinking organizations are removing card data from their environment entirely. By adopting secure, cloud-based payment solutions that descope sensitive data from the contact center, businesses can:
- Reduce PCI DSS scope and simplify compliance
- Strengthen protection against fraud and breaches
- Lower long-term costs tied to audits, remediation, and monitoring
- Deliver the seamless, secure experience that customers expect
Payment security is a deliberate differentiator. Organizations that replace outdated methods with modern, compliant solutions will not only safeguard their customers but also earn the trust that fuels lasting loyalty and growth.
Contact us to learn how Eckoh has helped organizations like yours descope from PCI DSS compliance across every customer engagement channel.