Secure Telephone Payments: How PCI DSS Level 1 Compliance Protects Your Members

When a member reads their card number aloud over the phone, that moment carries real risk, for them and for your organisation. The exposure is brief, but the consequences of a data breach are not.

Chord UK is an operational partner to membership bodies across the UK, supporting everything from renewals and new member acquisition to event bookings and accreditations. We handle a significant volume of telephone payments on behalf of our clients, and that responsibility has driven us to raise the bar on payment security. We partner with both UK and international membership bodies.

That’s why we have implemented PCI Telecom, a fully PCI DSS Level 1-compliant solution for secure telephone card payments. This upgrade strengthens our compliance posture, eliminates unnecessary exposure of card data, and provides greater protection for both our clients and their members.

Why traditional telephone payments create compliance risk

Telephone payments remain an important channel for many membership organisations. For members who prefer speaking to a person rather than navigating an online portal, it’s a valued touchpoint — and one that needs to be protected.

Under the traditional process, when a member made a payment over the phone:

• Card details were read aloud by the member
• Our team manually entered them into the payment system
• Call recordings were paused in line with compliance procedures

While safeguards were in place, this approach relied on manual intervention at every step. Pausing recordings requires human judgment. Handling card data, even briefly, introduces the potential for error. And increasing regulatory expectations mean that organisations must move beyond risk management to risk elimination.

The PCI DSS framework has always been clear: cardholder data should be protected at every point of its journey. Spoken card details represent an exposure point that more robust solutions can remove entirely.

What Level 1 PCI DSS compliance actually requires

PCI DSS – the Payment Card Industry Data Security Standard – is the global framework designed to protect cardholder data across all payment channels. It is maintained by the PCI Security Standards Council and applies to any organisation that stores, processes, or transmits card data.

There are four compliance levels, determined by transaction volume. Level 1 is the highest standard, requiring an annual on-site audit by a Qualified Security Assessor (QSA), quarterly network scans, and the most rigorous set of technical and operational controls.

By implementing a fully Level 1 PCI DSS-compliant telephone payment solution, we ensure:

• Card details are never exposed unnecessarily
• Sensitive data is protected to the highest industry standard
• Organisational and reputational risk is significantly reduced

For membership bodies, this provides genuine reassurance that payment security is being managed proactively.

How encrypted keypad entry eliminates card data exposure

The member experience remains straightforward. What changes is that everything is happening behind the scenes.

When a member makes a payment over the phone, the call proceeds as normal. At the payment stage, instead of reading their card details aloud, the member enters them directly via their telephone keypad. The information is encrypted at the point of entry before it reaches any system or person.

This means:

• Card details are never spoken aloud
• Details are never visible to our team
• There is no manual handling of card data
• There is no reliance on pausing call recordings
• No sensitive details are stored or exposed in the process

The result is a seamless experience for the member and a meaningfully stronger security position for the organisations we support.

The benefits for membership organisations

This upgrade delivers tangible, practical benefits across four key areas:

• Enhanced protection for members: Card details are encrypted immediately and handled securely at source, removing a significant exposure point from the payment journey.
• Reduced organisational risk: Eliminating spoken card data dramatically lowers exposure to data breaches or compliance failures. Fewer touchpoints mean fewer vulnerabilities.
• Stronger PCI DSS compliance: Regulatory expectations around telephone payments are tightening. Keypad-entry solutions are rapidly becoming best practice, and early adoption positions organisations ahead of the curve.
• Greater member confidence: Since introducing the service, we have already seen an increase in payments made over the telephone. Security and convenience done well reinforce each other.

Why now? The future of secure telephone payment compliance

Regulatory focus on telephone payment security is intensifying. The PCI DSS v4.0 framework, which became mandatory in March 2025, places increased emphasis on protecting cardholder data across all channels, including voice. Organisations that continue to accept spoken card details over the phone face growing scrutiny and compliance exposure.

Transitioning to encrypted, keypad-entry solutions is no longer a future consideration; it is the expected standard. By implementing PCI DSS with PCI Telecom now, we are ensuring our clients remain ahead of these changes rather than reacting to them under pressure.

Our ongoing commitment to data security

For membership bodies, trust is hard-earned and easily lost. Your members have shared their personal and financial information with you because they believe you will protect it. That belief deserves to be backed by the highest available standards.

Investing in a fully Level 1 PCI DSS-compliant telephone payment solution reflects our commitment to:

• Protecting member data at every touchpoint
• Supporting strong governance and regulatory compliance
• Reducing operational and reputational risk for our clients
• Maintaining the highest industry security standards

This is more than a system upgrade. It is a proactive step toward a more secure, compliant, and future-ready payment environment for the membership sector.

Frequently Asked Questions

What is PCI DSS and why does it matter for membership organisations?

PCI DSS ( the Payment Card Industry Data Security Standard) is a global framework that sets the rules for how organisations must handle cardholder data. Any organisation that takes card payments is subject to it, regardless of size or sector. For membership bodies, compliance matters because you are processing payments on behalf of members who trust you with their financial information. A breach or compliance failure doesn’t just carry financial penalties, it can cause lasting damage to the trust your members place in you.

What makes Level 1 PCI DSS compliance different from other levels?

PCI DSS has four compliance levels, determined primarily by annual transaction volume. Level 1 is the most rigorous, requiring an annual on-site audit conducted by a Qualified Security Assessor (QSA), quarterly network vulnerability scans, and adherence to the most comprehensive set of technical and operational controls. Organisations at this level are held to the highest possible standard of cardholder data protection, which is why choosing a Level 1 certified solution for telephone payments provides the strongest available assurance.

Will the new payment process feel different for members calling in?

For members, the experience is very similar to making a payment over the phone in any other context, such as buying cinema tickets or booking a hotel. The call proceeds as normal, and at the payment stage, the member is prompted to enter their card details using their telephone keypad rather than reading them aloud. Most members find this familiar and straightforward. Since introducing the service, we have already seen an increase in telephone payments, which suggests members are comfortable with the process.

Are telephone payments still relevant, or should membership organisations move everything online?

Telephone payments remain an important channel for many membership organisations, and for good reason. Some members, particularly those who are less comfortable with online portals or who have a query they want to discuss while paying, strongly prefer speaking to a person. Removing the telephone option risks alienating a segment of your membership. The better approach is to make telephone payments as secure as digital ones, which is precisely what a Level 1 PCI DSS-compliant keypad-entry solution achieves.

How does this change affect Chord UK’s clients? Do they need to do anything?

No action is required from our clients. The transition to PCI Telecom has been managed entirely by Chord UK, and the upgrade operates seamlessly within our existing service. Clients benefit from the enhanced security and compliance posture without any changes to how they work with us. If you have specific questions about how this applies to your organisation or your members’ payment journey, our team is happy to walk you through it.