Payment Card Industry Programmable Voice workflows
Learn how to configure Payment Card Industry (PCI) compliant workflows in Twilio Programmable Voice to securely handle and redact sensitive payment card details. You can use this guide to implement self-service automation, build inbound contact centers, and build outbound contact centers.
See Related reference documentation to learn more about the TwiML elements used in this guide.
Customers are required to enable PCI Mode in their Twilio Voice settings per account for Programmable Voice workflows subject to PCI. Enable PCI Mode from the Voice general settings page in Twilio Console or the legacy Console. Enabling PCI Mode on your Account redacts sensitive payment details captured using Twilio Programmable Voice and <Pay>.
If you enable recording as part of your PCI Mode voice workflows, any PCI Voice Recordings captured in that account will be retained for one (1) year from creation by default. If you want to retain Voice Recordings longer than one (1) year, you must download them using the API or Console before the one-year retention period expires. Voice Recordings will be deleted automatically and permanently on the one-year anniversary of creation. Voice Recordings that are deleted using the REST API are permanently deleted and cannot be recovered.
To transcribe Voice Recordings, customers must use the Voice <Transcription> noun. Native and Marketplace transcriptions are not available when PCI Mode is enabled, and as a result Twilio will not transcribe the Voice Recordings.
Once PCI Mode is enabled, it cannot be disabled for that Account. See Twilio's Responsibility Matrix and Programmable Voice Documentation to learn more about your obligations when using Programmable Voice in a PCI workflow.
Conversation Relay supports PCI-compliant Voice workflows when configured with PCI-compliant TTS and transcription providers. Not all TTS providers and transcription providers available for Conversation Relay are guaranteed to be PCI compliant. Refer to Twilio's Responsibility Matrix for further information. Conversation Intelligence (classic) is not PCI compliant and must not be enabled in Conversation Relay workflows that are subject to PCI. If PCI Mode is enabled for your account, Conversation Relay transcripts will be rejected by Conversation Intelligence (classic).
This guide covers a feature that can support the following use cases:
- Self-service automation: You can use the feature in this guide to build more secure payment lines where customers can input credit card numbers using their telephone keypads. To learn more advanced features that you can use with self-service automation, see Voice self-service automation.
- Inbound contact center: You can use the feature in this guide to help protect cardholder information when live support agents accept payments over incoming phone calls. To learn more advanced features that you can use with inbound contact centers, see Voice inbound contact center.
- Outbound contact center: You can use the feature in this guide to help comply with data safety rules during proactive outbound collection campaigns or account renewals. To learn more advanced features that you can use with outbound contact centers, see Voice outbound contact center.
Explore the following guides to build on what you've learned in this guide:
- How to capture your first payment using <Pay>: Collect credit card records during calls using the TwiML <Pay> noun to securely process transactions.