1. Overview

ProtoVoice is committed to protecting payment card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). While ProtoVoice does not directly store, process, or transmit cardholder data, we partner with PCI DSS Level 1 certified payment processors to ensure all payment transactions meet the highest security standards.

2. What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the PCI Security Standards Council, founded by major card brands including Visa, Mastercard, American Express, Discover, and JCB. PCI DSS applies to all entities that store, process, or transmit cardholder data and aims to protect cardholders from fraud and data breaches.

3. Our Approach to Payment Security

ProtoVoice uses a tokenization-based approach where payment card numbers never touch our servers. When customers make payments through our platform, card data is sent directly to our PCI-compliant payment processor (Stripe), which returns a secure token. We store only these tokens, which cannot be used outside our specific integration and pose no risk if exposed.

4. Payment Processor Compliance

  • Stripe: Our primary payment processor, certified as a PCI DSS Level 1 Service Provider—the highest level of certification.
  • Tokenization: All card data is tokenized at the point of entry, never stored on ProtoVoice systems.
  • Encryption: All payment communications use TLS 1.2 or higher encryption.
  • Regular Audits: Our payment partners undergo annual PCI DSS assessments by Qualified Security Assessors (QSAs).

5. Voice-Based Payment Collection

  • DTMF Masking: When callers enter card numbers via phone keypad, the tones are masked and not recorded.
  • Secure Handoff: Payment collection is handed off to PCI-compliant systems, not processed by AI agents.
  • No Storage: Card numbers spoken during calls are not transcribed or stored.
  • Call Recording Pause: For customers with payment collection enabled, call recording automatically pauses during payment entry.
  • Agent Training: Our AI agents are designed to never repeat back full card numbers.

6. PCI DSS Requirements We Address

  • Requirement 1: Install and maintain network security controls—Our infrastructure uses firewalls, segmentation, and WAF protection.
  • Requirement 3: Protect stored account data—We use tokenization and never store actual card data.
  • Requirement 4: Protect cardholder data with strong cryptography during transmission—All data in transit uses TLS 1.3.
  • Requirement 7: Restrict access to system components and cardholder data—Role-based access controls limit who can access payment systems.
  • Requirement 9: Restrict physical access to cardholder data—Our cloud infrastructure providers maintain physical security certifications.
  • Requirement 12: Support information security with organizational policies—We maintain documented security policies and procedures.

7. Scope Reduction

By using tokenization and directing all payment data to PCI-compliant third parties, ProtoVoice significantly reduces PCI DSS scope. This approach means that our systems are not in-scope for most PCI DSS requirements because cardholder data never enters our environment. Customers benefit from simplified compliance and reduced risk.

8. Customer Responsibilities

  • If you use ProtoVoice to collect payments, you remain responsible for your own PCI DSS compliance.
  • Ensure your integration with ProtoVoice follows secure coding practices.
  • Do not configure AI agents to request or store full card numbers in conversation logs.
  • Review and accept our payment processing terms before enabling payment features.
  • Report any suspected payment security incidents immediately.
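The "No Storage" and conversation-log points above (card numbers are not transcribed or stored, and agents must not be configured to keep full card numbers in logs) come down to one control in practice: a filter that scrubs primary account numbers (PANs) from transcripts and log records before they are persisted. The following is an added illustration of such a filter, not ProtoVoice's own code; it uses the Luhn checksum so that ordinary digit runs such as order numbers are left intact, and the sample record, call id and token value are constructed placeholders.

```python
import re

# Luhn checksum (ISO/IEC 7812). Every PAN issued by the major card brands passes
# it, so it filters out most digit runs (order ids, timestamps) that merely look
# like card numbers.
def luhn_valid(digits: str) -> bool:
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, as a speech-to-text engine or keypad log might render them.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text, keeping only the last four digits."""
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return f"[REDACTED PAN ending {digits[-4:]}]"
        return match.group(0)   # not a card number: leave the digits alone
    return _CANDIDATE.sub(_replace, text)

def contains_pan(text: str) -> bool:
    """True if text holds at least one Luhn-valid card number (useful as a
    pre-storage assertion or a detection rule over existing logs)."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group(0)))
               for m in _CANDIDATE.finditer(text))

def scrub_log_record(record: dict) -> dict:
    """Return a copy of a conversation-log record with PANs redacted from every
    string field, so the record can be written to storage without widening
    PCI DSS scope. Non-string fields are copied unchanged."""
    return {key: redact_pans(value) if isinstance(value, str) else value
            for key, value in record.items()}

# Constructed sample record (not real data). 4242 4242 4242 4242 is a
# Luhn-valid test number; the token value is a placeholder, not a real
# processor token.
SAMPLE_RECORD = {
    "call_id": "call-0001",
    "transcript": "Caller: my card is 4242 4242 4242 4242, order 1234567890123.",
    "payment_token": "tok_PLACEHOLDER",
}

if __name__ == "__main__":
    print(scrub_log_record(SAMPLE_RECORD)["transcript"])
```

Two caveats a practitioner should keep in mind: the pattern only catches numbers rendered as digits, so a transcript in which the engine wrote "four two four two ..." needs a spoken-digit normalisation pass first, and a digit run longer than 19 characters is deliberately skipped rather than guessed at. Running `contains_pan` over stored records is also a cheap way to verify that the recording-pause and DTMF-masking controls are actually keeping card numbers out of the logs.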

9. Additional Security Features

  • Fraud Detection: Integration with payment processor fraud detection and prevention tools.
  • Velocity Controls: Configurable limits on transaction frequency and amounts.
  • Address Verification: AVS checks to verify billing addresses.
  • CVV Verification: Card security code validation on all transactions.
  • Dispute Management: Tools to manage chargebacks and payment disputes.

10. Compliance Documentation

ProtoVoice can provide Attestation of Compliance (AOC) documentation from our payment processors upon request. For customers undergoing their own PCI DSS assessments, we can provide documentation describing our payment architecture and scope-reduction approach. Contact our compliance team to request documentation.

11. Contact Us

For questions about payment security, PCI DSS compliance, or to request compliance documentation, contact our Security Team at compliance@protovoice.ai or write to: ProtoVoice, Inc., Attn: Payment Security, 7975 N Hayden Rd STE A210, Scottsdale, Arizona 85258.
