PCI Compliance & Sensitive Data Handling

Capacity Voice supports PCI DSS Level 1 Service Provider compliance for voice interactions that handle sensitive payment and personal data. This article explains how sensitive data protection works within Guided Conversations, what is and isn't supported, and best practices for building flows that collect sensitive information.

Important: PCI compliance for sensitive data handling is currently supported for Capacity Voice (IVA) only. It is not available for chat-based Guided Conversations or other channel types at this time.

How It Works

When a Guided Conversation voice flow reaches a Collect Info card that has been configured to collect sensitive data, Capacity automatically protects that information across the entire interaction. Here is what happens behind the scenes - without requiring any additional configuration on your part:

  • Immediate redaction: The caller's spoken input is intercepted as soon as it is received. The sensitive value is tokenized and encrypted, and only a redacted string (e.g., ****-****-****-1111 for a credit card number) is passed to all downstream systems.
  • Call recording protection: During the window when sensitive data is being spoken, the audio in the call recording is replaced with a 1 kHz tone. The caller's actual card number, SSN, or other sensitive input is never captured in the WAV recording file.
  • No plaintext storage: The redacted string is what appears in call logs, transcripts, message logs, and conversation variables. The original value is stored in an encrypted format with a 24-hour time-to-live (TTL) and can only be retrieved explicitly via a secure reference token - for example, to pass the value to a payment API.
  • All surfaces protected: Redaction applies across call logs, transcripts, call recordings, and internal observability tooling, so sensitive data does not appear in any logs or monitoring systems.

This approach means that callers' sensitive data is never stored in plaintext at any point in the system, and is never replayed back in the conversation.

Supported Data Types

When marking a Collect Info card as collecting sensitive data, you select the type of information being collected. The following types are supported:

  • Credit Card Number - Built-in validation using standard card number patterns (Luhn algorithm). No additional configuration required.
  • Social Security Number - Built-in validation for SSN format. No additional configuration required.
  • Other - For other sensitive values (e.g., account PINs, passwords). Optional regex validation can be provided to validate the format of the input.

Limitations

  • Voice only: Sensitive data handling via the Collect Info card toggle is only available for Capacity Voice IVA flows. It is not supported in chat, SMS, or other channel types at this time.
  • Collect Info cards only: Sensitive data must be collected using the Collect Info card with the sensitive data toggle enabled. AI Agent cards cannot be used to collect sensitive data and are not PCI compliant for this purpose. If your flow uses an AI Agent card and requires PCI-compliant data collection, you must route to a dedicated Collect Info card step before collecting the sensitive input.
  • No repeat back: Because the sensitive value is immediately redacted, it cannot be read back or confirmed to the caller. Your flow design should account for this - for example, by asking the caller to confirm a non-sensitive subset of the data (such as the last four digits of a card number) if confirmation is needed.
  • One retry on validation failure: If the caller's input fails validation, a retry message is returned automatically. After one failed retry, the flow routes to a configured fallback exchange. There is no option for more than one retry.
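The following is an added example, not Capacity's own code, that models the behaviour described in the How It Works, Supported Data Types, and retry-limit passages above: type-specific validation (Luhn for card numbers, a format check for SSNs, an optional regex for the "Other" type), the redacted string handed to downstream systems, a token vault with a 24-hour TTL that only releases the original on an explicit lookup, and the one-retry-then-fallback policy. All function and class names are assumptions; the vault keeps values in a plain in-memory dict where the real service uses encrypted storage, and the SSN area/group/serial rules and the 12-19 digit card length bound are assumptions about what the built-in checks cover.

```python
"""Added illustration (not Capacity's code) of a sensitive Collect Info step:
validate -> redact -> tokenise with TTL -> one retry, then fallback."""
import re
import secrets
import time
from typing import Optional

TTL_SECONDS = 24 * 60 * 60  # 24-hour TTL stated in the article
RETRY_MESSAGE = ("I'm sorry but the provided information could not be validated. "
                 "Please repeat with the correct format.")  # default retry message
MAX_ATTEMPTS = 2  # first attempt plus one automatic retry, then the fallback route


def luhn_valid(digits: str) -> bool:
    """Luhn check; the 12-19 digit length bound is a conventional assumption."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0


def ssn_valid(digits: str) -> bool:
    """9-digit SSN format check using the standard SSA area/group/serial rules
    (assumption: the article only says 'SSN format')."""
    if not re.fullmatch(r"\d{9}", digits):
        return False
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def validate(data_type: str, raw: str, pattern: Optional[str] = None):
    """Return (is_valid, normalised_value) for the three supported types."""
    if data_type == "credit_card":
        digits = re.sub(r"[\s-]", "", raw)  # callers say '4111 1111 ...' or with dashes
        return luhn_valid(digits), digits
    if data_type == "ssn":
        digits = re.sub(r"[\s-]", "", raw)
        return ssn_valid(digits), digits
    if data_type == "other":
        value = raw.strip()
        ok = True if pattern is None else re.fullmatch(pattern, value) is not None
        return ok, value
    raise ValueError(f"unsupported sensitive data type: {data_type}")


def redact(data_type: str, value: str) -> str:
    """The redacted string that replaces the value in logs, transcripts and
    conversation variables. The card format matches the article's example;
    the SSN and 'other' formats are assumptions."""
    if data_type == "credit_card":
        return f"****-****-****-{value[-4:]}"
    if data_type == "ssn":
        return f"***-**-{value[-4:]}"
    return "********"  # fixed width so the redaction does not reveal the length


class SensitiveVault:
    """Maps a random reference token to the original value plus an expiry.
    ASSUMPTION: the real vault encrypts the stored value; this in-memory dict
    only models the token-and-TTL behaviour. The clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}

    def store(self, value: str) -> str:
        token = secrets.token_urlsafe(24)
        self._entries[token] = (value, self._clock() + TTL_SECONDS)
        return token

    def retrieve(self, token: str) -> Optional[str]:
        """Explicit retrieval by token, e.g. from an App Action calling a payment API."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:  # TTL elapsed: original is gone for good
            del self._entries[token]
            return None
        return value


def collect_sensitive(data_type, caller_inputs, vault, pattern=None):
    """Drive one Collect Info step over the caller's successive answers.
    outcome is 'accepted', 'retry' (still awaiting the caller) or 'fallback';
    'variable' is what the conversation variable holds afterwards."""
    prompts = []
    for attempt, raw in enumerate(caller_inputs[:MAX_ATTEMPTS], 1):
        ok, value = validate(data_type, raw, pattern)
        if ok:
            token = vault.store(value)  # only the token can reach the original
            return {"outcome": "accepted", "variable": redact(data_type, value),
                    "token": token, "prompts": prompts}
        if attempt < MAX_ATTEMPTS:
            prompts.append(RETRY_MESSAGE)  # the single automatic retry
        else:
            return {"outcome": "fallback", "variable": None, "token": None, "prompts": prompts}
    return {"outcome": "retry", "variable": None, "token": None, "prompts": prompts}


if __name__ == "__main__":
    vault = SensitiveVault()
    # Constructed caller answers: a mistyped card number, then a valid one.
    result = collect_sensitive("credit_card", ["4111 1111 1111 1112", "4111-1111-1111-1111"], vault)
    print(result["outcome"], result["variable"], result["prompts"])
    print("released to payment API via token:", vault.retrieve(result["token"]))
```

Note that the conversation variable only ever holds the output of `redact`, which is why a Logic card branching on its content cannot see the original, and why anything that needs the real value must go through `retrieve` with the token.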

Best Practices for Building Flows with Sensitive Data

Use Dedicated Collect Info Cards for Sensitive Inputs

Always collect sensitive data - credit card numbers, SSNs, PINs - using a Collect Info card with the "This card collects sensitive data" toggle enabled. Do not attempt to collect sensitive data through AI Agent cards, open-ended free-text prompts in other card types, or by parsing sensitive values from longer responses. The sensitive data toggle is the mechanism that triggers redaction and recording protection.

Place Sensitive Data Collection at a Discrete Step

Design your flow so that sensitive data collection is a clearly separated step. Place the Collect Info card immediately after any context-setting message (e.g., "I'll now collect your payment information") and before any cards that process or route based on that data. This makes it easier to reason about what is and isn't protected, and makes the flow easier to audit.

Do Not Pass Sensitive Variables to AI Agent Cards

Conversation variables that hold sensitive data are stored as redacted strings. Do not pass them as inputs to AI Agent cards. The AI Agent card is not designed for PCI-compliant handling, and passing sensitive variables to it is not supported. If post-collection processing is needed, use an App Action card to make the appropriate API call using the secure reference token.

Configure a Meaningful Fallback Route

When configuring a Collect Info card for sensitive data, you must select an On Validation Failure route. This determines where the flow goes if the caller's input fails validation twice. Configure this to route to a live agent transfer, a helpdesk ticket, or a fallback message that gives the caller alternative options - rather than simply ending the conversation.

Set a Clear Retry Message

The retry message is returned to the caller if their input fails the first validation attempt. The default message is: "I'm sorry but the provided information could not be validated. Please repeat with the correct format." You can customize this message, but keep it clear and non-technical - the caller should understand they need to try again without being given information that could help them guess or circumvent validation.

Inform Callers Upfront

Use a Simple Message card before the Collect Info card to let callers know they are about to provide sensitive information and that it will be handled securely. This sets expectations and reduces caller hesitation. For example: "I'll now collect your credit card number. This information is protected and will not be stored in our records."

Test Your Flow Before Going Live

Before deploying a flow that collects sensitive data, test the full path including validation failure and fallback routing. Confirm that call recordings and transcripts show redacted values and not plaintext sensitive data. Confirm that the fallback route works as expected for callers who cannot provide valid input.
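As an added example of the pre-go-live check described above (not Capacity's code), the following scans exported transcript or log lines for card-like digit runs that pass the Luhn check and for SSN-formatted values, so that a leak of plaintext past the redaction is flagged rather than found later in an audit. The sample lines and their format are constructed; a real export would be fed in line by line.

```python
"""Added example (not Capacity's code): scan transcript/log lines for sensitive
values that should have been redacted before the flow goes live."""
import re

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
CARD_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Dashed SSN form; a redacted ***-**-1234 never matches because it has no leading digits.
SSN_RUN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def _luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_leaks(lines):
    """Return (line_number, kind, matched_text) for every suspected plaintext leak."""
    findings = []
    for number, line in enumerate(lines, 1):
        for m in CARD_RUN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if _luhn_ok(digits):  # Luhn filters out most timestamps and IDs
                findings.append((number, "card", m.group()))
        for m in SSN_RUN.finditer(line):
            findings.append((number, "ssn", m.group()))
    return findings


# Constructed sample export: two correctly redacted lines, two deliberate leaks.
SAMPLE_LOG = [
    "10:02:11 caller: my card is ****-****-****-1111",
    "10:02:14 var.card_number=****-****-****-1111",
    "10:03:40 caller: 4111 1111 1111 1111",
    "10:03:52 var.ssn=123-45-6789",
    "10:04:01 caller: confirm last four 1111",
]

if __name__ == "__main__":
    for line_no, kind, text in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: unredacted {kind}: {text}")
```

Run it over the call log, transcript and message-log exports from a test call; an empty result for every surface is the condition to meet before deploying.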

Frequently Asked Questions

Can a caller's credit card number be repeated back to them for confirmation?
No. Once the sensitive value is collected, it is immediately redacted and cannot be read back. Your flow can confirm a non-sensitive portion of the data (such as asking the caller to confirm the last four digits) but the full value cannot be surfaced in the conversation.

Can I use a Logic card after a sensitive Collect Info card to branch based on the collected value?
No. The value stored in the conversation variable will be a redacted string, not the original value. Logic conditions based on the sensitive variable's content will not work as expected. Use validation within the Collect Info card itself to handle invalid input, and use the fallback route for failure cases.

What happens if an AI Agent card is reached after sensitive data has been collected?
The AI Agent card will see only the redacted string in the conversation variable, not the original value. AI Agent cards cannot be used to collect or process sensitive data directly.

Does this apply to chat-based Guided Conversations?
No. At this time, PCI-compliant sensitive data handling via the Collect Info card toggle is available for Capacity Voice IVA only.
