Chatley AI supports PCI DSS-compliant deployments for customers operating in retail, restaurant, e-commerce, financial services, and other payment-handling industries. Our voice infrastructure operates on PCI DSS Level 1 certified infrastructure. Cardholder data is never recorded, transcribed, or stored in Chatley AI systems when correctly configured.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.
Chatley AI's voice infrastructure runs on PCI DSS Level 1 certified infrastructure — the highest level of PCI certification. Our PCI compliance posture is achieved through three layers that must all be correctly implemented:
| Layer | Summary |
|---|---|
| 1. PCI flag | Enable at the agent level to activate payments-sensitive handling on certified voice infrastructure. |
| 2. Collection method | Use DTMF or an approved payment link — never spoken card numbers. |
| 3. Artifact suppression | Disable recording/transcription for the payment segment so card data never appears in logs or transcripts. |
When all three layers are correctly configured, cardholder data (PAN, CVV) never enters any Chatley AI system. It is never spoken, never transcribed, never stored.
| Area | Posture | Notes |
|---|---|---|
| Voice infrastructure | PCI DSS Level 1 | Underlying provider maintains the certified cardholder environment. |
| Chatley AI application | Configured per guidance | You must enable PCI mode, compliant collection, and suppression as described on this page. |
| Customer responsibility | Shared | Final PCI scope depends on your payment flow and acquirer requirements. |
The PCI compliance flag must be enabled at the agent configuration level. This activates payments-sensitive mode on the underlying voice infrastructure, which disables certain storage and logging behaviors.
Available on: Premium ($399/month) and Enterprise plans only.
Enabling the PCI flag alone does not constitute PCI compliance. All three steps must be implemented.
Payment card data must never be collected by asking the caller to speak their card number. Spoken card numbers are not compliant under any configuration, regardless of whether the PCI flag is enabled.
Compliant collection methods:
| Method | Description |
|---|---|
| DTMF capture | Caller enters digits via phone keypad; audio of tones is not retained as cardholder data when configured correctly. |
| SMS payment link | Send a secure hosted payment page; entry occurs outside the voice transcript when configured correctly. |
Recording and transcription must be disabled for the segment of the call during which payment information is being collected. This is configured at the agent level and ensures no cardholder data enters the transcript or recording.
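A post-deployment check for the artifact-suppression layer, added here as an example and not Chatley AI's own tooling: scan exported transcript lines for card-number-length digit runs that pass the Luhn checksum, which should never appear once suppression is working. The transcript lines are constructed, and the card numbers in them are publicly documented test PANs, not live cards.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid digit runs of card-number length found in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_transcript(lines) -> List[Tuple[int, str]]:
    """Return (line_no, masked_pan) for each transcript line that leaks a PAN.

    Only first six and last four digits are kept, so the finding itself does
    not reproduce the full card number in a ticket or log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return findings


# Constructed sample transcript (not real call data); card numbers are the
# well-known Visa and Mastercard test PANs. Line 3 is an order number that
# has card-like length but fails Luhn, so it must not be reported.
SAMPLE_TRANSCRIPT = [
    "Agent: I'll send a secure payment link to your phone now.",
    "Caller: Sure, my card is 4111 1111 1111 1111 and it expires in March.",
    "Agent: Your order number is 1234567890123 for reference.",
    "Caller: Reading it again: 5500-0000-0000-0004.",
]

if __name__ == "__main__":
    for line_no, masked in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: possible PAN {masked} - suppression failed")
```

Any finding means a caller spoke a card number and the segment was still being transcribed, so both the collection method and the suppression configuration need review.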
When PCI compliance is correctly configured, the following data never enters any Chatley AI system:
In the event of a security incident involving payment data:
| Phase | Actions |
|---|---|
| Detection & containment | Investigate scope, preserve evidence, and limit further exposure in coordination with infrastructure partners. |
| Customer notification | Notify affected customers and regulators as required by law and contractual commitments. |
| Plan tier | PCI flag | Notes |
|---|---|---|
| Pro / Elevate | Not available | Upgrade for payments-sensitive voice flows requiring PCI mode. |
| Premium | Available | Requires compliant collection method and artifact suppression. |
| Enterprise | Available | Custom configuration and documentation on request. |
For questions about PCI DSS compliance, to request compliance documentation, or to discuss PCI configuration for your deployment:
Email: security@chatley.ai
Mail: Chatley AI, Inc., 252 NW 29th St, Miami, FL 33127
Important: PCI compliance requires all three layers — the PCI flag, a compliant collection method (DTMF or SMS payment link), and artifact suppression. Asking callers to speak their card number is not compliant under any configuration. If you are unsure whether your payment collection workflow is PCI-compliant, consult your payment security advisor before deploying.