IVR SAQ Guide
This guide is for merchants and integrators using CityPay-hosted IVR payment capture, where cardholder data is captured inside CityPay's cardholder data environment.
IVR SAQ eligibility depends on the call flow, whether staff can hear or access cardholder data, whether calls are recorded, and whether any merchant system stores, processes or transmits PAN or sensitive authentication data.
CityPay-hosted IVR can reduce merchant scope because cardholder data is captured in CityPay's CDE rather than the merchant's. Reduced scope is not zero scope: the merchant must still validate the actual telephone, recording, agent and back-office process with its acquirer or QSA, who determine which SAQ applies.
Part 2a - Merchant business payment channels
Tick the channels that apply:
Mail Order/Telephone Order
If the IVR is used in another card-not-present channel, describe that channel clearly.
Part 2b - Description of role with payment cards
The merchant accepts card-not-present transactions using CityPay-hosted IVR payment capture. Cardholder data is entered by the customer directly into the CityPay-hosted IVR service, within CityPay's cardholder data environment. Merchant staff and merchant systems do not electronically store, process or transmit PAN or sensitive authentication data for this IVR payment capture flow. Payment processing, authorisation and handling of account data are outsourced to CityPay Limited.
If staff can hear, view, write down or otherwise handle PAN (for example, where an agent stays on the line during capture, or where a customer reads card details aloud before being transferred), adjust the wording and reassess scope.
Part 2c - Description of payment card environment
The assessed environment consists of the merchant call-handling process, telephony routing to CityPay-hosted IVR, staff procedures, any call recording controls, and administrative systems that initiate or reconcile IVR payments. Cardholder data capture occurs inside CityPay's hosted IVR environment. Merchant systems do not electronically store PAN or sensitive authentication data for this payment channel.
Part 2f - Third-party service providers
| Service provider | Description |
|---|---|
| CityPay Limited | CityPay PSP and TPSP operating its own gateway and hosted IVR payment capture within CityPay's CDE, providing authorisation, processing and related payment services. |
Also list telephony providers, call recording providers, contact-centre platforms or outsourced call-centre providers if they can affect the IVR payment flow.
Eligibility notes
Confirm:
- PAN and sensitive authentication data are captured through CityPay-hosted IVR
- merchant staff cannot hear, view or retrieve full PAN or sensitive authentication data during IVR capture
- call recordings do not contain PAN or sensitive authentication data
- merchant systems do not electronically store, process or transmit account data for this channel
- CityPay's PCI DSS compliance has been confirmed for the IVR service used
Telephony and call recording
Document how calls are routed to CityPay-hosted IVR and how recordings are controlled. Evidence should show that recordings do not contain PAN or sensitive authentication data, or that any recordings containing account data are handled within the applicable PCI DSS scope. Any recording that does capture account data brings the recording platform and its storage into scope.
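As an added example (not part of this guide and not CityPay's own tooling), the following Python scans call-transcript text for PAN-like digit sequences and reports only masked matches, so the scan output does not itself become a PAN store. The transcripts, call IDs and the helper names are constructed for illustration. It is a supporting check for the "recordings exclude account data" evidence, not proof on its own: a text transcript will not show DTMF tones captured in the audio, so the primary control remains suppression or pausing at the recording platform, and a Luhn-valid number is only probably a PAN.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample transcripts (not real calls).
# call-001: compliant flow, agent hands off to the IVR and tones are suppressed.
# call-002: leak, the customer reads the PAN aloud while the agent is on the line.
# call-003: a 16-digit order reference that is not a card number.
SAMPLE_TRANSCRIPTS: Dict[str, str] = {
    "call-001": "Agent: I'll transfer you to our automated payment line now. [IVR: DTMF suppressed]",
    "call-002": "Customer: my card number is 4111 1111 1111 1111, expiry 12/27, and the code is 123.",
    "call-003": "Agent: your order reference is 1234567890123456, thanks for calling.",
}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to further digits (so a 20+ digit run is not split into a PAN).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: doubles every second digit from the right, sums, tests mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four (the usual truncation) so reports never hold a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_like(text: str) -> List[str]:
    """Return masked, Luhn-valid candidate PANs found in one transcript."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_transcripts(transcripts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan every transcript; each finding is (call id, masked PAN) for follow-up."""
    findings = []
    for call_id, text in transcripts.items():
        for masked in find_pan_like(text):
            findings.append((call_id, masked))
    return findings


if __name__ == "__main__":
    for call_id, masked in scan_transcripts(SAMPLE_TRANSCRIPTS):
        print(f"{call_id}: PAN-like value {masked}, review recording and agent handling")
```

Run it over the transcript export for a sampling period and keep the (masked) findings and the follow-up as evidence; a run with no findings supports, but does not by itself prove, the recording-exclusion claim.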
Staff procedures
Evidence should show that staff direct customers into the IVR flow and do not request, repeat, write down or enter PAN outside the approved process.
Access control
This applies to systems that can initiate, manage, reconcile or affect IVR payments. Evidence should include unique user IDs, least privilege, removal of leaver access and periodic access review.
TPSP management and incident response
Maintain a TPSP list including CityPay Limited, written agreement or terms with CityPay, evidence of CityPay PCI DSS compliance for IVR, annual TPSP review, and an incident response plan that includes CityPay, acquirer and payment-brand escalation.
Evidence to retain
Retain:
- CityPay AOC or PCI DSS compliance confirmation
- IVR call-flow description
- telephony routing evidence
- call recording policy and evidence that recordings exclude account data
- staff procedures and training records
- access controls for IVR administration or reconciliation systems
- TPSP list and annual review
- incident response plan
- Appendix C explanations for Not Applicable requirements