# 13337: Gather: callback must be over HTTPS when using gather with PCI compliance

Log Type: APPLICATION

Log Level: ERROR

## Description

This error occurs when a `<Gather>` `action` callback used in a PCI workflow is not served over `https://`. Twilio requires a secure webhook endpoint for this flow, and Twilio won't connect to an HTTPS URL with a self-signed certificate.

### Possible causes

* The `<Gather>` `action` URL uses `http://` instead of `https://`.
* The callback endpoint uses an HTTPS certificate that Twilio cannot trust, such as a self-signed certificate.

### Possible solutions

* Update the `<Gather>` `action` URL to use `https://` and make sure the URL is valid.
* Use a trusted TLS certificate on the callback endpoint. Do not use a self-signed certificate.
* If you are collecting PCI-sensitive data, enable PCI Mode for the account in Voice settings before using PCI workflows.

#### Additional resources

* [TwiML Voice: `<Gather>`](/docs/voice/twiml/gather)
* [Payment Card Industry Programmable Voice workflows](/docs/voice/pci-workflows)
* [Webhooks security](/docs/usage/webhooks/webhooks-security)