Common Services Layer (CSL) in Payments | Paytia

A Common Services Layer (CSL) is a shared middleware tier that sits between front-line systems (contact centre apps, CRMs, IVRs) and the payment gateway, so card data is handled in one PCI-scoped place rather than scattered across every connected app.

A Common Services Layer, usually shortened to CSL, is a shared middleware tier that sits between the apps your agents use (CRM, contact centre platform, IVR, web forms) and the payment gateway or acquirer behind them. Instead of every front-line system holding its own gateway integration and touching cardholder data directly, they all call into one CSL, and the CSL does the regulated work.

If you've seen the term in an RFP or an architecture deck and weren't sure what it actually does, the short answer is: it's the bit that makes PCI scope a building, not a campus.

What a Common Services Layer actually does

At its simplest, a CSL is a payment abstraction. The front-line app says "take £42.50 from this customer against order 1183" and the CSL handles everything that follows:

  • Capturing or receiving the card details (DTMF, hosted field, tokenised reference)
  • Validating the card against the issuer
  • Routing to the right acquirer or gateway based on currency, scheme, or merchant ID
  • Returning a token or a transaction reference back to the calling system
  • Storing the audit trail for reconciliation and dispute handling

The CRM or contact centre app never sees the PAN. It sees a reference. That's the whole trick.

Why it exists: PCI scope

PCI DSS scope is defined by what touches cardholder data. If your CRM stores it, your CRM is in scope. If your contact centre platform records calls that contain it, the recordings are in scope. If your IVR captures it, the IVR is in scope. Scope is contagious.

A CSL stops the contagion. Card data lands in the CSL and only the CSL, which is then the one thing you have to assess against PCI DSS. Everything upstream of it becomes out-of-scope or only minimally in scope (CDE-connected systems), and your annual SAQ shrinks accordingly.

That's the architectural reason CSLs exist. The business reason is cost: every system in PCI scope needs hardening, logging, quarterly scans, change control, and an annual audit. Cutting twenty systems down to one is the difference between an affordable compliance programme and a strategic problem.

How a CSL fits a typical contact centre

Picture a payment call going through a contact centre that uses a CSL:

  1. Customer rings in and reaches an agent through the contact centre platform.
  2. Agent identifies the customer in the CRM and gets to a payment step.
  3. The CRM (or a button in the agent desktop) calls the CSL with an order amount and reference.
  4. The CSL initiates a secure capture flow: DTMF masking, a hosted page, or a tokenised pay-by-link. The agent stays on the line but never hears or sees the digits.
  5. The CSL talks to the gateway, gets the authorisation, and returns a success token to the CRM.
  6. The CRM updates the order. The contact centre platform records the call without the card-entry segment (because it was muted, or because the audio was diverted).

At no point does the card number live anywhere except inside the CSL and the gateway. The agent's screen, the CRM database, the call recording — all clean.

What's inside a CSL

Implementations vary, but most CSLs include some combination of:

  • Capture services: the bits that actually receive card data — DTMF interceptors, hosted-field iframes, pay-by-link generators, mail order forms.
  • Tokenisation: swapping the PAN for a token that downstream systems can safely store and reuse. See network tokenisation for the scheme-level version.
  • Gateway routing: a single integration point that maps onwards to multiple acquirers, gateways, or alternative payment methods.
  • 3D Secure handling: stepping through 3DS2 challenges where required and returning the authentication result.
  • Vaulting: a secure store for card-on-file scenarios — subscription renewals, repeat orders, deposit returns.
  • Reporting and reconciliation: the transaction log that finance teams need.

CSL vs payment gateway: not the same thing

People sometimes use "CSL" and "payment gateway" interchangeably. They're not the same.

A gateway is a single endpoint that talks to one acquirer (or one set of acquirers) and processes one transaction at a time. It's a plumbing component.

A CSL is a layer above that. It can talk to multiple gateways, multiple capture mechanisms, and multiple front-line apps. It's the part of the architecture that decides how a payment is captured, where it gets routed, and who gets to call it. If you removed the CSL, you'd have a gateway and a pile of bespoke integrations. With it, you have one integration that every system can share.

Common CSL patterns in the wild

Three setups come up again and again:

Single-tenant CSL inside the merchant

A large merchant builds their own CSL as a microservice or platform team. Every internal app — CRM, billing, web, contact centre — calls into it. Common with enterprises that have the engineering resource and want full control.

Vendor-hosted CSL

The merchant buys a CSL as a service. The vendor runs it under their PCI Level 1 attestation, and the merchant integrates once. This is the model used by most secure payment vendors (Paytia included — our DTMF-masked capture and tokenisation service is, functionally, a CSL for contact centres).

Hybrid CSL via a CCaaS partner

The contact centre platform vendor (Genesys, Five9, Amazon Connect, etc.) provides hooks into a partner-run CSL. The CCaaS handles voice and agent UX; the CSL handles the regulated payment moment.

Things to watch for when scoping a CSL

If you're evaluating a CSL — building or buying — a few questions will save you grief:

  • Where exactly does PCI scope start and stop? Get the vendor to draw the line on a diagram. "It's all out of scope" isn't an answer.
  • What happens to call recordings? A CSL that captures DTMF without muting the recorder doesn't reduce scope — it just shifts the problem.
  • Tokens: vendor or network? Vendor tokens lock you in. Network tokens (Visa, Mastercard) follow the card across vendors.
  • What's the failure mode? If the CSL is down, does the agent go to paper and re-enter later (back in scope), or does the system gracefully queue?
  • How does it handle MOTO, e-com, and recurring side-by-side? A CSL that only handles one channel forces you to maintain another integration for the others.

Where the term comes from

"Common Services Layer" started life in enterprise SOA architecture in the 2000s — any shared services tier that multiple front-end apps could call. The payments industry picked it up because the architectural pattern fitted the PCI-scope problem so cleanly. These days, if someone says CSL in a payments context, they almost always mean a payment-services middleware layer specifically.

Related ideas worth knowing

A CSL doesn't exist alone. It's usually part of a wider scope-reduction architecture that includes DTMF masking, tokenisation, hosted payment pages, and pause-and-resume call recording. Each of those is a tactic; the CSL is the framework they fit into.

How Paytia Uses This
Paytia is effectively a Common Services Layer for contact centres. When an agent triggers a payment from their CRM or contact centre app, the customer's card details are captured via our DTMF-masked secure pay capture, routed through our PCI Level 1 attested infrastructure, and returned to the calling system as a transaction reference or token. The CRM, the contact centre platform, and the call recording stay out of PCI scope. You integrate once with our API; we handle the capture, the gateway routing, and the audit trail. That's the practical version of what "CSL" describes architecturally.
PCI DSSDTMF maskingtokenisation

Frequently Asked Questions

Is a CSL the same as a payment gateway?

No. A gateway processes a single transaction against one acquirer. A CSL is the layer above — it decides how the card is captured, which gateway to use, and provides one shared integration point that every front-line app can call. You can have a CSL that talks to multiple gateways underneath it.

Does using a CSL automatically make my contact centre PCI compliant?

It reduces scope, which makes compliance achievable. Whether you're actually compliant still depends on how the rest of the environment is configured — call recording, network segmentation, agent workstation policy. A CSL handles the cardholder data piece; you still have to handle the connected systems.

Can I build my own CSL or do I need to buy one?

You can build one if you've got the engineering team and want to carry your own PCI Level 1 obligations. Most merchants buy because the audit and infrastructure costs outweigh the cost of a vendor. The architectural pattern is the same either way.

Does a CSL work with cloud contact centres like Genesys or Amazon Connect?

Yes — that's actually the most common deployment now. The CCaaS platform handles voice and agent UX, and the CSL is bolted on for the payment moment via SIP integration, API hooks, or an agent-side widget. The recording either pauses or the DTMF tones are masked at source.

What's the difference between a CSL and a payment orchestration platform?

There's overlap. Payment orchestration usually focuses on routing transactions across multiple acquirers for cost or success-rate optimisation. A CSL focuses on being the shared, in-scope integration point. Many CSLs do orchestration; not all orchestration platforms reduce PCI scope the way a CSL does.

Related Terms

PCI DSSDTMF MaskingTokenization3D Secure / SCANetwork Token

See how Paytia handles common services layer (csl)

Book a personalised demo and we'll show you how our platform works with your setup.

PCI DSS Level 1
Cyber Essentials Plus
Book a demoContact us

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia