What are MOTO Payments?
MOTO stands for Mail Order / Telephone Order. It refers to card payments where the cardholder is not physically present and the transaction is processed by an agent over the phone or through a posted or emailed order form. MOTO payments are classified as card-not-present transactions and carry specific security requirements under PCI DSS.
What MOTO Payments Are
MOTO stands for Mail Order / Telephone Order. It refers to any card payment where the customer provides their card details remotely -- either by post (mail order) or over the phone (telephone order) -- rather than presenting their physical card at a terminal. MOTO is one of the oldest forms of remote payment, predating online shopping by decades.
In a MOTO transaction, the merchant collects the customer's card number, expiry date, and usually the card security code (CVV/CVC), then processes the payment through a virtual terminal or payment system. Because the card is not physically present, MOTO transactions are classified as card-not-present (CNP) payments.
How MOTO Payments Work
The typical flow of a MOTO payment looks like this:
- The customer contacts the merchant by phone or sends an order form by post
- The customer provides their card details -- card number, expiry date, and security code
- The merchant enters the card details into a virtual terminal, payment system, or order processing software
- The payment system sends the details to the payment gateway, which routes them to the acquiring bank and then the card-issuing bank for authorisation
- The issuing bank approves or declines the transaction and sends the response back through the chain
- The merchant confirms the outcome to the customer
The whole process typically takes a few seconds for telephone orders. Mail orders take longer because of the postal delay, but the payment processing itself is just as fast once the details are keyed in.
Who Uses MOTO Payments
MOTO payments remain widespread across many industries, particularly where customers need or prefer to pay over the phone rather than online.
- Call centres and contact centres: The largest users of MOTO payments, processing everything from insurance premiums to utility bills, subscription renewals to one-off purchases
- Catalogue and mail order retailers: Traditional retailers who take orders by post or phone continue to rely on MOTO processing
- Professional services: Solicitors, accountants, medical practitioners, and consultants who take payment over the phone after delivering their services
- Local government: Councils processing council tax payments, parking fines, and other charges by phone
- Charities: Donation processing over the phone, particularly during fundraising campaigns and telethons
- Travel and hospitality: Hotels, travel agents, and event organisers taking bookings and deposits over the phone
- B2B suppliers: Business customers who prefer to pay invoices by phone rather than setting up online payment portals
MOTO Payments and Fraud Risk
Because the card is not physically present during a MOTO transaction, these payments carry higher fraud risk than chip-and-PIN transactions. The merchant cannot verify the card's chip, check a signature, or confirm a PIN. The main verification tools available are the card security code (which provides some assurance that the person has the physical card) and address verification (AVS), which checks whether the billing address matches the issuer's records.
MOTO transactions are also exempt from Strong Customer Authentication (SCA) requirements under PSD2 because the regulation specifically excludes mail order and telephone order payments. While this simplifies the payment process, it means MOTO transactions lack the additional authentication layer that protects online payments through 3D Secure.
Fraud liability for MOTO transactions typically sits with the merchant. If a fraudulent payment is made and the cardholder raises a chargeback, the merchant usually bears the cost. This makes it particularly important for businesses to implement solid fraud prevention measures for their MOTO payment channels.
The PCI DSS Challenge with MOTO
MOTO payments create significant PCI DSS compliance challenges, particularly for telephone orders. When a customer reads their card number to an agent, the card data travels through multiple systems -- the phone line, the agent's ears, the agent's screen, the keyboard, the workstation operating system, the local network, and potentially the call recording system. Every one of these touchpoints falls within PCI DSS scope.
For many organisations, this means facing SAQ C-VT or the more demanding SAQ D, which can involve hundreds of individual security controls. Securing all of these systems is expensive, time-consuming, and requires ongoing maintenance and monitoring.
Securing MOTO Payments
Several approaches can help businesses reduce the risk and compliance burden associated with MOTO payments.
DTMF Masking
For telephone orders, DTMF masking technology allows customers to enter their card details on their phone keypad instead of speaking them aloud. The tones are masked or suppressed before reaching the agent, and the card data is routed directly to the payment processor. This removes the entire agent environment from PCI DSS scope.
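The split described above, modelled as a small simulation. This is an added example, not Paytia's or any vendor's code; the `MaskingBridge` class, the field lengths and the flat-tone marker are assumptions made for the sketch, and the card details are a constructed test value.

```python
from dataclasses import dataclass, field

# Assumed field layout for this sketch: 16-digit card number, MMYY expiry, 3-digit security code.
FIELDS = (("pan", 16), ("expiry", 4), ("cvv", 3))
TOTAL = sum(n for _, n in FIELDS)
FLAT_TONE = "-"   # stands in for the masked tone the agent hears instead of a digit

@dataclass
class MaskingBridge:
    """Hypothetical component between caller and agent; only it sees real digits."""
    capturing: bool = False
    agent_leg: list = field(default_factory=list)   # what the agent and call recorder receive
    _digits: list = field(default_factory=list)     # held inside the bridge only

    def start_capture(self):
        self.capturing, self._digits = True, []

    def on_dtmf(self, key):
        """Handle one key press; returns the processor payload once all fields are in."""
        if not self.capturing:
            self.agent_leg.append(key)               # ordinary menu key presses pass through
            return None
        self.agent_leg.append(FLAT_TONE)             # every key is masked during capture
        if key.isdigit():
            self._digits.append(key)
        if len(self._digits) < TOTAL:
            return None
        raw, payload, pos = "".join(self._digits), {}, 0
        for name, length in FIELDS:
            payload[name] = raw[pos:pos + length]
            pos += length
        self.capturing, self._digits = False, []     # leave capture mode, drop the digits
        return payload                               # goes to the payment processor only

def agent_screen(payload):
    """What the agent desktop is allowed to show after capture."""
    return {"card": "*" * 12 + payload["pan"][-4:], "status": "sent to processor"}

def simulate_call():
    bridge, payload = MaskingBridge(), None
    bridge.on_dtmf("1")                              # menu choice before payment starts
    bridge.start_capture()                           # agent clicks "take payment"
    for key in "4111111111111111" + "1227" + "123":  # constructed test card details
        payload = bridge.on_dtmf(key) or payload
    bridge.on_dtmf("2")                              # after capture, keys pass through again
    return bridge.agent_leg, payload

if __name__ == "__main__":
    leg, sent = simulate_call()
    print("agent leg:", "".join(leg))
    print("agent screen:", agent_screen(sent))
```

Because the call recorder sits on the agent leg, it stores only the flat tones for the capture window.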
Pay by Link
Instead of taking card details over the phone, the agent sends the customer a secure payment link during the call. The customer enters their card details on a hosted payment page, and the card data never enters the merchant's systems. This effectively converts a MOTO transaction into an e-commerce transaction with all the security benefits that come with it.
Tokenization
For businesses that process repeat MOTO payments for the same customers, tokenization replaces stored card numbers with non-sensitive tokens. The real card details are held securely by the token service provider, and the merchant uses the token for subsequent transactions.
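A sketch of the token flow for a repeat customer, as an added example rather than any provider's real API. `TokenVault`, the `tok_` prefix, the customer record fields and the amounts are hypothetical, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Stands in for the token service provider; the merchant does not run this."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # keys the fingerprint used for lookups
        self._by_token = {}                   # token -> card number (provider side only)
        self._by_fingerprint = {}             # keyed hash of card number -> token

    def _fingerprint(self, pan):
        # Keyed hash so a returning card can be matched without indexing by the number itself.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        fp = self._fingerprint(pan)
        if fp not in self._by_fingerprint:
            token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from the card
            self._by_fingerprint[fp] = token
            self._by_token[token] = pan
        return self._by_fingerprint[fp], pan[-4:]

    def charge(self, token, amount_pence):
        pan = self._by_token.get(token)
        if pan is None:
            return {"ok": False, "reason": "unknown token"}
        # The provider would build the authorisation request from the real card number here.
        return {"ok": True, "last4": pan[-4:], "amount_pence": amount_pence}

def merchant_flow():
    vault = TokenVault()
    # First phone order: card details reach the provider, the merchant gets a token back.
    token, last4 = vault.tokenize("4111111111111111")    # constructed test card number
    record = {"customer_id": "C-1001", "card_token": token, "last4": last4}
    # Later MOTO payment: no card details are read out, only the stored token is used.
    repeat = vault.charge(record["card_token"], 2500)
    forged = vault.charge("tok_forged", 2500)            # a guessed token maps to nothing
    return record, repeat, forged

if __name__ == "__main__":
    for item in merchant_flow():
        print(item)
```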
MOTO vs CNP vs E-commerce
All MOTO payments are card-not-present (CNP) transactions, but not all CNP transactions are MOTO. E-commerce payments are also CNP, but they have access to additional security mechanisms like 3D Secure that are not available for MOTO. The key distinction is the channel: MOTO covers mail and telephone, while e-commerce covers online. Each channel has different fraud profiles, different compliance requirements, and different liability rules.
Understanding these distinctions matters when choosing your payment infrastructure and assessing your PCI DSS obligations. The SAQ type, fraud prevention tools, and security architecture you need will differ depending on which CNP channels you operate.
Paytia specialises in securing MOTO payments for contact centres and businesses that take payments over the phone. Our DTMF suppression technology lets customers key in their card details during a call while the agent stays on the line, unable to hear or see the numbers.
This removes card data from the voice channel entirely, descoping the contact centre from PCI DSS and eliminating the fraud risks associated with traditional telephone payment processes. Paytia also offers pay by link and IVR payment options for businesses that want to give customers multiple ways to pay securely.
Frequently Asked Questions
What is the difference between MOTO and e-commerce payments?
Both are card-not-present transactions, but they use different channels. MOTO payments are processed over the phone or by mail, with an agent typically handling the transaction. E-commerce payments happen online through a website or app, with the customer entering their own details. Each channel has different PCI DSS requirements and security considerations.
Are MOTO payments more risky than in-person payments?
Yes, MOTO payments carry higher fraud risk because the card is not physically present and cannot be verified with chip-and-PIN or contactless technology. This is why card brands classify them as card-not-present transactions and why businesses processing MOTO payments face stricter PCI DSS requirements.
How can I reduce the cost of PCI compliance for MOTO payments?
The most effective approach is to remove card data from your environment entirely. Technologies like DTMF masking and agent-assisted payment platforms route card details directly to the payment processor without them ever entering your contact centre. This descopes your telephony infrastructure from PCI DSS, significantly reducing compliance costs.