PCI DSS Level 1 Service Provider

Contact centre PCI compliance, without the headache

Run a contact centre that takes card payments and you can end up spending more time arguing with auditors than serving customers. We take card data out of your environment entirely — out of the agent's headset, out of the call recording, out of your network — so PCI compliance stops being a year-round project.

At a glance

Paytia for contact centres

What it does: We sit between your customer and your telephony stack and intercept the card-entry tones before they reach anything you own. Your agent stays on the line and can talk the customer through any errors — they just never hear the number.

Who we work with: UK and US contact centres, from ten-seat fundraising teams to multi-thousand-agent operations. Inbound, outbound, IVR overflow and out-of-hours self-service all covered.

Certifications: PCI DSS Level 1 service provider (audited annually by a QSA), Cyber Essentials Plus, GDPR-aligned, and recordings compliant with FCA, MiFID II and Ofcom rules.

How we deploy: Two models — DTMF Suppression keeps the agent on the line. Channel Separation steps the agent off while the customer pays, then brings them back. Pick what fits your call type.

What it plugs into: Genesys, Five9, Amazon Connect, NICE CXone, 8x8, Avaya and Talkdesk. SIP-layer integration, so it doesn't care what your agent desktop looks like.

Typical timeline: First live call inside a week of contract. No on-prem changes, no new hardware on your side.

The Friday-afternoon problem

Picture your inbound queue at peak — 200 agents on call, every other conversation ending with “OK, what's the long number across the front of the card?” That's the moment your PCI scope balloons. Every workstation that hears the digits, every recording that captures them, every backup that stores them — all of it falls under the 329 controls of SAQ D, audited every year, with a QSA in the building.

The usual workarounds make things worse, not better. Pause-and-resume scripts depend on agents remembering, every time, under pressure. Workstation-level masking keeps the tones on the line all the way to the desktop, which keeps your telephony stack in scope. Sending the customer to a payment portal mid-call kills conversion and irritates the people you're trying to help.

The cleanest fix is to stop handling card data at all. That's what we do.

How it actually works

When a customer needs to pay, your agent clicks a button in their browser. We prompt the customer to enter their card details on their own phone keypad. Those keypresses are intercepted by us before they reach your telephony stack — the tones never arrive at your SBC, your recorder, or your agent's headset. The agent stays on the line throughout and can talk the customer through whatever goes wrong. They just can't hear or see the card number.

Because the card data is redirected into our PCI DSS Level 1 environment before it touches anything you own, your contact centre falls out of most of the PCI scope that used to apply. No pausing and resuming recordings. No segmenting workstations. No retraining new agents on payment-security scripts, because they never handle payments in the first place.

The integration sits at the SIP/media layer, not the agent desktop, so it works the same whether you're on Genesys, Five9, Amazon Connect, NICE CXone, 8x8, Avaya or Talkdesk. Most rollouts are taking live calls inside a week. If you want the plain-English version of what PCI actually requires of a contact centre in 2026, read our guide to PCI compliance and call recording.

“I wanted something as simple to set up as a virtual terminal or a point-of-sale card reader — but with the flexibility to adapt as our needs grow. Paytia has achieved precisely that.”
Alison Wade · Head of Income and Performance, Pinnacle Group

Two ways we do this

Same outcome — card data never enters your contact centre — but different shapes for different call types. Most clients use both.

DTMF Suppression

Agent stays on the line

The customer keys in their card number while still talking to your agent. We replace the keypress tones with flat audio in real time, so the agent hears nothing identifiable. The conversation never breaks — useful for upsells, cross-sells, and any payment that benefits from agent presence.

Best for: high-value sales, complex bookings, situations where the agent needs to talk the customer through the keypad.

Channel Separation

Agent steps off during capture

The agent moves the customer onto a private payment channel for the seconds it takes to enter their card, then picks up where they left off. The recording for that segment is silent on the agent side — there's literally nothing to mask.

Best for: contact centres that already use a transfer/conference flow, situations where agents prefer not to be on the line during capture at all.

Not sure which fits? Compare them side by side, or book 15 minutes with us and we'll work it out together.

What changes for your PCI audit

The numbers tell most of the story. SAQ D — what most contact centres get hit with today — is 329 controls covering everything that touches card data. Annual QSA assessment, network segmentation reviews, quarterly vulnerability scans, the lot. Audit costs that comfortably run into five figures, sometimes six for larger operations.

SAQ A is 22 controls. It only covers merchant-side e-commerce, because for a contact centre using us, card data never goes anywhere that needs the rest. Most clients see their annual audit effort drop by an order of magnitude in the first year — and stay there.

You still need to do the audit — we can't take that off your plate entirely. What we can do is make it short, predictable, and the same every year. The QSA looks at the boundary between your environment and ours, confirms card data crosses it cleanly, and signs off. We've been through it ourselves nine times running, so we know what they ask for and can hand you the evidence pack.

What we plug into

SIP-layer integration. Your agent desktop doesn't change, your routing doesn't change, your recording platform doesn't change.

  • Genesys (Cloud CX and PureConnect)
  • Five9
  • Amazon Connect
  • NICE CXone
  • 8x8
  • Avaya (Aura and Experience Platform)
  • Talkdesk
  • On-premise SBC / SIP trunk setups

Certifications that matter

The card schemes require Level 1 for any service provider handling more than 300,000 transactions a year. We've held it since 2016.

PCI DSS Level 1 Service Provider

Cyber Essentials Plus · GDPR-aligned · FCA, MiFID II and Ofcom call-recording rules

Featured contact centre partner

PCI-compliant payments for ContactOne contact centres

We integrate with ContactOne to deliver DTMF-masked secure phone payments alongside ContactOne's omnichannel routing, call recording and 100+ agent deployments.

Frequently asked questions

How does DTMF masking actually work on an agent call?

When the customer keys in their card number, we intercept the DTMF tones before they reach your SBC, your call recording platform, or the agent's headset. The agent hears flat audio, and the digits are routed straight into our PCI DSS Level 1 environment. The agent stays on the line throughout — they can talk the customer through any errors, just without ever hearing or seeing card data. See DTMF masking for the technical detail.

Do we have to change our call recording setup?

No. Your existing recording platform keeps recording 100% of every call. Because the card-number tones are stripped before they reach the recorder, the resulting recordings are PCI-clean by default — no pause/resume scripts, no manual redaction, no risk of an agent forgetting to hit pause. That's the whole point of doing it at the network layer rather than at the workstation. See how the call flow works end-to-end.

What happens if the agent disconnects mid-payment?

The customer's card-entry session is held independently of the agent's line, so a dropped agent call doesn't kill the payment. If the disconnect happens before the customer finishes keying in, the session is cancelled and no charge is processed. If the agent drops after authorisation, the payment still completes and the customer hears verbal confirmation from the system. Reconciliation is straightforward in either case. Talk to us if you want to walk through your specific failure scenarios.

Does Paytia work with Genesys, Avaya, Five9, NICE and 8x8?

Yes — we've deployed against all the main CCaaS platforms including Genesys, Avaya, Five9, NICE CXone, 8x8, Amazon Connect, and Talkdesk. The integration sits at the SIP/media layer, so it doesn't care what your agent desktop looks like. Most rollouts go live within a week with no infrastructure changes on your side. See the telephone payments overview for what deployment looks like.

How much does this actually reduce our PCI SAQ scope?

For most contact centres, the move is from SAQ D (329 controls covering everything that touches card data) to SAQ A (22 controls covering merchant-side e-commerce only). That's because card data never reaches your agent workstations, your recording platform, or your network — it's redirected to our certified environment before any of your kit sees it. The annual audit cost typically drops by an order of magnitude. See PCI DSS scope explained for the framework detail.

How does Paytia compare to other contact centre payment vendors?

Three things to look at when you're weighing options. First, where the interception happens — anything that masks card data at the agent workstation leaves the tones on the line until they hit the desktop, which keeps your telephony stack in scope. We intercept at the SIP/media layer, so the tones never reach anything you own. Second, the certification level — "PCI compliant" can mean a self-assessed merchant tier; we're a fully audited PCI DSS Level 1 service provider, the same tier the card schemes themselves require. Third, what changes for your team — most alternatives need new desktop software, agent training, or pause/resume scripts. We don't. Agents carry on with the platform they already use.

Is Paytia right for smaller contact centres, or only for enterprise?

Both. Our clients range from ten-seat fundraising teams (Trinity Hall College, Cambridge) through mid-market housing and training operations (Pinnacle Group, CITB) to multinational enterprise (British American Tobacco). Per-agent pricing scales down for small teams without losing the PCI DSS Level 1 protection — there's no "enterprise tier" needed to get the proper certification. Smaller contact centres often see the biggest proportional saving because they were paying for SAQ D audits that were never going to fit their headcount sensibly.

Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College

  • Since 2016: Building secure payments
  • PCI DSS Level 1: Highest certification
  • 99.99%: Platform uptime
  • £400M+: Transactions processed

Take card data out of your contact centre

Fifteen minutes with us, then a week to live calls. See what your contact centre looks like with card data out of the picture.