Call Centre Payments

PCI-compliant call centre payments

Take card payments on live calls without putting card data in front of your agents, in your recording, or on your network. We drop you from SAQ D (329 controls) to SAQ A (22) — without replacing the phone system.

The standard call centre payment is not PCI compliant

Here's how most call centres still take card payments today: the customer reads their long card number, expiry, and CVV aloud. The agent types the digits into a browser tab or a CRM payment field. The whole exchange sits on the call recording. Sometimes a supervisor mutes the recording while the digits are spoken — sometimes they don't. Either way, those digits travelled across your network, sat in agent memory, and existed in your recording archive for the retention window.

That setup is a full SAQ D environment. The CDE includes the agent desktop, the network segment they sit on, the CRM, the recording platform, the backup tier, and every system that touches any of those. 329 controls, quarterly ASV scans, segmentation testing, and an annual ROC if you process more than 6M transactions a year. The agents themselves are the soft spot — under the PCI rules, anyone who can see or hear a PAN is a vector.

Our job is to make sure the agent never sees or hears the card, the recording never captures it, and your network never touches it. Once that's true, the entire CDE shrinks to the link between Paytia and your gateway. You drop to SAQ A — 22 controls — and most of your security audit goes away.

Three ways to make a call centre PCI compliant

Different flows suit different operations. We deploy whichever one fits the call type, and most customers run two or three of them side by side.

DTMF masking

The customer types their card into their phone keypad. We replace the tones with a flat sound in real time, before they reach your agent or the recording. The agent stays on the line throughout — they can talk the customer through the capture, answer questions, and pick up the conversation as soon as the payment authorises.

Best for: high-touch service calls, retention, upsell, anywhere you don't want the conversation to break.

Channel separation

The agent's audio path is briefly handed off to a Paytia voice prompt for the card digits, then handed back. The customer keys their card while a recorded voice walks them through it. The agent comes back on the line for the authorisation result and the rest of the call.

Best for: scripted flows, high-volume bill payments, where a predictable capture experience matters more than continuous conversation.

Payment links

The agent sends the customer a one-time secure link by SMS or email. The customer pays on the link in their own time, on their own device. Useful when the customer doesn't have their card to hand, or wants to call back later.

Best for: callbacks, follow-ups, customers who prefer to pay later, and any call where the natural conclusion is "I'll do it when I get home".

SAQ D drops to SAQ A — what that actually means

The numbers most people quote are right: SAQ D has around 329 controls, SAQ A has 22. But the controls themselves are the easy part. The real saving is what falls out of scope when the card data isn't on your network in the first place.

Your CRM stops being part of the CDE. Your call recording stack stops being part of the CDE. Your agent desktop, your network segmentation, your firewall ruleset, your DLP policy, your privileged access management for the segment, your annual penetration test scope, your quarterly ASV scans, your background-check policy for agents, your screen-recording retention — all of that either falls out of PCI scope entirely or gets dramatically narrower. The audit goes from "lift every floorboard in the building" to "show us how the link from Paytia to your gateway is configured".

We also handle PCI DSS v4.0.1. The March 2025 deadline has passed — v3.2.1 is retired. If your QSA is still working from a v3.2.1 RoC template, get it refreshed. The new requirements around scripts on payment pages (6.4.3, 11.6.1) and continuous monitoring change the maths on what stays in scope. Our glossary entry on PCI DSS walks through what changed in v4 and why.

Why call centres pick Paytia

Live in days, not months

We're not a transformation programme. Most customers are taking live PCI-compliant payments inside a working week. Integration is via REST API or SIP — whichever the phone system speaks. No physical kit on your floor, no per-seat licensing of hardware, no agent retraining beyond "press this key when the customer's ready to pay".

Works with the platform you already have

Genesys, Five9, NICE CXone, Talkdesk, Amazon Connect, 8x8, RingCentral, Avaya, 3CX, plain SIP — we sit alongside all of them. Our contact centre integration guide walks through the typical setup. We don't rip out your CCaaS or compete with it. We just take the bit of the call you'd rather not be on the recording.

PCI Level 1, audited every year

We're PCI DSS Level 1 — the highest assurance tier, audited annually by a QSA. That's what lets us take the card data off your stack. We hold the controls so you don't have to. The QSA's AoC is available on request when a procurement team needs it.

Pricing scales with calls, not seats

Per-seat licensing punishes you for headcount growth and idle seats. We charge per payment capture, so the bill tracks the work you actually do. A 50-seat team taking 200 payments a day pays less than a 50-seat team taking 2,000. Talk to us about a volume estimate and we'll come back with a number — we don't list pricing publicly because the right rate depends on call mix.

Questions we get asked

What makes a call centre PCI compliant?

Three things sit at the heart of it. Card data can't be heard by agents, can't sit in your call recording, and can't traverse your network in clear text. If any of those three happens on a single call, you're inside the Cardholder Data Environment (CDE) and you're on the SAQ D path — 329 controls, segmented network, quarterly ASV scans, the lot. We move card capture off your infrastructure so none of the three can happen. Most of our customers drop from SAQ D to SAQ A inside a week.

Do I need to replace my phone system to take PCI-compliant payments?

No. We sit alongside whatever you've got — Genesys, Five9, NICE CXone, Talkdesk, Amazon Connect, 8x8, RingCentral, 3CX, a SIP trunk, or a traditional PBX. The agent picks up calls the same way they do today. When it's time to take a payment, they press a key or click a button in the agent desktop, and the capture happens on Paytia's PCI Level 1 platform. The agent stays on the line. No rip-and-replace, no per-seat hardware.

Will my agents still hear the customer during payment capture?

With DTMF masking, yes — the conversation continues normally and only the keypad tones are suppressed. The agent hears the customer's voice, can answer questions, and picks the call back up the moment the payment authorises. With channel separation, the audio path is briefly handed off to a secure voice prompt for the card digits, then handed back. We default most customers to DTMF masking because it keeps the call conversational. Pick whichever fits the flow.

What's the impact on call recording?

Card data never enters the recording at all. Because we strip the DTMF tones before they hit the recording layer, you don't need pause-and-resume, you don't need post-call redaction, and you don't need a separate retention policy for payment calls. Your existing recording stack — Verint, NICE, Calabrio, whatever — keeps recording as normal. There just isn't any card data in the audio to begin with.
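As an added illustration of the mechanism described under DTMF masking above and in this answer (example code, not Paytia's; Paytia's own detector, thresholds and flat sound are not published here), a minimal in-band DTMF detector and masker in Python: it runs a Goertzel filter per DTMF frequency over 20 ms frames of 8 kHz audio, replaces any frame carrying a key with a flat 400 Hz tone before that audio goes on to the agent or the recorder, and hands the decoded keys to the capture path only. The sample rate, frame size, detection ratio and flat tone are assumptions, and the input is synthesised rather than real call audio.

```python
import math
SAMPLE_RATE = 8000                # narrowband telephony audio (assumed)
FRAME = 160                       # 20 ms frames at 8 kHz
ROWS = [697, 770, 852, 941]       # DTMF low-group (row) frequencies
COLS = [1209, 1336, 1477, 1633]   # DTMF high-group (column) frequencies
KEYS = ["123A", "456B", "789C", "*0#D"]

def goertzel_power(frame, freq):
    """Energy |X(f)|^2 at one target frequency, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_dtmf(frame, ratio=0.1):
    """Key carried by one 20 ms frame, or None when no row+column pair dominates."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:                        # silence: nothing to decode
        return None
    floor = ratio * FRAME * energy           # Parseval: sum |X_k|^2 = N * sum x^2
    row = [goertzel_power(frame, f) for f in ROWS]
    col = [goertzel_power(frame, f) for f in COLS]
    r, c = row.index(max(row)), col.index(max(col))
    if row[r] < floor or col[c] < floor:     # speech or a lone tone is not a key
        return None
    return KEYS[r][c]

def mask_dtmf(samples, flat_hz=400.0):
    """Audio the agent/recorder may hear (keys replaced by a flat tone) plus the keys."""
    audio, keys, prev = [], [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        key = detect_dtmf(frame)
        if key is None:
            audio.extend(frame)
        else:
            if key != prev:                  # one press spans several frames: report once
                keys.append(key)
            audio.extend(0.3 * math.sin(2 * math.pi * flat_hz * (start + i) / SAMPLE_RATE)
                         for i in range(FRAME))
        prev = key
    return audio, keys

def dtmf_tone(key, frames=5):
    """Constructed test input: `key` synthesised as its row+column tone pair."""
    r, c = next((i, row.index(key)) for i, row in enumerate(KEYS) if key in row)
    return [0.5 * math.sin(2 * math.pi * ROWS[r] * i / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * COLS[c] * i / SAMPLE_RATE)
            for i in range(frames * FRAME)]
```

A production detector also checks twist (row/column level balance) and minimum tone duration, and only the masked stream, never the original caller leg, may be wired to the agent and the recorder.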

How quickly can a call centre go live?

Most rollouts are live in 3–10 working days. The longest bit is usually your side — sandbox merchant on the gateway, agent UAT, and an internal sign-off. Paytia's side is API or SIP integration plus a config session. We've gone from contract signature to live capture inside 48 hours when the gateway and the merchant account were already in place.

Which payment gateways do you connect to?

Stripe (we're a Stripe Partner), Worldpay, Adyen, Opayo, Trust Payments, Barclaycard, and most major UK/EU acquirers via API. If your gateway isn't on that list, ask us — we add new ones regularly. The card data goes from the customer's handset straight to the gateway through Paytia. It doesn't sit on your network or ours.

Does this work for outbound campaigns too?

Yes. Same flow — agent dials out, has the conversation, presses a key to start a payment capture, the customer keys their card on their handset, agent stays on the line. We see it used heavily for collections, renewals, fundraising, and outbound sales where reading the card aloud would be a no-go on PCI grounds.

Ready to take PCI-compliant calls?

Book a 20-minute demo. We'll show you DTMF masking on a live call, walk through what SAQ A looks like for your setup, and quote based on your call mix.

PCI DSS Level 1
Cyber Essentials Plus

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.