Payment Security | 31 December 2025 | 23 min read

Card Not Present (CNP) Explained: Risks and How to Reduce

Learn how card not present (CNP) transactions work, the fraud risks they carry, and the practical steps you can take to secure your business and stay compliant.


TL;DR

Card-not-present (CNP) transactions now drive about 70% of UK card-fraud losses, and the liability sits with you, not the bank. The fix isn't more agent training or pause-and-resume recording — it's keeping card data out of your environment entirely using DTMF masking, tokenisation, and a separate payment channel. Done properly, that cuts PCI scope by up to 95%.

Last updated: 29 May 2026

US reader? See the US version of this guide with US-specific compliance detail (TCPA, NYDFS, CCPA, FedNow, US PCI scope guidance).

A card-not-present (or CNP) transaction is simply any payment where you don't physically hand a card over to the merchant. Instead of the familiar swipe, chip-and-PIN, or tap, the customer provides their payment details from a distance. It's the engine behind modern e-commerce and any sale made over the phone. We've written a more tactical companion piece on card-not-present transactions: risks, rules and prevention if you want the fraud-control angle.

What Are Card Not Present Transactions?


Compare paying at a supermarket till to ordering a pizza by phone. At the till, the cashier sees your card and you enter a PIN. That's a Card Present (CP) transaction.

Read your card number out to the pizza shop and they have no physical proof you're the real cardholder. That's a card-not-present transaction.

This distinction is more than a technicality; it's a significant security problem. (For a closer look at the common fraud vectors, see securing card-not-present transactions, and for the phone-specific side we've written over the phone card payments.) The physical card isn't just a piece of plastic. Its EMV chip computes a one-time cryptogram for each transaction, so the data captured from one purchase can't be replayed for another, which makes cloning very hard. CNP payments have no such safeguard. They rely only on static data: the PAN (usually 16 digits, though 13 to 19 are possible), the expiry date and the printed security code. The Luhn check digit on the PAN only catches typos and offers no protection at all. Those static details are exactly what gets stolen in data breaches and phishing attacks.

Common Channels for CNP Payments

While online shopping is the most obvious example, card-not-present payments happen all the time across a few key channels. Each one has its own quirks and risks for businesses to manage.

  • Online E-commerce — This is the big one. Customers type their card number, expiry date, and CVV code into a website's checkout page. (For a plain-English explainer of what that three-digit code actually is, see what is the security code on a card and CVC on cards.)
  • Phone Orders (MOTO): Short for Mail Order/Telephone Order, this is when a customer gives their card details verbally to a contact centre agent or salesperson.
  • Digital Chat and Messaging — A fast-growing channel where customers pay through web chats, SMS, or social media, usually by clicking a secure payment link.
  • IVR and Self-Service — Automated phone systems that prompt the customer to key in card details without an agent on the line. Convenient, but you've still got to prove those tones never landed inside your network.
  • Recurring Billing — Anything stored on file for subscriptions, instalment plans, or top-ups. The card isn't present for any of the repeat charges, so every one of them is a CNP transaction.

Across every channel, the fundamental problem is the same: the business has to trust the person providing the details without any physical proof. This built-in vulnerability is precisely why CNP fraud makes up the lion's share of card fraud losses worldwide.

This shift from physical to digital verification completely changes the risk picture for merchants. The table below breaks down the key differences between the two transaction types.

Card Present vs Card Not Present at a Glance

Feature | Card Present (CP) | Card Not Present (CNP)
Verification Method | Physical chip, PIN, signature | Card number, expiry date, CVV
Physical Card | Required and present | Not required or present
Fraud Risk | Lower | Significantly higher
Typical Environment | Retail stores, restaurants | Online stores, contact centres
Chargeback Liability | Usually the issuing bank | Almost always the merchant
3DS / SCA Required | Met by chip-and-PIN (3DS not applicable) | Yes, for most UK/EEA online transactions


Why CNP Fraud Is a Growing Threat to Your Business


The convenience of digital and remote payments is undeniable, but it's brought a serious and fast-growing danger right to the doorstep of businesses everywhere. When a transaction is card not present, the physical security checks we take for granted — like chip-and-PIN — are completely off the table. This creates a real opening for criminals.

They don't need to physically steal a card anymore. All they need is the information printed on it.

And getting that information is easy. Fraudsters buy lists of stolen card details on the dark web, often pulled from data breaches, and use phishing scams to trick people into handing over their financial details directly.

The Anatomy of a CNP Fraud Scheme

Once a fraudster gets their hands on a set of card details — the 16-digit number, expiry date, and the CVV code — they can easily pose as the genuine cardholder. Since a card not present transaction only needs this basic information for approval, a criminal can start making purchases online or over the phone with very little to stop them.

A fraudster uses stolen details to buy a few expensive, easy-to-sell laptops from your online shop. Your payment system sees nothing wrong and the transaction clears. Weeks later, the real cardholder spots the charge and reports it.

The bank then triggers a chargeback and pulls the funds straight back out of your account. You've lost the sale, the goods you shipped, and you pay a chargeback fee on top.

"In the event of Card Not Present fraud, it is the merchant who bears the financial loss. This impact can be particularly substantial for retail establishments with narrower profit margins."

It's a harsh reality. Unlike fraud with a physical card, where the bank often absorbs the loss, the liability for fraudulent CNP transactions nearly always lands on the merchant.

The Financial Impact

This isn't a small cost of doing business; it's a serious threat to your bottom line that's getting worse. As e-commerce and remote payments grow, so does CNP fraud. The financial fallout is becoming more severe, especially in digitally-focused economies.

Take the UK, for example. Card-Not-Present (CNP) fraud is now the biggest payment threat, accounting for roughly 70% of all card fraud losses. In 2024, these losses hit record highs, jumping 11% from the previous year and putting the UK at the top of the European leaderboard for CNP fraud. You can get more detail on this worrying trend from FICO's European Fraud Map analysis.

For UK merchants there's also a second cost layer that often gets missed. A chargeback ratio around the 1% mark (the exact thresholds differ by scheme and have been tightened over the years) can push you into the card schemes' dispute-monitoring programmes (Visa's VDMP, Mastercard's ECM), and the fines from those programmes alone can run into tens of thousands per month. Once you're flagged, your acquirer will either raise your processing fees or terminate the merchant account, and once an acquirer terminates you, finding a replacement is hard and expensive.

More Than Just Money Is at Stake

The damage from CNP fraud goes well beyond the immediate financial loss. Every incident chips away at something far more important: your reputation and the trust your customers place in you.

Here's a look at the hidden costs that start to pile up:

  • Eroded Customer Trust — A customer who gets hit by fraud after buying from you will think twice before doing it again. They'll worry that their data isn't safe with you.
  • Operational Strain — Your team has to spend valuable time investigating and disputing chargebacks, pulling them away from serving customers.
  • Higher Processing Fees — Too many chargebacks will get you flagged as a high-risk business. Payment processors can then impose higher transaction fees or, in the worst-case scenario, shut down your merchant account entirely.
  • ICO Exposure — If stolen card details get tied back to a breach of personal data your business held, you're also looking at an Information Commissioner's Office investigation under UK GDPR, with fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.

Ignoring the risks of card not present fraud simply isn't an option. It's a direct attack on your revenue, your operational efficiency, and the customer relationships you've worked hard to build.

Want to see this working in your setup? Book a working-demo call — we'll wire up your actual phone system and show you a live capture.

Understanding PCI DSS Compliance in CNP Environments

When your business starts accepting card not present payments, you're stepping into a world governed by strict security rules. The big one is the Payment Card Industry Data Security Standard (PCI DSS), currently at version 4.0.1. This isn't optional; it's a mandatory set of controls for any organisation that handles, processes, or even just comes close to customer card details.

A common mistake is thinking these rules only apply to your website checkout page. In reality, PCI DSS applies everywhere sensitive payment information exists. That definitely includes your contact centre where agents take card details over the phone, and it can even cover your web chat logs if customers type their card numbers there.

PCI DSS v4.0.1 — What's Actually Changed

The current standard is v4.0.1, published in June 2024 as a limited-revision update to v4.0, which itself replaced v3.2.1 when that version was retired on 31 March 2024. All the future-dated requirements that were best practice during the transition became mandatory on 31 March 2025, so as of mid-2026 every UK merchant should be assessing under v4.0.1 in full. The bits that bite hardest for CNP environments are:

  • Requirement 6.4.3 — You have to inventory every script that loads and executes in the customer's browser on your payment page, authorise each one, record why it's needed and verify its integrity. If your checkout pulls in third-party tags (analytics, chat widgets, A/B testing), each one is in scope.
  • Requirement 11.6.1 — Change- and tamper-detection on the payment page itself. A mechanism has to alert you to unauthorised modification of the HTTP headers or the content of the page as the customer's browser receives it, running at least weekly or at the frequency set by your targeted risk analysis.
  • Requirement 8.3.6 — Stronger password rules: a minimum of 12 characters (8 where a system genuinely can't support 12), containing both letters and numbers, for access to anything in your cardholder data environment.
  • Customised Approach — v4.x lets you propose your own controls to meet an objective rather than ticking the prescriptive sub-requirements. Useful if you've got the security maturity to defend it; if you don't, stick to the defined approach.
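To make 6.4.3 and 11.6.1 concrete, here is an added example (not code from the original page, and not Paytia's) of the kind of check a merchant can run against its own payment page: every script on the page is compared with an approved inventory, inline scripts by content hash and external ones by the integrity attribute pinned in the inventory, and the security-relevant response headers are compared with a baseline. The PSP host js.example-psp.test, the tag-manager host, the inventory entries, the page HTML and the headers are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external src plus integrity attribute, or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._open is not None:       # HTMLParser hands script bodies to handle_data
            self._open["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def sri_hash(content: str) -> str:
    """Subresource Integrity style digest (sha384, base64) of script content."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content.encode()).digest()).decode()


def check_payment_page(html, headers, inventory, baseline_headers):
    """Compare an observed payment page and its response headers against the approved
    script inventory (6.4.3) and header baseline (11.6.1). Returns a list of findings."""
    parser = ScriptCollector()
    parser.feed(html)
    approved_src = {e["src"]: e for e in inventory if e.get("src")}
    approved_inline = {e["hash"] for e in inventory if not e.get("src")}
    findings = []
    for s in parser.scripts:
        if s["src"]:
            entry = approved_src.get(s["src"])
            if entry is None:
                findings.append(f"unapproved external script: {s['src']}")
            elif s["integrity"] != entry["hash"]:
                findings.append(f"integrity mismatch on {s['src']}: tag has {s['integrity']!r}")
        elif sri_hash(s["inline"].strip()) not in approved_inline:
            findings.append(f"unapproved or modified inline script: {s['inline'].strip()[:60]!r}")
    observed = {k.lower(): v for k, v in headers.items()}
    for name, expected in baseline_headers.items():
        got = observed.get(name.lower())
        if got != expected:
            findings.append(f"header changed: {name}: expected {expected!r}, got {got!r}")
    return findings


# --- constructed data for the example: hosts, hashes, page and headers are all hypothetical ---
PSP_SCRIPT = "https://js.example-psp.test/v3/checkout.js"
PSP_SRI = sri_hash("checkout.js v3 approved build")     # in practice, hash the approved file bytes
INLINE_CONFIG = 'window.checkoutConfig = {"merchant": "m_123", "currency": "GBP"};'

INVENTORY = [
    {"src": PSP_SCRIPT, "hash": PSP_SRI, "justification": "PSP hosted card fields"},
    {"src": None, "hash": sri_hash(INLINE_CONFIG), "justification": "checkout bootstrap config"},
]
BASELINE_HEADERS = {"content-security-policy": "script-src 'self' https://js.example-psp.test"}


def render_page(extra_scripts="", inline=INLINE_CONFIG):
    """Build the payment page HTML as a browser would receive it (constructed sample)."""
    return (f'<html><head><script src="{PSP_SCRIPT}" integrity="{PSP_SRI}" crossorigin="anonymous"></script>'
            f'<script>{inline}</script>{extra_scripts}</head><body><form id="card"></form></body></html>')


GOOD_PAGE = render_page()
GOOD_HEADERS = dict(BASELINE_HEADERS)

# A later crawl: one extra tag-manager script, a modified inline config, and a loosened CSP.
TAMPERED_PAGE = render_page(
    extra_scripts='<script src="https://cdn.example-tagmanager.test/tag.js"></script>',
    inline=INLINE_CONFIG + ' window.checkoutConfig.endpoint = "https://changed.example.test/";',
)
TAMPERED_HEADERS = {"content-security-policy": BASELINE_HEADERS["content-security-policy"]
                    + " https://cdn.example-tagmanager.test"}

if __name__ == "__main__":
    print("baseline:", check_payment_page(GOOD_PAGE, GOOD_HEADERS, INVENTORY, BASELINE_HEADERS))
    for f in check_payment_page(TAMPERED_PAGE, TAMPERED_HEADERS, INVENTORY, BASELINE_HEADERS):
        print("FINDING:", f)
```

In a real deployment the page and headers are fetched the way a customer's browser would fetch them (not from your own origin or CDN cache), the check runs at least weekly or at the cadence your risk analysis sets, and any finding raises an alert that someone is obliged to act on. Browser-side controls such as CSP and SRI attributes complement this but don't replace it: they prevent, 11.6.1 asks you to detect.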

Plenty of UK merchants we talk to didn't realise the deadline had passed and are still self-assessing against v3.2.1 templates. Your acquirer will catch that at next renewal — get ahead of it.

The High Cost of an Expanded Scope

The more systems, people, and processes that touch card data, the larger your security footprint, or PCI scope, becomes. Every system in scope needs controls, audits, and documentation. That's expensive.

Outdated card not present payment processes can push this scope to an unmanageable size. The moment a call centre agent hears a customer read out their card number, your entire contact centre infrastructure is instantly dragged into scope.

This means everything is now a potential risk:

  • Call Recordings — Those audio files now capture the PAN and the security code. The security code is sensitive authentication data, which PCI DSS forbids storing after authorisation in any form, so a recording that contains it is non-compliant on its face, and a recorded PAN has to be protected like any other stored cardholder data.
  • Agent Desktops — The computers your agents use are now in scope, requiring extensive security controls.
  • Network Infrastructure — The parts of your network carrying voice traffic fall under PCI DSS rules.
  • The Agents Themselves — Your own staff become part of the compliance burden, requiring specialist training and background checks.

Wider PCI scope means more systems to harden, more evidence to collect, and a longer audit. Costs scale with every endpoint that touches card data.

Compliance in a High-Scope Environment

Achieving and maintaining compliance in a high-scope environment is a constant headache. It means rigorous annual audits, penetration testing, and detailed documentation to prove that every single touchpoint is secure. Failing to comply can lead to serious penalties, including substantial fines and, in the worst cases, having your ability to process card payments revoked. The principles of securing financial data aren't unique to PCI DSS; they're foundational across many regulations. Exploring broader cybersecurity compliance frameworks like Sarbanes-Oxley (SOX) can offer useful perspective on these shared security requirements.

This is why smart businesses are flipping the script. Instead of trying to secure a sprawling, ever-expanding environment, they're focused on shrinking their PCI scope from the start. The goal is to stop sensitive card not present data from ever touching their systems in the first place. By implementing technologies that completely isolate the payment process, you effectively remove the "valuables" from most of your operational "rooms." You can learn more about this approach by exploring solutions for achieving PCI DSS compliance that cut your risk and audit burden from day one. It's a proactive strategy that not only simplifies compliance but builds a much stronger security foundation for your business.

SCA, 3D Secure 2, and the FCA Rules

On top of PCI DSS, UK e-commerce CNP transactions are also governed by Strong Customer Authentication (SCA), the PSD2 requirement carried into UK law through the Payment Services Regulations and the FCA's onshored technical standards. In practice that means most online card payments need 3D Secure 2 (3DS2) authentication: a second factor, usually completed in the customer's banking app. If you can't show that 3DS2 was completed, you're outside the liability shift and the chargeback risk stays with you.

A few exemptions exist (transactions below the low-value threshold of £30 under the UK rules and €30 in the EEA, transaction risk analysis performed by the acquirer, and trusted-beneficiary listing), and MOTO and merchant-initiated transactions on stored credentials are out of scope rather than exempt, but all of these are narrow and carry conditions. For most online merchants the realistic position is: assume every transaction needs SCA, build the journey around it, and only invoke an exemption when you've got the data to justify it.


Key Technologies That Secure CNP Payments

Knowing the risks of card-not-present fraud and compliance is one thing. Actually solving the problem requires specific tools.

There's a set of proven technologies designed to neutralise these risks by stopping sensitive data from ever entering your business operations in the first place. Instead of trying to build taller walls around your systems, these solutions prevent valuable data from ever getting inside.

Here's a breakdown of the core technologies that form the backbone of modern CNP payment security.

Understanding DTMF Suppression And Masking

When a customer pays over the phone, the biggest risk is an agent hearing — and your call recorder capturing — the raw card numbers. This is where DTMF suppression, often called masking, comes in. DTMF stands for Dual-Tone Multi-Frequency — the unique sounds each key on a telephone keypad makes.

Here's how it works. While the agent and customer are on the line, the customer types their card number into the keypad. All the agent hears is a flat, neutral tone. The actual DTMF tones are intercepted and sent straight to the payment processor, bypassing the agent and the call recorder.

Your call recordings stay clean of card data, and your agents never see or hear it. That cuts both internal and external fraud risk.

Worth being precise here: there are two implementations sold as "DTMF masking" and they're not equivalent. The weaker version is pause-and-resume, where your call recorder is told to stop recording during card entry and the agent stays on the line listening. The agent can still hear the tones, transcribe them with a £20 DTMF decoder, or write the digits on a sticky note. Your call recording is clean, but your agent isn't. The stronger version is true channel separation, where the audio path is genuinely split during capture — the agent hears flat tones, the call recording hears flat tones, and the digits travel down a separate path direct to the acquirer. If a vendor can't tell you which model they're using, assume it's the weaker one.
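Why the pause-and-resume model leaks is easier to see with a decoder in hand. The block below is an added example (not Paytia's code, and not from the original page) that synthesises the DTMF audio for a keyed card number and then recovers the digits with a Goertzel detector, the same technique a keypad-decoder app uses on whatever audio reaches the agent's headset. It also synthesises what the agent leg sounds like under channel separation, where every key press is replaced by one neutral tone. The 425 Hz masking tone, the 0.1 s press length, the 50 ms gap and the 8 kHz narrowband rate are assumptions made for the example.

```python
import math

SAMPLE_RATE = 8000          # narrowband telephony rate
BLOCK = 205                 # classic Goertzel block length for DTMF at 8 kHz
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low tones, columns = high tones
MASK_TONE = 425             # assumed neutral tone played to the agent leg under channel separation


def _tone(freqs, seconds, amplitude=0.45):
    n = int(SAMPLE_RATE * seconds)
    return [amplitude * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def synth_digit(digit, seconds=0.1):
    """Constructed input: the dual-tone audio a phone emits for one keypad press."""
    for row, keys in enumerate(KEYPAD):
        if digit in keys:
            return _tone((LOW_FREQS[row], HIGH_FREQS[keys.index(digit)]), seconds)
    raise ValueError(f"not a keypad digit: {digit!r}")


def synth_sequence(digits, masked=False):
    """Audio for a keyed sequence with 50 ms gaps. masked=True models the agent leg
    under channel separation: every press is replaced by the same neutral tone."""
    audio = []
    for d in digits:
        audio += _tone((MASK_TONE,), 0.1) if masked else synth_digit(d)
        audio += [0.0] * int(SAMPLE_RATE * 0.05)
    return audio


def goertzel_power(block, freq):
    """Energy of `block` at one frequency (second-order Goertzel filter)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(block):
    """Return the keypad digit present in one block, or None."""
    energy = sum(x * x for x in block)
    if energy < 1e-9:
        return None
    # Each tone of a genuine dual-tone press carries about a quarter of len(block)*energy
    # at its own frequency; anything well below that is leakage, noise or a partial block.
    threshold = 0.1 * len(block) * energy
    lows = [goertzel_power(block, f) for f in LOW_FREQS]
    highs = [goertzel_power(block, f) for f in HIGH_FREQS]
    row = max(range(4), key=lows.__getitem__)
    col = max(range(4), key=highs.__getitem__)
    if lows[row] < threshold or highs[col] < threshold:
        return None
    return KEYPAD[row][col]


def decode_dtmf(audio):
    """Recover keyed digits from audio: what a listening agent, or anyone with the
    un-suppressed recording, can do with a free decoder."""
    digits, last = [], None
    for i in range(0, len(audio) - BLOCK + 1, BLOCK):
        d = detect_digit(audio[i:i + BLOCK])
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)


if __name__ == "__main__":
    pan = "4111111111111111"          # well-known test PAN, constructed input
    print("agent leg, pause-and-resume:", decode_dtmf(synth_sequence(pan)))
    print("agent leg, channel separation:", repr(decode_dtmf(synth_sequence(pan, masked=True))))
```

Run it and the unmasked leg yields the full keyed PAN while the masked leg yields nothing, which is the whole difference between the two products sold under the same name. Production decoders add twist and timing checks, but none of that helps you: if the tones reach the agent's ear or the recorder, the digits are recoverable.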

This flowchart shows exactly how handling card data directly pulls your business systems into PCI scope, driving up risk and compliance costs.

A flowchart illustrating PCI scope expansion, showing card data transmitted to business systems leads to increased scope.

The key point is simple: the moment payment data touches your environment, your compliance burden expands significantly.

The Power Of Tokenization

The other core technique is tokenization — covered in our guide to tokenization. When a customer pays for the first time, their actual card number (the PAN) goes to a secure payment vault. The vault returns a unique, non-sensitive token — a random string of characters that stands in for the card on file.

This token can be safely stored in your systems for things like recurring billing or one-click checkouts. If a data breach ever occurs, fraudsters only get the useless tokens, not the actual card numbers that can be used for fraudulent card not present transactions. The real, valuable data remains locked away.

This approach is essential for any business with repeat customers, as it secures future payments without repeatedly exposing sensitive card details. Practical example: a UK insurance broker taking monthly premium payments doesn't need to re-collect the card every month. The token sits in their CRM, the broker's staff never see a PAN, and when a renewal needs charging the token gets sent to the processor with the amount. If the broker gets breached, the attacker walks away with tokens that are useless outside the broker's own gateway account.
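The broker example above has two properties worth seeing in code: the token is random rather than derived from the PAN, and it only works for the merchant account it was issued to. The block below is an added toy model of a PSP token vault (not Paytia's code, not any real PSP's API, and not from the original page) that shows both, then replays the breach scenario: an attacker with a copy of the broker's CRM holds tokens and last-four digits but can't charge anything, with or without a gateway account of their own. Merchant names, key format and token format are assumptions.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy model of a PSP token vault. The vault holds PANs; merchants hold only tokens
    plus an API key that authenticates their gateway account."""

    def __init__(self):
        self._merchant_keys = {}   # merchant_id -> sha256(api_key)
        self._tokens = {}          # token -> {"merchant": ..., "pan": ..., "expiry": ...}

    def register_merchant(self, merchant_id):
        api_key = "sk_" + secrets.token_hex(16)
        self._merchant_keys[merchant_id] = hashlib.sha256(api_key.encode()).hexdigest()
        return api_key

    def _authenticate(self, merchant_id, api_key):
        stored = self._merchant_keys.get(merchant_id)
        presented = hashlib.sha256(api_key.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, presented)

    def tokenise(self, merchant_id, api_key, pan, expiry):
        """Called from the isolated capture channel; the merchant never sees `pan`.
        Tokens are random, not derived from the PAN: a hash of a PAN is brute-forceable
        because the PAN space is small and Luhn-constrained."""
        if not self._authenticate(merchant_id, api_key):
            raise PermissionError("bad merchant credentials")
        token = "tok_" + secrets.token_hex(16)
        self._tokens[token] = {"merchant": merchant_id, "pan": pan, "expiry": expiry}
        return {"token": token, "last4": pan[-4:], "expiry": expiry}   # all the merchant may keep

    def charge(self, merchant_id, api_key, token, amount_pence):
        """Recurring charge. Succeeds only for the merchant account the token was issued to."""
        if not self._authenticate(merchant_id, api_key):
            return {"approved": False, "reason": "bad merchant credentials"}
        rec = self._tokens.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            return {"approved": False, "reason": "unknown token for this merchant"}
        return {"approved": True, "last4": rec["pan"][-4:], "amount_pence": amount_pence}


def demo():
    """Broker stores a token; an attacker who copies the broker's CRM gets nothing chargeable."""
    vault = TokenVault()
    broker_key = vault.register_merchant("broker_uk")           # hypothetical merchant ids
    rival_key = vault.register_merchant("other_merchant")
    card_on_file = vault.tokenise("broker_uk", broker_key, "4111111111111111", "12/27")  # test PAN
    crm_record = {"customer": "C-1001", **card_on_file}          # what the broker's CRM keeps
    renewal = vault.charge("broker_uk", broker_key, crm_record["token"], 4250)
    stolen_no_key = vault.charge("broker_uk", "sk_guess", crm_record["token"], 4250)
    stolen_other_account = vault.charge("other_merchant", rival_key, crm_record["token"], 4250)
    return {
        "crm_has_pan": "4111111111111111" in str(crm_record),
        "renewal": renewal["approved"],
        "stolen_without_key": stolen_no_key["approved"],
        "stolen_via_other_account": stolen_other_account["approved"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The residual risk is visible in the model too: an attacker who takes the token store and the gateway API key together, or who compromises the application that is allowed to call charge, can still run charges against those tokens. Tokenisation shrinks what a breach of your CRM is worth; it doesn't remove the need to treat the gateway credential as a secret, scope it to the minimum operations, and rotate it.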

To help you decide which technology fits your needs, here's a quick comparison of the main security tools available for protecting CNP payments.

Comparing CNP Security Technologies

This table breaks down the core function and primary benefit of each security technology, helping you understand which solution addresses specific risks.

Technology | How It Works (Analogy) | Primary Security Benefit
DTMF Suppression | A soundproof booth for keypad tones, blocking agents and recorders from hearing sensitive numbers. | Prevents live agent exposure and keeps card data out of call recordings.
Tokenization | A valet key for payment data; a stand-in that works for specific tasks but has no real value if stolen. | Protects stored card data for recurring billing, preventing use if a database is breached.
E2EE | An armoured truck that locks the data at the customer's end and only unlocks it at the payment processor. | Secures data in transit across networks, making it unreadable to anyone in the middle.
3DS2 / SCA | A second-factor check through the customer's banking app, on top of card details. | Shifts chargeback liability to the issuing bank for fraudulent transactions on authenticated payments.
Secure Channels | A dedicated, private tunnel that bypasses your main office systems entirely for payment processing. | Removes your entire business environment from the flow of sensitive data, shrinking PCI scope.

Each of these technologies plays an important role, and the most solid security strategies often combine them to create multiple layers of defence.

Using Secure, Isolated Payment Channels

The most effective strategy brings these technologies together within a secure, isolated payment channel. This approach ensures that from the moment a customer starts to enter their details, the entire process is completely separated from your business's core infrastructure.

Whether it's over the phone, via a payment link in a web chat, or through an online portal, the customer interacts directly with a secure platform like Paytia. This platform handles the entire transaction — capturing the data, processing it with the bank, and confirming the outcome — all without the data touching your systems.

This method delivers several significant benefits:

  • Drastic Scope Reduction — Since your systems never store, process, or transmit cardholder data, your PCI DSS audit scope can be reduced by up to 95%.
  • Improved Security — By keeping card details out of your environment, you eliminate the primary target for data thieves.
  • Improved Trust — Customers feel more secure knowing their information isn't being read aloud or typed into insecure chat windows.

For more advanced protection, businesses are also exploring sophisticated tools outlined in this guide on AI Fraud Detection. By layering these technologies, you can build a solid defence that protects your revenue, reputation, and customer data from the persistent threat of card not present fraud.

How to Securely Handle Payments with Remote Teams


For any business with remote teams, especially contact centres, taking a card not present payment can feel like walking a tightrope. The old-school methods of handling these transactions aren't just awkward; they're a genuine security gap and a compliance problem waiting to happen.

To really see why a change is needed, it helps to put the old, risky approach side-by-side with the modern, secure one. You'll quickly realise how the right technology doesn't just patch a problem — it changes your operations from high-risk to genuinely secure.

The Old Way: A Recipe for Disaster

For far too long, the standard way to take a payment over the phone has been dangerously simple. The agent asks the customer to read out their full card number, expiry date, and the three-digit code on the back. Then the agent types it all into a payment system.

This single, everyday interaction sets off a chain of security risks. Suddenly, that sensitive card data is exposed at multiple points inside your organisation.

  • The Agent — Your employee has just seen and heard everything needed to commit fraud. This creates an immediate risk, whether intentional or accidental.
  • Call Recordings — Most contact centres record calls for training and quality. Record a card being read out and you've stored the PAN and the security code in your audio files. The security code is sensitive authentication data, which PCI DSS prohibits storing after authorisation in any form, recordings included; the PAN has to be protected like any other stored cardholder data, which drags the whole recording platform into scope.
  • Agent Desktops — The data literally travels through the agent's computer, pulling their hardware, software, and even the local network into the scope of a PCI audit.

To manage this risk, businesses have had to resort to costly and awkward workarounds. Think "clean room" policies, where agents can't have pens, paper, or even their mobile phones at their desks. These measures drag on efficiency and create a culture of mistrust.

The Failure Modes Nobody Talks About

The traditional approach falls over in a few specific ways we see repeatedly during compliance reviews. Worth naming them explicitly so you can check whether they apply to you:

  • The unconfigured CRM field — An agent helpfully types the full PAN into a "notes" field while waiting for the payment screen to load. That CRM record gets replicated to a data warehouse, an analytics tool, and a backup tape. You've just put cardholder data in five new systems.
  • The screen-share moment — Agents on internal calls share their screen to get help. If they're mid-payment, the card details flash on whoever's watching. None of those viewers are background-checked for cardholder data access.
  • Pause-and-resume gaps — Recording pauses while the customer reads digits, but if the agent forgets to resume, the entire next conversation about delivery details, complaints, or sensitive personal info goes unrecorded. Your QA team has gaps; the customer's data still ended up at the agent's ear.
  • Home-working blind spots — Remote agents take payments from kitchens and bedrooms. The "clean room" policy that worked in your office is unenforceable on a sofa. Family members, smart speakers, and unlocked screens are all in scope.

The New Way: Secure by Design

Modern payment technology turns this entire process on its head. Instead of pulling sensitive data into your environment, it completely isolates the payment from your infrastructure. This new approach doesn't just solve the security problem; it makes things better for both the customer and the agent.

So, how does it actually work? When it's time to pay, the agent doesn't ask for any card details. Instead, they start a secure, automated process.

  1. Initiation — The agent lets the customer know that for their security, they'll be prompted to enter their details directly.
  2. Secure Capture — The customer uses their telephone keypad to type in their card number. DTMF masking technology stops the agent from hearing the tones, replacing them with a flat, neutral sound.
  3. Direct Processing — The sensitive data travels straight from the customer to the payment processor, completely bypassing the agent, their computer, and all your business systems.
  4. Authorisation Confirmation — The agent gets a simple "approved" or "declined" notification on their screen, with the last four digits of the card and a token reference for any follow-up. No PAN, no CVV.

This secure flow can be adapted for any channel. If you're on a web chat, for instance, the agent simply sends a secure payment link. This opens a separate, PCI-compliant page where the customer can complete the transaction on their own. Same logic applies to SMS, WhatsApp Business, and outbound email: the agent never holds the card data, the link does the heavy lifting.

Comparing Operational Workflows

The difference between these two approaches is night and day. The old way is all about containing risk, while the new way is about eliminating it entirely.

Aspect | Traditional Method (High Risk) | Modern Method (Low Risk)
Data Handling | Agent verbally collects and manually types in card details. | Customer enters details directly using their keypad or a secure link.
PCI Scope | Drags agents, desktops, call recordings, and your network into scope. | Limited to the secure payment provider; your business stays out of scope.
Security Measures | "Clean room" policies and unreliable pause-and-resume recording. | DTMF suppression, tokenization, and full-path encryption from the customer to the processor.
Customer Experience | Awkwardly reading sensitive details aloud, which feels insecure. | Smooth, professional, and builds genuine trust with the customer.
Home-Working Risk | Family members, neighbours, smart speakers can hear card numbers read aloud. | Nothing audible; nothing on the agent's screen worth stealing.

By taking your team and your infrastructure out of the data flow, you make policies like "clean rooms" completely unnecessary. This shift does more than lighten your PCI compliance burden; it lets your team focus on what they do best — serving customers, not policing desks. Moving to a secure-by-design model for card not present payments is a decision that strengthens security, improves efficiency, and builds lasting customer trust.

How Modern Platforms Slash Your PCI Scope

Bringing in modern security for card-not-present payments isn't just about adding another tool to your stack. It's about changing your relationship with risk. By using a secure payment platform, you strategically remove sensitive card data from your business environment altogether. The knock-on effect? Your PCI DSS scope shrinks significantly, and your compliance headache gets a whole lot smaller.

When card data flows through your agents' screens, your call recordings, and your network, every one of those systems is in PCI scope. Every endpoint needs hardening, monitoring, and annual evidence.

A modern platform routes the card data straight to the payment processor instead. It never lands in your environment, so those systems drop out of scope.

Removing the Valuables from Every Room

This is precisely what solutions like Paytia are built to do. They create a secure channel that ensures sensitive cardholder data never enters your systems in the first place.

  • Over the phone — DTMF suppression intercepts keypad tones before they can ever reach your agent or your call recording system.
  • Via chat or email — Secure payment links shift the entire transaction over to a dedicated, PCI-compliant payment page.
  • Through IVR — Self-service payments where the customer keys details into an automated system that's already isolated from your network.
  • For recurring charges — Tokenised credentials stored in the vault, not in your CRM, so monthly billing happens without your team ever seeing a card again.

The result is a significant reduction in your PCI scope. Your call recordings no longer hold sensitive data. Your agent desktops are clean. Your network is out of the firing line. The audit process becomes simpler, faster, and far less expensive because there are simply fewer "rooms" you need to prove are secure.

The core idea is simple but powerful: you can't lose what you don't have. By preventing card data from ever entering your environment, you eliminate the primary target for criminals and reduce the burden of protecting it.

What This Looks Like for a UK Contact Centre

Concrete example: a 40-seat UK contact centre taking around 8,000 phone payments a month. Before: full SAQ D-Merchant assessment, every agent workstation hardened, all call recordings encrypted-at-rest with key rotation, network segmentation between voice and data, quarterly ASV scans, annual penetration test on the agent estate. Budget for that compliance overhead lands somewhere between £40k–£90k a year before you've stopped a single fraud attempt.

After moving to a channel-separated capture model: SAQ A is the usual target, because every cardholder data function is outsourced to a validated third party and nothing on your side stores, processes or transmits card data (SAQ A-EP only applies to e-commerce channels where your own page influences how card data is redirected; your acquirer or QSA confirms eligibility based on where in the call path the capture happens). Agent workstations are out of scope, call recordings need no redaction because no PAN or security code was ever in them, and there's no network segmentation to design because there's no cardholder data environment to segment from. The compliance overhead drops to a fraction, and the saved budget can go into actual fraud prevention: velocity checks, device fingerprinting, 3DS2 optimisation.

More Than Just Avoiding Fines

This strategy goes far beyond ticking a compliance box. It's about building a sustainable foundation of trust and security. With card-not-present fraud constantly changing, a proactive defence is the only one that works.

Recent data brings home the urgency. In the first half of 2025, UK Finance reported that card-not-present fraud incidents surged by a staggering 22%, making it one of the fastest-growing types of financial crime. This trend shows that criminals are relentlessly targeting remote payment channels, making solid security a genuine necessity rather than a nice-to-have. You can find more details in the UK Finance fraud report.

By implementing a platform that de-scopes your environment, you shield your business from the financial and reputational fallout of a data breach. You also give your customers a secure and reassuring payment experience, showing them you take their security seriously. Our guide on using payment by link solutions explores one popular method for achieving this.

Shrinking your PCI scope isn't just a technical fix — it's a smart, strategic move that strengthens your business from the inside out.

Common Questions About CNP Security

Getting to grips with card not present security always brings up a few practical questions. Here are some of the most common ones we hear from businesses looking to make their payment processes safer.

Does a Secure Payment Platform Get Rid of Our PCI DSS Responsibilities?

Not completely, but it makes a significant difference. While a secure platform like Paytia can cut your PCI DSS scope by as much as 95%, you'll still need to complete an annual Self-Assessment Questionnaire (SAQ).

The good news? That process becomes much simpler, faster, and cheaper. Because your systems no longer touch, store, or see sensitive cardholder data, the scope of your audit shrinks to a fraction of what it was.

How Does DTMF Masking Actually Work on a Live Call?

It's a clever piece of technology that's surprisingly straightforward in practice. When a customer taps their card details into their telephone keypad, DTMF masking technology intercepts those tones before they can reach your agent or get picked up by your call recording system.

Your agent just hears a flat, monotone beep to confirm a key was pressed, but the actual sensitive tones are routed directly and securely to the payment processor. This means the card data for the card not present transaction never enters your environment.

Can We Really Take Payments Securely Through Web Chat?

Yes. Asking a customer to type their card details into the chat window is a serious security and compliance problem. A modern approach lets an agent generate and send a secure payment link right in the chat.

The customer clicks the link, which opens a secure, branded payment page where they can finish the transaction. This keeps all sensitive data completely separate from the chat log and your business systems. It's a simple switch that turns a high-risk interaction into a completely secure and compliant one.

Ready to take the risk and complexity out of card-not-present payments? See how Paytia can shrink your PCI scope and secure every single transaction. Explore our solutions today.

Reduce CNP fraud with channel separation

Paytia separates the audio channel during card entry so card data never enters your call recording. Lower fraud risk, lower PCI scope, same conversation flow your agents already know.

For the product side, see our DTMF masking solution.



Ready to take secure payments?

Book a demo with our team. We'll show you DTMF masking live, talk through PCI DSS scope reduction, and put together pricing based on your call volume.

PCI DSS Level 1
Cyber Essentials Plus

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia