DTMF masking benefits: why channel separation pays off

Last updated: 29 May 2026

DTMF masking is the technique that stops a customer's card number ending up in your call recordings, your transcripts, or your agents' notepads. The customer types their digits, and your systems never see the raw data. Done properly, it shrinks your PCI DSS scope and lets agents stay on the call while the payment goes through.

There are a few ways to deliver DTMF masking. The cleanest one is channel separation — the audio path between agent and customer is split for the few seconds it takes to enter card details, so the agent hears nothing and the system captures only what it needs. That's the approach we use at Paytia. Most of this post is about why it earns its keep on the revenue side, not just the security side.

We've written this for the people who actually have to make the call — finance directors signing off the budget, heads of contact centre worried about agent productivity, compliance leads staring down their next PCI DSS v4.0.1 assessment. If you want the technical comparison with the other masking approaches, our channel separation vs DTMF suppression guide goes deeper. This post is about the money.

The Hidden Cost of Insecure Phone Payments#

Every time a customer hesitates to give card details over the phone, you lose revenue. Every time an agent has to pause call recording or move to a "secure room," you lose efficiency. Every time you chase invoices because you couldn't take payment during the call, you lose cash flow.

Channel Separation fixes all three problems at once.

The invoice trap

The invoice chasing alone is a bigger drain than most businesses realise. A customer agrees to a service, the agent says they'll send an invoice, and then the waiting starts. Payment terms of 30 days stretch to 45, then 60. Your finance team sends reminders. The customer means to pay but keeps forgetting. Eventually the money arrives — minus the time your team spent chasing it.

UK Finance's commercial payments data has been pointing at the same problem for years — late payment is the single biggest cash-flow drag on small and mid-sized businesses. The interesting bit is that for a lot of these businesses, the original payment moment was a phone call where the customer was perfectly willing to pay. They didn't pay then because the process was awkward. They didn't pay later because life got in the way.

With Channel Separation, that payment happens during the original call. The work is done, the customer is happy, and the money is in your account before the conversation ends. Days Sales Outstanding (DSO) on the calls that go through this route drops to zero. That's not a marketing line — it's just what same-call settlement does to the metric.

The cost of the "secure room" model

If you're not masking, your agents are in scope for PCI DSS. That usually means a controlled environment — restricted access, clean-desk rules, no personal phones, dedicated CCTV in some setups. Building and maintaining that environment costs money. Operating it costs more. And it limits where and when your team can work.

Pause-and-resume on the recorder is the most common alternative, and it's a leaky one. Your QSA will ask uncomfortable questions about who can re-enable the recorder mid-call, what happens if pause fails, and how you prove no operator ever wrote the digits down. The honest answer is usually "we hope." Channel separation removes the question by removing the data.

The hidden cost of awkward payment moments

There's a quieter cost that doesn't show up on a spreadsheet — call abandonment at the payment step. Customers who are perfectly happy to buy get nervous when the agent says "right, I'm going to pause the recording and ask for your card." A small percentage hang up. A few more say they'll call back. Almost none of those actually call back. You've earned the sale and then thrown it away on a security ritual that makes the customer feel like they're being handled rather than served.

How Channel Separation Actually Works#

When it's time to enter card details, the audio path between your agent and customer is completely disconnected. The customer enters their information using their phone keypad while the system plays instruction messages to each party separately. The agent hears hold music and progress messages, so call recordings have no audio gaps. It also stops bad actors from asking for card details to be repeated verbally, and removes any possibility of sensitive data being spoken aloud. The system delivers consistent audio instructions to both sides, so no agent training is needed.

The few seconds that matter

The disconnection is brief — typically under two minutes — and the customer knows what's happening throughout. They hear clear prompts telling them which field to enter (card number, expiry date, CVV) and the system validates each entry in real time. If they make a mistake, they're asked to re-enter. When the payment is confirmed, the audio path reconnects and the conversation picks up where it left off.

What the agent sees

The agent doesn't sit there twiddling their thumbs. They see a progress display in their browser — "Card number entered", "Expiry entered", "CVV captured", "Authorising", "Approved". They can see exactly what stage the customer is at, so if anything goes wrong they can step back in and help. They just can't see, hear, or capture the actual digits. That's the whole point.

What the recording captures

This bit matters for compliance. The call recording continues uninterrupted. The agent's side has continuous audio — hold music and the progress prompts. The customer's side either records silence or, in some configurations, the masked tones themselves (which contain no decodable information because each digit is rewritten to a single non-DTMF tone before it hits anything that could store it). Either way, the recording contains no card data, no gap, no pause artefact. Your recording integrity story stays intact.

How card data actually reaches the bank

The captured digits travel from the customer's phone, through the masking platform, straight to the acquiring bank's tokenisation service. Your network never carries the raw PAN. The merchant systems get back a transaction reference and a token — useful for refunds, useless to a thief. This is the architecture PCI DSS v4.0.1 is steering everyone towards anyway. You're just getting there faster.

Curious how Paytia fits in? Have a quick chat with us — we'll show you in 15 minutes whether we're a fit.

The Revenue Impact#

The compliance case is the obvious one. The revenue case is the one that gets channel separation actually deployed. Here's where the numbers come from.

Same-call settlement closes the cash gap

Immediate payment capture is the most obvious benefit. No more waiting for invoices to be paid. Customers pay during the call, improving your cash flow and cutting administrative overhead. For businesses that currently rely on post-call invoicing, the shift to same-call payment can cut average days-to-payment from weeks down to zero.

That translates into a one-off working-capital uplift the first time you switch — the invoices that would have been in the 30–60 day bucket are now cash today — plus an ongoing benefit because you stop accumulating receivables you'll need to chase later. Finance teams get the immediate win and the structural improvement.

Upsell space opens up naturally

Agents can confirm orders and discuss add-ons before the payment process starts. After payment's done, the conversation continues — there's a natural opening to suggest additional products or services. Because the payment step is smooth and quick, it doesn't disrupt the sales momentum the way a clunky payment process would.

Compare that with pause-and-resume, where the awkward ritual ("right, let me pause the recording, can you confirm you're happy for me to take payment now…") kills the rhythm of the call. Once you've stalled out, getting the customer back into a buying frame of mind is hard work. Channel separation keeps the conversation flowing.

Reduced no-shows for service businesses

When customers commit to payment during the call, they follow through. No more chasing people who said they'd pay later. For appointment-based businesses — clinics, training providers, consultants — taking payment at booking eliminates the no-show problem almost entirely.

This effect is bigger than people expect. A clinic that converts 70% of bookings into actual attendances might shift to 95% when payment is taken at booking. That's not just five percentage points — it's a near-elimination of the wasted slot problem, which is where most service-business margin leaks.

Higher conversion at the payment step

Customers trust the process more when they know their data is completely protected and can't be overheard or repeated verbally. That trust translates into willingness to complete the transaction on the spot rather than deferring to another channel. We see businesses moving from 60–70% same-call payment completion under pause-and-resume to 90%+ with channel separation. Most of that gain comes from removing the moment where the customer thinks "actually I'll do this online later" — because the online "later" never happens for a good chunk of them.

Recovered productivity for the credit control team

The team chasing the invoices is a real cost, and it's a cost that scales with how badly your phone payment process performs. Move 80% of phone-originated payments to same-call settlement and that team's workload drops dramatically. Most businesses either redeploy those people onto higher-value work or simply absorb the saving into next year's headcount plan. Either way, the line item shrinks.

The Compliance Advantage#

For the underlying standard, see the PCI DSS document library — the requirements that DTMF masking helps you satisfy live there.

Channel Separation cuts your PCI DSS compliance requirements by up to 95%. Since sensitive card data never touches your systems, staff, or processes, you no longer need secure "clean room" environments, pausing call recordings during payments, extra controls for remote workers, or complex data handling procedures.

What PCI DSS v4.0.1 actually says about phone payments

PCI DSS v4.0.1 went into effect after v4.0 was retired, and as of 2026 it's the version your QSA will assess against. The phone payment requirements haven't fundamentally changed from v3.2.1, but the documentation and evidence burden has. You need clearer scoping, better proof of control effectiveness, and — under requirement 12.5.2 — annual scope confirmation. Less data in scope means less to document, less to test, and less to defend.

The specific requirements channel separation removes from your day-to-day worry list include 3.x (protect stored account data — you're not storing it), 8.x (identify and authenticate access to system components — your agent isn't a component that touches card data), and large chunks of 10.x (log and monitor access — you can't log access to data you never had). You'll still have requirements that apply because you're still a merchant, but the SAQ shifts from D to A in most setups, and an SAQ A is short enough to read on a train journey.

SAQ A vs SAQ D — what changes for your team

SAQ D is roughly 330 questions. SAQ A is roughly 30. That's not just paperwork; each question generally has an associated control you have to evidence. Going from D to A typically saves a mid-sized business 4–8 weeks of compliance work a year. If your IT team is already stretched, that's a meaningful reclaim.

GDPR and the recording problem

For businesses with GDPR obligations, there's an additional benefit. When card data never enters your recordings or systems, there's nothing to protect under data subject access requests and nothing to delete under erasure requests. Your data protection officer's life gets considerably easier.

The ICO has been clear in its guidance that card details captured in call recordings count as personal data and need to be protected accordingly. The cleanest way to satisfy that — and to avoid the awkward exercise of redacting historic recordings every time someone files a SAR — is to make sure the data never enters the recording in the first place. Channel separation does exactly that.

Why this isn't security theatre

This isn't just about avoiding fines — it's about running your business without security theatre. The operational savings are real. No more awkward pauses in calls. No more worrying about whether remote workers are taking payments from a compliant location. No more annual PCI assessments that tie up your IT team for weeks. When card data stays out of your environment, the compliance burden drops dramatically and your team can focus on the work that actually matters.

Remote and Hybrid Working: Channel Separation Makes It Simple#

The shift to remote and hybrid working created a real headache for businesses that take phone payments. Under traditional PCI DSS models, agents processing card payments need to work in a controlled, monitored environment — typically a supervised office with restricted desk policies, no personal devices, and sometimes even no pen and paper. Replicating that at someone's kitchen table is, to put it mildly, difficult.

What businesses tried before masking

Some businesses responded by banning remote workers from taking payments entirely. Others tried to enforce home-working policies that were almost impossible to verify — "make sure nobody else is in the room when you process a payment" isn't exactly enforceable when you can't see the room. A few invested heavily in virtual desktop infrastructure and monitoring software, adding cost and complexity that smaller businesses couldn't afford.

What changes when the agent never touches card data

Channel Separation cuts through all of this. Because card data never reaches the agent — whether they're in a head office, a branch, a co-working space, or their spare bedroom — the location doesn't matter. The same security applies everywhere. There's no need for clean-desk audits, no need for monitoring software, and no need to restrict which staff can take payments based on where they're sitting that day.

For businesses with agent-assisted payment workflows, this is transformative. Your entire team can take payments securely from any location, on any shift pattern, without you having to worry about whether their home setup meets PCI DSS requirements. The technology handles the security. Your people handle the customers.

The recruitment angle

This matters for recruitment too. If you can only offer payment-handling roles to people willing to work on-site five days a week, your talent pool shrinks. Offer flexible, hybrid working with the same payment capabilities, and you attract a wider range of candidates — including experienced agents who left the industry specifically because of rigid location requirements.

UK contact centre recruitment is competitive and getting harder. The businesses that can offer a real remote option without compromising compliance are winning the experienced staff. The ones that can't are paying premium agency rates to backfill turnover. The cost difference shows up in the annual budget pretty quickly.

Customer Experience Wins#

Customers get business-grade security with a professional, straightforward process. They receive clear instructions for entering their card details, knowing their data can't be overheard or repeated verbally. The whole thing feels secure and professional — not like going through a security checkpoint. The system delivers consistent instructions to both customer and agent every single time. No gaps in call recordings, no confusion about the process, and no risk of sensitive data being spoken aloud.

What the customer actually experiences

From the customer's side, the process is simple. They're chatting to the agent, the agent says "I'll move you to our secure payment system now — please enter your card number when prompted, and we'll be back in conversation in about 90 seconds." They hear a clear automated prompt, type their card number on the keypad, hear "Now your expiry date please", type that, and so on. At the end they hear "Payment approved, transferring you back to your agent." The agent comes back on and confirms the details. Job done.

We hear consistently from businesses that their customers comment positively on the experience. "That was easy" and "I wish every company did it that way" are common pieces of feedback. When the payment step is smooth rather than stressful, it changes the entire tone of the interaction.

What the customer doesn't have to do

They don't have to read their card number out loud where someone in the office overhears it. They don't have to be told the call is being paused and worry about whether the pause actually worked. They don't have to be sent to a different website. They don't have to receive a payment link by SMS, click it on a smaller screen, and squint at fields. They stay on the phone, in the conversation, and pay using their card the way humans have been paying for cards on phones for decades — by pressing buttons.

Accessibility considerations

The phone keypad is one of the most universally accessible payment input methods. It works for customers who can't easily use a smartphone, can't read a payment link on a small screen, or are calling from a landline because that's their preferred channel. Older customers and customers with visual impairments often prefer phone payment over web payment for exactly this reason. Channel separation keeps that accessibility while solving the compliance side.

Implementation Reality#

Channel Separation typically deploys within one day to one week, depending on your existing telephony setup. No staff training required — the technology handles the complexity while your agents focus on the customer. It works with most phone systems and fits into your existing workflow without disruption. You keep doing things the way you do now, but with enterprise-level security added on top.

What integration looks like

For most cloud telephony platforms, integration is a matter of configuring a transfer destination, adding the payment platform's URLs to your agent desktop or CRM, and running a few test transactions through. We've done this with all of the common cloud contact centre platforms — Genesys, Five9, NICE CXone, Talkdesk, RingCentral, Amazon Connect, 8x8 — and the pattern is consistent. The hard part isn't the technology; it's deciding which call flows you want masking on.

What it doesn't change

Channel separation sits alongside your existing systems. It doesn't replace your CRM, your telephony, your call recorder, your acquirer relationship, or your accounting software. It doesn't change how reporting works — transactions still appear in your acquirer's portal the same way they do today. It doesn't require you to retrain agents, because the agent's workflow stays the same right up to the moment the payment kicks off.

What does need attention

The conversation that matters most isn't technical — it's procedural. Who can initiate a payment? What's the script the agent uses to set up the masked sequence? What happens when a card fails authorisation and the agent needs to ask for a different card? What's the refund path? These are 30-minute decisions, but they're worth making properly before go-live rather than discovering them in week three.

Who Channel Separation Works For#

Channel Separation works well for any business taking phone payments where the relationship with the customer matters. The technology adapts to different use cases, but the core benefit is always the same: secure payment capture without interrupting the conversation.

Retail and e-commerce

Retail and e-commerce businesses use Channel Separation to capture payments during order-line calls. A customer phones in to place an order, the agent confirms the items and delivery address, and payment happens mid-call without the agent ever seeing the card details. For retailers handling returns or exchanges, the same process works in reverse — refunds process through the same secure channel, keeping everything in one interaction rather than sending the customer to a different payment method.

Healthcare and medical services

Healthcare and medical services find it particularly valuable for clearing outstanding balances and taking deposits. A patient calls about an appointment, the receptionist confirms the details, and the deposit or co-pay is taken during the same call. No invoice to send, no payment to chase, and no card data sitting in the practice management system. For NHS-adjacent private providers and dentistry groups, the GDPR cleanup angle is just as valuable as the PCI angle.

Education and training providers

Education and training providers use it to secure bookings with upfront payment. When a prospective student calls to enrol on a course, the payment happens during the conversation. This eliminates the gap between "I'd like to sign up" and "I'll pay when I get the invoice" — a gap where a significant percentage of enrolments quietly disappear.

Charities and non-profits

Charities and non-profits capture donations during fundraising calls, telethons, and follow-up conversations. The emotional connection of a phone call drives higher donation values than online giving alone, and Channel Separation means that advantage doesn't come with a compliance burden attached. The Fundraising Regulator's expectations around donor data have only got firmer, and channel separation makes the response to those expectations a lot simpler.

Contact centres and service providers

Contact centres and service providers process payments as part of everyday customer interactions — from settling accounts to taking renewal payments. For high-volume operations, the consistency of the automated process is as important as the security. Every payment follows the same steps, every time, regardless of which agent handles the call.

Housing associations and local authorities

Housing associations taking rent and service charge payments by phone get a particularly clean win. The customer base often prefers phone over web, the call volumes are high, and the compliance burden under PCI DSS plus public-sector data handling rules can be onerous. Channel separation simplifies both sides at once. Local authorities collecting council tax, parking fines, and licence fees see similar benefits — and crucially, can offer the service to residents without forcing them onto a self-service portal.

Insurance brokers and financial services

Insurance brokers handling renewal premiums, policy excess payments, and add-on cover purchases use channel separation to keep the sale closing on the call. The FCA's expectations on customer treatment include making it easy for people to complete the transaction they came to do — not bouncing them onto a separate payment channel that they may or may not follow through on. Same logic applies to FX bureaux, mortgage brokers, and anyone whose conversation naturally ends with "and how would you like to pay?"

The unifying pattern

Insurance brokers, utilities, local authorities, membership organisations, debt collection agencies — if your business involves conversations that end with "and would you like to pay that now?", Channel Separation makes the answer "yes" more likely and the process more secure.

Edge Cases and Failure Modes Worth Knowing About#

No system is perfect, and the honest version of this story includes the bits that go wrong. Here's what to plan for.

Customer enters the wrong card number

The acquirer rejects the transaction. The customer hears a clear message ("Card declined — please try a different card or check the number"), and the agent sees the same on their progress display. They can step in, ask the customer to use a different card, and restart the payment sequence. Total time lost: maybe 30 seconds. Compare that with pause-and-resume, where the agent has to ask the customer to repeat digits over a recorded line, then hope nothing got mistranscribed.

Customer hangs up mid-payment

No transaction completes, no card data is stored anywhere, and your CRM doesn't end up with a half-finished record. You call them back if appropriate. Clean failure mode.

Agent loses their internet connection

The masking session is held by the payment platform, not by the agent's browser. If the agent drops, the customer can usually still complete the payment (because the audio path is between them and the platform, not them and the agent). When the agent reconnects, they see whether the transaction completed.

Carrier drops DTMF tones

Some VoIP carriers compress audio aggressively and can mangle DTMF if it's sent in-band. This is rare with modern SIP setups but worth testing. Out-of-band DTMF (RFC 2833 / RFC 4733) is standard and reliable. Channel separation platforms negotiate this with the carrier — but if you're on a particularly old or quirky telephony setup, do a few test calls before assuming it works.

Disputes and chargebacks

Chargebacks work the same way they always have. The transaction reference and authorisation code from the masked session are valid for chargeback defence, and your acquirer will accept them. You don't lose any of the documentary trail you'd normally have — you just don't have the PAN sitting in your CRM.

Channel Separation vs the Standard Alternative#

The standard alternative most businesses are still running is pause-and-resume on the call recorder. Sometimes this is dressed up with extra controls — for example, the agent has to enter a code to re-enable recording, or a supervisor signs off the pause — but the architecture is the same: the agent hears the digits, says them back to confirm, and the recording is paused for that window.

What pause-and-resume gets wrong

Pause-and-resume puts the agent inside the cardholder data environment. Every agent is in PCI scope. Every workstation they sit at is in scope. Every line they use is in scope. The data is in your environment in real time, even if you don't store it — and "don't store it" is a control you can't actually prove to a QSA's satisfaction, because the audio went through your network.

It also has operational failure modes that channel separation doesn't. The pause can fail silently, leaving card data in the recording. An agent under pressure can forget to pause. A new agent can be trained to pause incorrectly. The recovery from a missed pause involves manually redacting the recording, which is grim work that often doesn't actually happen.

What channel separation gets right

The data never enters your environment. There's no pause to fail, no manual step to skip, no transcript to redact. The PCI scope reduction is real and provable. The agent stays productive. The customer's experience is consistently smooth. And — the bit finance always cares about — you stop bleeding cash on chasing invoices that should have settled on the call.

When pause-and-resume might still make sense

Honestly, almost never in 2026. If your call volume is tiny, your compliance pressure is minimal, and you genuinely don't care about the CX or productivity side, pause-and-resume is cheaper to operate (because you don't pay a transaction fee to a third party). For everyone else, the channel separation maths is clearly better. Our DTMF masking vs pause-and-resume comparison walks through the numbers.

Pricing and ROI — How to Think About the Investment#

Channel separation is generally billed per transaction (sometimes per minute, sometimes a hybrid). The price per transaction is small — a few pence to tens of pence depending on volume — and the question for any finance director is whether the savings justify it.

The savings side of the equation

Reduced PCI compliance cost (typically tens of thousands a year for mid-sized businesses moving from SAQ D to SAQ A). Reduced credit control workload (proportional to how much of your phone payment volume currently ends up as invoiced terms). Increased same-call conversion (worth real money once you multiply the percentage gain by your average transaction value). Reduced agent training cost. Reduced "secure room" infrastructure cost. Plus the cash-flow benefit of stopping accumulating receivables.

How to model it for your business

Take your annual phone payment volume. Estimate what proportion currently settles on the call vs gets invoiced. Estimate the conversion lift from removing the awkward pause-and-resume step (we'd suggest a conservative 5–10 percentage points). Multiply by your average transaction value. Add the PCI compliance reduction. Compare against the per-transaction fee multiplied by your volume. For most businesses doing more than a few hundred phone payments a month, channel separation pays back in well under a year.

What to ask any vendor

Is the price per transaction, per minute, or per agent seat? Are there setup fees? Are there minimum monthly commitments? Are refunds charged at the same rate as authorisations? Can you cap monthly spend? What happens to the price if your volume drops in a quiet period? These are simple questions but the answers vary wildly across the market.

The Competitive Edge#

While your competitors deal with compliance headaches and security concerns, you're capturing more sales and building stronger customer relationships. Channel Separation turns payment security from a cost centre into something that actively drives revenue. The technology that protects your customers also protects your business — from compliance risks, from lost sales, from operational drag. That's not just good security. That's good business.

If you're building the business case internally, the strongest pitch is usually the cash-flow one. Compliance reductions get IT excited, but cash-flow improvements get the finance director to sign. Lead with the same-call settlement maths, support it with the PCI scope reduction, and finish with the operational simplification. That sequence has worked for every successful business case we've watched land at a UK board meeting.

Frequently asked questions#

What is DTMF masking?

DTMF masking is a technique that stops a customer's card details — the digits they type on their phone keypad — from being heard by your agent or stored in your call recordings. The customer's tones are intercepted before they reach your systems, so the card number never enters your environment in the first place.

Is DTMF masking PCI compliant?

DTMF masking on its own doesn't make you PCI compliant — PCI DSS covers a lot more than just phone payments. But it does remove one of the biggest PCI scope problems: your agents, call recordings, and transcripts stop being in scope because they never touch cardholder data. That can move you from a full SAQ D self-assessment down to a much shorter SAQ A. The full PCI standard is published by the PCI Security Standards Council.

What's the difference between DTMF masking and channel separation?

DTMF masking is the outcome — the agent and the recording never get the raw card digits. Channel separation is one way to deliver that outcome: the audio path is split for the few seconds card entry happens. Other techniques exist (suppression, clamping), but channel separation is the cleanest because nothing has to "scrub" tones after the fact — they simply don't reach your side of the call.

Does DTMF masking work with cloud contact centre platforms?

Yes — and it's actually easier with cloud platforms than with on-premise PBXs, because the routing happens in software. Most modern cloud contact centres support either native masking modules or integrations with payment platforms like Paytia. We've integrated with all of the common ones — Genesys, Five9, NICE CXone, Talkdesk, RingCentral, Amazon Connect, 8x8 — and the integration pattern is straightforward.

Will my agents still be able to help the customer during the payment?

Yes. The agent stays on the line and can see progress indicators (e.g., "card number entered", "expiry entered") without ever hearing or seeing the digits themselves. If the customer makes a mistake, the agent can guide them through a retry. The conversational experience doesn't break.

What does DTMF stand for?

Dual-Tone Multi-Frequency. It's the technical name for the sound your phone makes when you press a key on the keypad — each digit is a unique combination of two audio frequencies layered together. DTMF was invented in the 1960s to replace pulse dialling.

How long does channel separation take to implement?

Most deployments are live within a week, sometimes within a day. The technical configuration is genuinely quick — adding a transfer destination to your telephony, configuring the masking platform with your acquirer details, and putting the payment URL into your agent desktop. What takes longer is the procedural decisions: which call flows you mask, what the agent's script sounds like, how you handle refunds. We typically run a kick-off call, get the integration ready in 2–3 days, then run a few test calls before going live with one team. Full roll-out across a larger contact centre might take 2–4 weeks if you want to phase it carefully.

What happens to my existing call recordings — do I have to delete them?

You don't have to delete them, but you should think about retention. If your historic recordings contain card data captured under pause-and-resume (or worse, no masking at all), that data is still in scope until those recordings expire. The simplest path is to keep your normal retention policy and let the old data age out naturally, while new recordings from the masking go-live date contain no card data. If you have specific obligations to act faster — for example after a SAR or following a breach — work with your DPO on a redaction plan.

How much does channel separation cost?

Pricing varies by volume and platform, but for most UK SMEs and mid-market businesses it works out to a small fee per transaction — typically a few pence to tens of pence per payment, with no minimum commitment for most of the channel separation platforms on the market. The PCI compliance savings alone usually cover the cost several times over. We're happy to put together a specific cost model for your call volume — have a quick chat with us and we'll do the maths together.

Does channel separation work for refunds as well as new payments?

Yes. Refunds typically run through the same secure channel, with the customer keying in the card number to refund. In many setups you can also process refunds against the original transaction token — which means the customer doesn't even need to re-enter their card details for a refund. The exact options depend on your acquirer's tokenisation support, but most modern UK acquirers handle this well.

Related guides in this cluster#

For the product side, see our DTMF masking solution.

Curious how Paytia fits in? Have a quick chat with us — we'll show you in 15 minutes whether we're a fit.