If you're running a business where customers pay by calling you, there are more options than most people realise — and more compliance traps than most people expect. This guide works through how to take card payments over the phone in the UK, what each approach means for PCI compliance, and how to pick the right setup for your situation.
There are four practical ways to do it. Each one puts a different level of card data inside your business environment, and that difference matters when it comes to your PCI obligations.
The four ways to take card payments over the phone
Live agent with manual card entry
This is how most businesses start: a customer calls in, your agent asks for the card number, and the agent types it into a payment terminal or web-based gateway. It's simple to set up, works with almost any payment processor, and needs no specialist telephony equipment.
The problem is scope. The moment your agent hears a card number, every system that agent touches — the CRM they're working in, the call recording software capturing the conversation, the network their laptop is sitting on — becomes part of your PCI cardholder data environment. That puts you on SAQ D, which runs to around 329 individual requirements. For most small and mid-sized businesses, that's a serious compliance overhead they weren't expecting when they signed up for a phone payment facility.
There's also the call recording issue. PCI DSS 4.0.1 is explicit: sensitive authentication data, including the CVV, must not be stored after authorisation. If your call recording system captures a customer reading out their three-digit security code, those recordings contain sensitive authentication data and need to be handled accordingly — which typically means redacting them or locking them down under tight access controls.
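One practical check that follows from this is to scan transcripts of recorded calls for card numbers and security codes before the recordings are archived, so that anything containing sensitive authentication data can be redacted or pulled into restricted storage. The code below is an added example, not Paytia's product code or anything from this page: it assumes the recordings have been transcribed to text, uses a constructed sample transcript, and relies on a Luhn check to tell a card number apart from an account reference of similar length.

```python
from __future__ import annotations
import re

# Constructed transcript of a manual-entry payment call (sample data, not from
# any real recording). 4111 1111 1111 1111 is a widely published test card number.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I take the long number on the front of the card?",
    "Customer: It's 4111 1111 1111 1111, expiry 09/27.",
    "Agent: And the three-digit security code on the back?",
    "Customer: 737.",
    "Agent: Your account reference is 1234 5678 9012 3456, is that right?",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# An agent asking for the security code means the next digits the customer
# speaks are very likely the CVV, which must not be stored after authorisation.
CVV_PROMPT = re.compile(r"security code|cvv|cvc|three[- ]digit", re.IGNORECASE)
CVV_VALUE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; weeds out account references and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid card number with a masked form that keeps the last four digits."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # a long number, but not a card number
        count += 1
        return f"[PAN ****{digits[-4:]}]"

    return PAN_CANDIDATE.sub(repl, line), count


def redact_transcript(lines: list[str]) -> tuple[list[str], dict]:
    """Redact PANs and CVVs and report which lines held them, so the matching
    recording can be redacted or locked down under tight access controls."""
    redacted, pan_lines, cvv_lines = [], [], []
    cvv_expected = False
    for idx, line in enumerate(lines):
        new_line, found = redact_pans(line)
        if found:
            pan_lines.append(idx)
        elif cvv_expected:
            new_line, hits = CVV_VALUE.subn("[CVV REDACTED]", new_line)
            if hits:
                cvv_lines.append(idx)
        cvv_expected = bool(CVV_PROMPT.search(line))
        redacted.append(new_line)
    report = {
        "pan_lines": pan_lines,
        "cvv_lines": cvv_lines,
        "contains_sad": bool(cvv_lines),  # sensitive authentication data present
        "needs_redaction": bool(pan_lines or cvv_lines),
    }
    return redacted, report


if __name__ == "__main__":
    for text in redact_transcript(SAMPLE_TRANSCRIPT)[0]:
        print(text)
```

Run against the sample, the card number line becomes `Customer: It's [PAN ****1111], expiry 09/27.`, the spoken security code is removed, and the account reference is left untouched because it fails the Luhn check. The report flags the recording as containing sensitive authentication data, which is the trigger for redaction under the rule quoted above.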
DTMF keypad entry
DTMF stands for dual-tone multi-frequency — the tones your phone generates when you press the keypad. With a DTMF-based payment system, instead of reading their card number aloud to your agent, the customer keys it in on their phone. The agent stays on the line and the conversation carries on normally, but the card digits go directly to a certified payment processor without passing through your network or your call recording.
DTMF masking is the specific technology that makes this work — it suppresses the keypress tones so they can't be heard or captured by your telephony system. When it's properly in place, you can typically move from SAQ D to a much shorter questionnaire, because card data genuinely doesn't enter your environment at all. The customer experience is good too: there's no awkward read-out-loud moment, and the agent can guide the customer through keying in their details while the conversation continues naturally.
IVR and automated self-service
An Interactive Voice Response system handles the payment entirely without a live agent. The customer calls a number, navigates an automated menu, and keys their card details directly into the IVR system, which passes them to a payment processor. Your call centre never handles the card data.
IVR works well for repeat transactions, utility bill payments, subscription renewals, and any scenario where the payment itself is the point of the call. For more complex transactions where the customer needs to talk through their account first, you'd typically start with a live agent and transfer to the IVR payment step at the right moment — which is where an agent-assisted payment flow comes in. Our telephone payments page covers both IVR and agent-assisted flows in detail, including the integrations we support with common contact centre and telephony platforms.
Payment links sent during the call
The fourth option is to send the customer a payment link by SMS or email while they're on the call. The agent generates the link, the customer pays on their phone or browser, and the agent can see the confirmation come through in real time. No card data passes through your telephony environment — the customer pays through a hosted payment page that sits entirely within your payment processor's infrastructure.
Payment links are particularly useful for outbound collections calls, where the customer may be more comfortable paying themselves rather than reading card details over a phone line. They're also easy to implement, since you're essentially just triggering a link that your payment processor already provides.
The PCI compliance trap
The compliance picture for phone payments catches people out more than almost any other payment channel. The core rule is straightforward: any system that touches card data is in scope, and any system connected to one of those is also in scope unless it's properly segmented. In a phone payment environment, the connectivity goes further than most people expect.
When an agent takes a card number verbally, the audio passes through your telephony system, your call recording platform, the agent's headset, their computer, the network they're sitting on, and whatever CRM or payment gateway they're typing into. All of it is in scope. If you've got multiple agents, all of their environments are in scope. If your call recording is archived to a shared storage server, that server is in scope. If your QA team reviews recordings to check call quality, the systems they use are in scope.
That's how businesses end up on SAQ D with 329 requirements when they thought they were running a simple phone payment operation. SAQ D is designed for full card data environments — it's the questionnaire for businesses that store, process or transmit card data in systems they own and control. It requires penetration testing, network segmentation, detailed logging, vulnerability scanning, and an annual third-party assessment for higher-volume merchants. Our PCI-compliant call centre page has a fuller breakdown of how the SAQ tiers map to different payment architectures.
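The scoping rule in the two paragraphs above is mechanical enough to model: start from every system that handles card data, then follow each connection outward until a properly segmented boundary stops you. The code below is an added example, not from this page or from Paytia. It uses a constructed call-centre asset list and connection map, and the segmentation decisions in it are assumptions for the sake of illustration (in particular, it treats the links from a DTMF masking layer into your estate as segmented because they carry only masked audio and an authorisation confirmation).

```python
from collections import deque

# Constructed call-centre asset inventory (sample data, not from the original page).
YOUR_ASSETS = {
    "pbx", "call_recording", "recording_archive", "qa_review_tool",
    "agent_headset", "agent_workstation", "office_lan", "crm",
    "payment_gateway_portal", "hr_fileserver",
}

# Undirected connections between those assets.
CONNECTIONS = [
    ("pbx", "call_recording"),
    ("pbx", "agent_headset"),
    ("agent_headset", "agent_workstation"),
    ("agent_workstation", "office_lan"),
    ("agent_workstation", "crm"),
    ("agent_workstation", "payment_gateway_portal"),
    ("call_recording", "recording_archive"),
    ("recording_archive", "qa_review_tool"),
    ("office_lan", "crm"),
    ("office_lan", "hr_fileserver"),
]


def link(a, b):
    """Order-independent key for an undirected connection."""
    return frozenset((a, b))


def pci_scope(touches_card_data, connections, segmented=frozenset()):
    """Anything that touches card data is in scope, and anything connected to an
    in-scope system is in scope too, unless the link is properly segmented."""
    adjacency = {}
    for a, b in connections:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    in_scope = set(touches_card_data)
    queue = deque(in_scope)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour in in_scope or link(node, neighbour) in segmented:
                continue
            in_scope.add(neighbour)
            queue.append(neighbour)
    return in_scope


def manual_entry_scope(segment_hr_fileserver=True):
    """Agent hears the PAN: the audio path, headset, workstation and gateway
    screen all handle card data. Optionally the HR file server is segmented off."""
    touches = {"pbx", "call_recording", "agent_headset",
               "agent_workstation", "payment_gateway_portal"}
    segmented = {link("office_lan", "hr_fileserver")} if segment_hr_fileserver else set()
    return pci_scope(touches, CONNECTIONS, segmented) & YOUR_ASSETS


def dtmf_masking_scope():
    """Keypad digits go from the masking layer straight to the provider; the
    links back into your estate are modelled as segmented boundaries (assumption)."""
    provider_side = {"dtmf_masking_layer", "payment_provider"}
    connections = CONNECTIONS + [
        ("dtmf_masking_layer", "pbx"),
        ("dtmf_masking_layer", "agent_workstation"),
        ("dtmf_masking_layer", "payment_provider"),
    ]
    segmented = {link("dtmf_masking_layer", "pbx"),
                 link("dtmf_masking_layer", "agent_workstation")}
    return pci_scope(provider_side, connections, segmented) & YOUR_ASSETS


if __name__ == "__main__":
    print("manual entry:", sorted(manual_entry_scope()))
    print("manual entry, no segmentation:", sorted(manual_entry_scope(False)))
    print("DTMF masking:", sorted(dtmf_masking_scope()))
```

With manual entry, nine of the ten assets land in scope, including the recording archive and the QA review tool that never deliberately handled a payment; only the segmented HR file server stays out, and without that segmentation the whole estate is in. With the masking layer as the only thing that handles the digits, none of your own assets are in scope, which is the shift the text describes.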
How DTMF masking takes you out of scope
DTMF masking works at the audio level. When your telephony system detects that the customer has entered keypad tones, the masking layer intercepts those tones before they reach the call recording or the agent's audio stream. The card number travels directly to a certified payment service provider — in Paytia's case, to the acquirer through our PCI DSS Level 1 infrastructure. Nothing card-related touches your network.
On the agent side, what you'd see is flat replacement tones instead of the actual keypad tones, then a payment confirmation arriving on screen once the transaction is authorised. The agent can keep talking to the customer throughout. The call recording captures the conversation but contains no card data. Your QA team can review recordings without worrying about cardholder exposure. Your CRM, your recording archive, your network — none of them have handled card information.
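To make the audio-level description concrete, and to tie it back to the DTMF keypad entry section earlier, here is a small simulation of what a masking layer does to a call stream. It is an added example written for this article, not Paytia's implementation or any code from this page: the tone frequencies are the standard DTMF keypad pairs, the frame size, detection threshold and 1000 Hz replacement tone are assumptions, and the "speech" in the call is a constructed stand-in made of a few sinusoids rather than real audio. Digit detection uses the Goertzel algorithm, a standard way to measure energy at a single frequency.

```python
import math

SAMPLE_RATE = 8000       # 8 kHz telephony audio
FRAME = 800              # 100 ms analysis frames (assumption)
ROW_FREQS = [697, 770, 852, 941]        # standard DTMF row tones
COL_FREQS = [1209, 1336, 1477, 1633]    # standard DTMF column tones
KEYPAD = ["123A", "456B", "789C", "*0#D"]
MASK_TONE_HZ = 1000      # flat replacement tone the agent and recorder hear (assumption)


def synth(freqs, amp=0.5, n=FRAME):
    """Sum of sinusoids; used for keypad tones, the mask tone and stand-in speech."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf_frame(digit):
    """One frame of the row/column tone pair for a keypad digit."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return synth([ROW_FREQS[row], COL_FREQS[col]])


def goertzel_power(frame, freq):
    """Energy at a single frequency via the Goertzel recurrence."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame, min_ratio=0.25):
    """Return the keypad digit present in the frame, or None for speech, silence
    or the mask tone. Each DTMF component carries about half the frame energy."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None
    scale = energy * len(frame) / 2      # power a pure tone of this energy would show
    row_p = [goertzel_power(frame, f) / scale for f in ROW_FREQS]
    col_p = [goertzel_power(frame, f) / scale for f in COL_FREQS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    if row_p[r] < min_ratio or col_p[c] < min_ratio:
        return None
    return KEYPAD[r][c]


SPEECH_STANDIN = synth([300, 1000, 2500])   # constructed stand-in for talking
SILENCE = [0.0] * FRAME


def build_customer_audio(digits):
    """Constructed call: speech, then one keypress per frame with gaps, then speech."""
    frames = [SPEECH_STANDIN]
    for d in digits:
        frames += [dtmf_frame(d), SILENCE]
    frames.append(SPEECH_STANDIN)
    return frames


def decode_digits(frames):
    """What anything listening to a stream (agent, recorder, QA tool) can recover."""
    out, last = [], None
    for frame in frames:
        d = detect_digit(frame)
        if d is not None and d != last:
            out.append(d)
        last = d
    return "".join(out)


def mask_dtmf(frames):
    """The masking layer: keypad frames are swapped for the flat tone in the stream
    that continues to the agent and recorder; the digits go only to the payment side."""
    masked, captured, last = [], [], None
    for frame in frames:
        d = detect_digit(frame)
        if d is None:
            masked.append(frame)
        else:
            masked.append(synth([MASK_TONE_HZ]))
            if d != last:
                captured.append(d)
        last = d
    return masked, "".join(captured)


if __name__ == "__main__":
    call = build_customer_audio("4111")
    masked_stream, to_provider = mask_dtmf(call)
    print("recording without masking decodes:", decode_digits(call))
    print("recording with masking decodes:", repr(decode_digits(masked_stream)))
    print("digits passed to payment side:", to_provider)
```

Run as written, the unmasked stream decodes back to the keyed digits, which is exactly the exposure the call recording would carry under manual entry. After masking, the same decoder recovers nothing from the stream the agent and recorder receive, while the digits are available on the payment side only. Real systems handle variable press durations, twist between the two tones and line noise; this model assumes one clean frame per keypress.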
The compliance position shifts accordingly. Rather than SAQ D, businesses using a properly implemented DTMF masking solution from a Level 1 provider can typically qualify for a much shorter questionnaire, because the cardholder data environment is the provider's, not yours. We've covered how this works technically on our take card payments over the phone solution page.
What it costs and how to choose
Costs vary depending on your setup and call volume. Most providers charge a monthly platform fee plus a per-transaction fee; some include the telephony integration, some don't. For high-volume contact centres, pricing is usually agreed separately based on your specific setup.
The more useful cost comparison is the total picture — platform fee versus what SAQ D compliance costs you if you stay on manual entry. A full SAQ D process, combined with penetration testing, vulnerability scanning, and the IT overhead of keeping a large card data environment compliant, typically runs to several thousand pounds a year for a mid-sized operation. A DTMF masking platform that takes you out of that scope often pays for itself in reduced compliance overhead within the first year.
When you're evaluating providers, the things that matter most are: PCI DSS Level 1 certification (not just "PCI compliant" — ask for their Attestation of Compliance), integration with your existing telephony setup, what the agent experience looks like during a payment call, and how quickly you can go live. We integrate with Aircall, 3CX, Zoom, and most major contact centre platforms, and most customers are live within a few days.
Getting started
If you're starting from scratch, the simplest path is usually to get a DTMF masking solution integrated with your existing phone system and point it at the payment processor you're already using. You typically don't need to change your acquirer or your CRM — the masking layer sits in front of your telephony and handles the secure capture, then passes the authorisation confirmation back into your workflow.
If you're currently taking card numbers manually and want to understand exactly where your compliance boundary sits before deciding what to change, that's a reasonable starting point too. We can work through your current setup and show you where the scope lines are. Get in touch or book a demo and we'll walk through it using your actual phone system.
Take card payments over the phone without the PCI headache
Paytia integrates with Aircall, 3CX, Zoom, and most major contact centre platforms. UK Companies House registered, PCI DSS Level 1, Cyber Essentials Plus. Most setups go live within days.