PCI Compliance | 8 April 2026 | 5 min read

Pause and Resume vs DTMF Masking: Which Is Safer?

Pause and resume leaves agents exposed to card data. DTMF masking and channel separation don't. Here's a direct comparison of all three methods for securing phone payments.

If you take card payments over the phone, you've probably met the big three: pause and resume, DTMF masking, and channel separation. They sound similar. They're not. The differences matter — for your PCI DSS audit and for the people who actually work on the phones.

What Is Pause and Resume?

Pause and resume is the oldest approach, and it's exactly what it sounds like. When the customer is ready to give their card details, the agent manually pauses the call recording, the customer reads out their card number and CVV, and the agent resumes recording once the payment is done.

It's simple to understand, and for a long time it was the default answer to "how do we handle PCI?" in contact centres. The catch is that it only addresses one part of the problem, the recording, and it relies entirely on the agent doing the right thing at the right time.

Why Pause and Resume Falls Short

The most obvious issue is that your agent still hears the card number. They're sitting there, on the call, while the customer reads out 16 digits, an expiry date, and a 3-digit security code. That means your agent is a point of exposure. Their workstation is a point of exposure. If there's anyone else within earshot, they're one too.

PCI DSS is concerned with all of that. The standard talks about protecting cardholder data, not just keeping it out of recordings. An agent who can hear a card number and scribble it on a Post-it note is a risk regardless of whether the recorder is running.

Then there's everything that can go wrong operationally. Agents forget to pause, or they forget to resume — either way, the recording is now a problem. You can't easily prove to a QSA that every pause happened at the right moment, because call recording metadata rarely gives you a clean audit trail. Recordings end up with gaps, which makes them harder to use for training or disputes. And every payment now has a manual pause-take-details-resume step inserted into the middle of it, which adds friction and pushes up average handle time.
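The evidence a QSA would ask for can be expressed as a check. This added example (not Paytia's code) compares each call's card-entry window with the recorder's pause intervals and reports how many seconds of card entry were recorded and how much of the call was lost to pausing. The record layout, call ids, timestamps and the 10-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

def t(clock):
    """Constructed same-day timestamp."""
    return datetime.fromisoformat("2026-04-08T" + clock)

# Constructed records. Assumed sources: recorder pause/resume events and the
# payment application's card-entry start/end times, keyed by call id.
PAUSES = {
    "call-001": [(t("10:02:10"), t("10:03:05"))],   # paused correctly
    "call-002": [(t("11:15:40"), t("11:16:30"))],   # paused 25 s late
    "call-003": [],                                 # never paused
    "call-004": [(t("14:00:00"), t("14:02:10"))],   # resumed 40 s late
}
CARD_ENTRY = {
    "call-001": (t("10:02:15"), t("10:03:00")),
    "call-002": (t("11:15:15"), t("11:16:20")),
    "call-003": (t("12:30:00"), t("12:30:50")),
    "call-004": (t("14:00:05"), t("14:01:30")),
}

def audit(call_id):
    """Return (seconds of card entry recorded, seconds of call lost to pausing)."""
    start, end = CARD_ENTRY[call_id]
    covered = lost = timedelta()
    for p_start, p_end in PAUSES.get(call_id, []):   # pauses assumed non-overlapping
        overlap = max(min(end, p_end) - max(start, p_start), timedelta())
        covered += overlap
        lost += (p_end - p_start) - overlap          # paused while no card data spoken
    exposed = (end - start) - covered                # card data spoken while recording
    return int(exposed.total_seconds()), int(lost.total_seconds())

def classify(call_id, tolerance_s=10):
    """Label a call for the audit report."""
    exposed, lost = audit(call_id)
    if exposed > 0:
        return "CARD_DATA_RECORDED"
    return "RECORDING_GAP" if lost > tolerance_s else "OK"

if __name__ == "__main__":
    for call_id in CARD_ENTRY:
        print(call_id, audit(call_id), classify(call_id))
```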

To be fair, pause and resume can meet PCI DSS — but it takes tight process controls, regular agent training, and careful auditing to sustain that at scale. For most contact centres, it's the compliance path of last resort, not the right answer.

Paytia doesn't offer pause and resume. That's deliberate. We don't think it protects customers or reduces risk for agents the way the alternatives do.

What Is DTMF Masking?

DTMF stands for Dual-Tone Multi-Frequency — the tones your phone generates when you press a key. Press 4 on your keypad and your phone sends a specific audio tone. DTMF masking intercepts those tones and swaps them for a flat, neutral beep before they reach the agent's headset or the call recorder.

Here's what a payment looks like with DTMF masking:

  1. The agent stays on the call throughout.
  2. The customer is prompted to key in their card number on their phone keypad.
  3. As each digit is pressed, the DTMF tone is detected and replaced with a flat beep.
  4. The agent hears beeps. The recording captures beeps. Neither gets the actual digits.
  5. The payment completes in the background via a secure payment gateway.

The customer never has to read their card number aloud. The agent never hears it. The recording never contains it. One technique, two problems solved.
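Steps 3 and 4 above, shown as an added example (not Paytia's implementation): a Goertzel detector finds each key press in 8 kHz audio and swaps that frame for a flat beep before it reaches the agent and the recorder, while the decoded digits go to the payment side. The frame size, threshold, 1075 Hz beep and the sample call are assumptions constructed for illustration.

```python
import math

RATE, FRAME = 8000, 205            # 8 kHz telephony audio, classic Goertzel block
ROWS = (697, 770, 852, 941)        # DTMF low-group frequencies (Hz)
COLS = (1209, 1336, 1477)          # DTMF high-group frequencies, 12-key pad
KEYS = ("123", "456", "789", "*0#")
MASK_HZ = 1075                     # assumed neutral beep, not a DTMF frequency

def tone(freqs, n, amp=0.4):
    """n samples of summed sine waves."""
    return [amp * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]

def goertzel(frame, freq):
    """Signal power at a single frequency."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect(frame, threshold=400.0):
    """Key whose row and column tones are both present, else None."""
    row = max(ROWS, key=lambda f: goertzel(frame, f))
    col = max(COLS, key=lambda f: goertzel(frame, f))
    if min(goertzel(frame, row), goertzel(frame, col)) < threshold:
        return None
    return KEYS[ROWS.index(row)][COLS.index(col)]

def mask_stream(samples):
    """Return (audio for agent and recorder, digits for the payment side)."""
    agent_leg, digits, last = [], [], None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        key = detect(frame)
        if key is None:
            agent_leg.extend(frame)                         # speech or silence
        else:
            agent_leg.extend(tone((MASK_HZ,), len(frame)))  # flat beep
            if key != last:
                digits.append(key)                          # one per key press
        last = key
    return agent_leg, digits

def sample_call(digits="4111"):
    """Constructed input: a 300 Hz hum, then frame-aligned key presses."""
    audio = tone((300,), 2 * FRAME)
    for d in digits:
        r = next(i for i, row in enumerate(KEYS) if d in row)
        audio += tone((ROWS[r], COLS[KEYS[r].index(d)]), 3 * FRAME)
        audio += [0.0] * (2 * FRAME)                        # gap between presses
    return audio
```

The constructed key presses are aligned to frame boundaries. On live audio a masker has to buffer ahead of the agent leg, otherwise the opening milliseconds of each tone pass through before detection fires.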

What DTMF Masking Gets Right

Agents are never exposed to card data, so there's nothing to mishear, nothing to scribble down, and no insider risk. The process is consistent on every call because the technology handles it, not the person. Call recordings stay running start to finish, which means you keep full call quality data for training and disputes — just without any card data in it. No pause means no missing chunks of conversation and no awkward "agent resumed 40 seconds late" moments for the audit. And because card data never enters your environment, large parts of your infrastructure fall outside PCI scope entirely.

DTMF masking is a core feature of the Paytia platform.

What Is Channel Separation?

Channel separation goes a step further. Instead of masking card data within the existing call, it moves the payment onto an entirely separate audio channel — one that your contact centre infrastructure never touches.

When the payment begins, the customer's audio effectively splits in two. Their voice stays on the main call (so the agent can keep talking to them, reassure them, and confirm everything's fine), but the keypad tones go to a separate, isolated channel that connects directly to the payment system.

The practical effect: there's no path for card data to reach your systems at all. Not even the masked version. It's handled entirely outside your environment.

When Channel Separation Is the Right Choice

For most contact centres, DTMF masking delivers the compliance outcome they need. Channel separation starts to earn its place in environments where regulatory requirements are especially strict (financial services, healthcare), where even masked DTMF tones could raise audit questions, or where the organisation wants the most defensible possible position in a PCI assessment.

Paytia supports channel separation for customers who need it.

Direct Comparison

| Feature | Pause and Resume | DTMF Masking | Channel Separation |
|---|---|---|---|
| Agent hears card data | Yes | No | No |
| Card data in call recording | Risk of yes | No | No |
| Relies on agent action | Yes | No | No |
| Continuous call recording | No (gaps) | Yes | Yes |
| Reduces PCI scope | Partially | Yes | Yes |
| Card data enters your infrastructure | Yes | No | No |
| Audit trail for compliance | Weak | Strong | Strongest |
| Available in Paytia | No | Yes | Yes |

The Compliance Reality

PCI DSS doesn't mandate a specific technical method for securing phone payments — it specifies outcomes. Card data mustn't be stored after authorisation. It has to be protected during transmission. The cardholder data environment has to be controlled and auditable.

Pause and resume can meet the letter of those requirements if implemented perfectly. The trouble is that "implemented perfectly" is hard to sustain across hundreds of agents and thousands of calls. A QSA reviewing your process will want evidence that it works consistently — not just a policy saying it should.

DTMF masking and channel separation take the human element out of compliance. The technology enforces the outcome, which means the QSA conversation gets a lot simpler.

What Customers Actually Experience

From a customer's point of view, being asked to key in card details instead of reading them aloud is usually a relief. People are increasingly uncomfortable saying their card number out loud on a call — they don't know if the agent's in a busy office, whether the call is being recorded, or if there's someone nearby who can hear. Pressing digits feels more private, because it is.

There's a practical upside too. Customers who mishear or misread a digit have to start again. Customers keying in digits tend to get it right first time, which means fewer failed payments and fewer callbacks.

Choosing the Right Approach

If you're using pause and resume today, the question isn't whether you should switch — it's when. The risk exposure and compliance complexity make it the wrong long-term answer for most contact centres.

DTMF masking is the right starting point for most businesses. Channel separation is worth considering if you're in a heavily regulated sector or want the strongest possible compliance position.

Paytia does both. Our platform plugs into your existing telephony — cloud contact centre, traditional PBX, VoIP — and handles the payment entirely within the secure channel. Agents stay on the call, recordings stay complete, and card data never enters your environment.

Want to see how it works on a call flow that looks like yours? Get in touch.
