Every day, thousands of UK contact centres process card payments over the telephone. Agents collect card numbers, expiry dates, and CVV codes from callers — and in doing so, expose their organisations to a web of security, compliance, and reputational risk that many underestimate until something goes wrong.
This guide explains the full landscape of phone payment security for UK contact centres. We cover the specific risks, the regulatory framework you must navigate, the technologies available to protect card data, how to implement them, and a practical checklist you can use to assess your current position. Whether you run a 10-seat customer service team or a 500-seat outsourced operation, the principles and obligations are the same.
Why Phone Payment Security Matters More Than Ever
Telephone payments remain one of the most common payment channels for UK businesses. Insurance renewals, utility bills, charity donations, government fees, and retail orders are all routinely paid by phone. According to UK Finance, card-not-present transactions — which include telephone payments — continue to grow year on year, and so does the fraud targeting them.
Contact centres are particularly attractive targets for fraudsters and data thieves because they concentrate large volumes of card data in a single environment. Every agent who hears a card number, every screen that displays one, every call recording that captures one, and every network that transmits one represents a potential point of compromise.
The consequences of a breach are severe. Under the Payment Card Industry Data Security Standard (PCI DSS), organisations that fail to protect cardholder data face fines from the card schemes (Visa, Mastercard, Amex), increased transaction fees, mandatory forensic investigations at their own expense, and potential loss of the ability to accept card payments altogether. Beyond the financial penalties, the reputational damage can be catastrophic — customers do not return to businesses they no longer trust with their money.
The Regulatory Framework: PCI DSS, FCA, and GDPR
PCI DSS — The Payment Card Industry Data Security Standard
PCI DSS compliance is mandatory for every organisation that stores, processes, or transmits cardholder data. There are no exemptions based on size, sector, or transaction volume. If your agents handle card details over the phone, PCI DSS applies to your entire telephony and IT environment that touches that data.
PCI DSS is structured around twelve core requirements covering network security, access controls, encryption, monitoring, vulnerability management, and security policies. The standard is maintained by the PCI Security Standards Council and enforced by the card brands through acquiring banks.
Your compliance obligations are determined by your PCI DSS level, which is based on annual transaction volume. Most contact centres fall into Level 3 or Level 4, requiring completion of a Self-Assessment Questionnaire (SAQ). The specific SAQ you need depends on how card data flows through your environment — and this is where the choice of payment technology makes an enormous difference.
If agents type card details into a web-based virtual terminal, you typically need SAQ C or the far more demanding SAQ D, which can involve over 300 individual controls. If you use a technology that prevents card data from entering your environment altogether — such as DTMF masking — you may qualify for SAQ A, the simplest questionnaire with roughly 30 controls. The difference in cost, effort, and ongoing burden is substantial.
FCA Consumer Duty
The Financial Conduct Authority’s Consumer Duty, which came into force in July 2023, requires regulated firms to deliver good outcomes for customers. For contact centres in financial services, insurance, and debt collection, this means payment processes must be fair, transparent, and free from unnecessary barriers. Insecure payment methods that cause delays, require customers to repeat sensitive information, or create friction are increasingly difficult to justify under Consumer Duty expectations.
GDPR and the Data Protection Act 2018
Card payment data constitutes personal data under GDPR. If your contact centre records calls — as most do — and those recordings capture card numbers spoken aloud by customers, you are storing personal and financial data in your call recordings. This creates obligations around data retention, access controls, subject access requests, and breach notification. The Information Commissioner’s Office (ICO) can impose fines of up to £17.5 million or 4% of global turnover for serious data protection failures.
Where the Risks Actually Sit
Understanding where card data is exposed in a traditional telephone payment process is essential to addressing the problem. Here are the main risk areas in a typical contact centre.
The agent
In a conventional phone payment, the customer reads their card number aloud, and the agent either types it into a system or writes it down. The agent sees and hears the full card number, expiry date, and CVV. Even with the best policies, background checks, and training, human access to card data creates risk. Internal fraud, social engineering, and simple mistakes — such as writing a card number on a sticky note — are well-documented causes of data compromise in contact centres.
Call recordings
Most contact centres record calls for quality assurance, training, and dispute resolution. If a customer reads their card details aloud during a recorded call, those details are embedded in the audio file. This means your call recording system, its storage infrastructure, and anyone with access to play back recordings all become part of your PCI DSS scope. Pausing and resuming recordings around payment capture is a common workaround, but it is unreliable — agents forget, the timing is imprecise, and the gap in recording can itself create compliance issues if a dispute arises about what was said during the unrecorded portion.
Screens and workstations
When an agent keys card data into a browser-based virtual terminal or CRM payment screen, the card number is visible on the monitor. In open-plan contact centre environments, this creates “shoulder surfing” risk — other agents, visitors, or cleaning staff could see the screen. The data also transits through the workstation’s operating system, keyboard buffer, browser, and local network, each of which falls within PCI DSS scope.
The network
Card data transmitted across your internal network — from the agent’s workstation to a payment gateway, for example — must be encrypted in transit. This extends to VPNs used by remote and home-working agents, Wi-Fi networks, and any proxy or firewall that inspects traffic. Every network device that card data passes through must be secured, patched, monitored, and included in your PCI DSS assessment.
Home and remote working
The shift to hybrid and remote working since 2020 has multiplied these risks. Agents working from home may use personal Wi-Fi networks, shared computers, or work in environments where family members can overhear calls. Extending PCI DSS controls to every agent’s home is impractical and expensive. The only realistic solution is to remove card data from the agent’s environment entirely.
Technologies That Protect Phone Payments
Several technologies exist to reduce or eliminate the exposure of card data in contact centre telephone payments. The two most widely adopted approaches are DTMF masking and channel separation.
DTMF Masking (Tone Suppression)
DTMF masking, also known as DTMF suppression, is the most widely deployed technology for securing telephone payments in UK contact centres. Here is how it works:
- The agent initiates a payment during a live call.
- The customer is prompted to enter their card number, expiry date, and CVV using their telephone keypad.
- The DTMF tones generated by the keypad presses are intercepted by the payment platform before they reach the agent or the call recording system.
- The tones are replaced with flat, uniform tones — the agent hears a sound confirming keys are being pressed but cannot identify which digits were entered.
- The actual card data is routed directly to a PCI DSS Level 1 certified payment gateway, bypassing the agent’s workstation, the contact centre network, and the call recording infrastructure entirely.
- The agent’s screen shows progress indicators (e.g., how many digits have been entered) without ever displaying the card number.
- Once the payment is authorised, both the agent and the customer receive confirmation.
The key advantage of DTMF masking is that it removes the entire contact centre environment from PCI DSS scope. Card data never enters your network, never appears on a screen, is never heard by an agent, and is never captured in a call recording. This typically allows businesses to complete SAQ A — the simplest PCI compliance assessment — rather than SAQ C or D.
Crucially, the agent remains on the line throughout the payment. There is no transfer to an IVR, no break in conversation, and no loss of the human connection that makes telephone payments work for customers who need guidance or reassurance.
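As an added illustration (not Paytia's code or any real platform's), the simulation below shows what each leg of a masked call receives when a caller keys a card number: the agent and the recorder only ever get a uniform tone and a digit count, while the digits themselves go only to the gateway side. The keypad conventions ('*' clears and re-enters, '#' finishes) and the test card number are assumptions made for the example.

```python
# Simulated DTMF-masking interceptor (illustration only, not a vendor's code).
# '*' = clear and re-enter, '#' = entry complete are assumed conventions.
from dataclasses import dataclass, field

MASK_TONE = "beep"  # the flat tone the agent and the call recorder hear per keypress


@dataclass
class Capture:
    agent_leg: list = field(default_factory=list)       # audible to agent and recording
    gateway_digits: list = field(default_factory=list)  # received only by the gateway
    agent_screen: list = field(default_factory=list)    # progress shown on agent screen


def luhn_valid(pan: str) -> bool:
    """Luhn check as a stand-in for gateway-side validation; never run agent-side."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_dtmf_stream(keypresses: str) -> Capture:
    """Route each keypress: digits to the gateway, a flat tone to everyone else."""
    cap = Capture()
    for key in keypresses:
        if key == "#":                       # caller signals entry complete
            break
        if key == "*":                       # caller clears and starts again
            cap.gateway_digits.clear()
            cap.agent_screen.append("cleared, re-entering")
            cap.agent_leg.append(MASK_TONE)
            continue
        if key not in "0123456789":          # anything else is dropped outright
            continue
        cap.gateway_digits.append(key)
        cap.agent_leg.append(MASK_TONE)
        cap.agent_screen.append(f"{len(cap.gateway_digits)} digits entered")
    return cap


def gateway_authorise(cap: Capture) -> dict:
    """Gateway-side decision; returns only what the agent is allowed to see."""
    pan = "".join(cap.gateway_digits)
    ok = 13 <= len(pan) <= 19 and luhn_valid(pan)
    return {"approved": ok, "last4": pan[-4:] if ok else None}


def pan_leaked_to_agent(cap: Capture) -> bool:
    """True if any keyed digit is recoverable from the agent/recording leg."""
    return any(tone != MASK_TONE for tone in cap.agent_leg)
```

Running `mask_dtmf_stream("4111111111111111#")` (a constructed test number) leaves the agent leg as sixteen identical tones and the screen at "16 digits entered", while `gateway_authorise` returns only the approval and the last four digits.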
Channel Separation
Channel separation takes a different approach. Instead of the customer entering card details during the phone call, the agent sends the customer a secure payment link — via SMS, email, or messaging app — while the call is still in progress. The customer opens the link on their own device (smartphone, tablet, or computer) and enters their card details on a hosted payment page.
Channel separation achieves the same fundamental goal as DTMF masking: card data never enters the contact centre environment. The payment page is hosted by the payment provider, so the customer’s card details go directly from their device to the provider’s PCI DSS Level 1 certified infrastructure.
Channel separation has additional benefits: it natively supports 3D Secure authentication (Strong Customer Authentication), it works with digital wallets like Apple Pay and Google Pay, and it gives the customer a visual interface for entering their details rather than relying on keypad input. The agent stays on the call to assist if needed but never handles card data.
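The link lifecycle that makes channel separation work, as an added example that is not Paytia's code or API: the agent side holds only a payment reference and a link, the hosted page on the provider side validates the link and takes the card, and only the outcome and last four digits come back. The HMAC signature, the 15-minute expiry, the single-use rule and the host URL are assumptions made for the example; real authorisation happens inside the provider's certified gateway, which a well-formed-number check stands in for here.

```python
# Simulated secure payment link for channel separation (illustration only).
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

PROVIDER_SECRET = b"example-only-provider-key"   # constructed; held by the provider only
PAY_HOST = "https://pay.example.test/p"          # hypothetical hosted payment page URL
LINK_TTL_SECONDS = 15 * 60                       # assumed link lifetime

_pending = {}   # payment reference -> {"amount_pence": int, "redeemed": bool}


def _sign(ref: str, exp: int) -> str:
    """Bind the reference and expiry together so neither can be altered in the link."""
    return hmac.new(PROVIDER_SECRET, f"{ref}|{exp}".encode(), hashlib.sha256).hexdigest()


def create_payment_link(amount_pence: int, now=None) -> str:
    """Agent side: register the payment and get a link to send by SMS or email."""
    now = int(time.time()) if now is None else now
    ref = secrets.token_urlsafe(12)
    _pending[ref] = {"amount_pence": amount_pence, "redeemed": False}
    exp = now + LINK_TTL_SECONDS
    query = urlencode({"ref": ref, "exp": exp, "sig": _sign(ref, exp)})
    return f"{PAY_HOST}?{query}"


def hosted_page_submit(link: str, card_number: str, now=None) -> dict:
    """Provider side: validate the link, take the card, return only the outcome."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
    ref, sig = q.get("ref", ""), q.get("sig", "")
    exp = int(q.get("exp", "0"))
    if not hmac.compare_digest(sig, _sign(ref, exp)):   # ref or exp was tampered with
        return {"status": "rejected", "reason": "bad signature"}
    if now > exp:
        return {"status": "rejected", "reason": "link expired"}
    entry = _pending.get(ref)
    if entry is None or entry["redeemed"]:
        return {"status": "rejected", "reason": "unknown or already used"}
    entry["redeemed"] = True                            # single use, even if declined
    digits = card_number.replace(" ", "")
    # Stand-in for gateway authorisation: any well-formed card number is approved.
    approved = digits.isdigit() and 13 <= len(digits) <= 19
    return {"status": "approved" if approved else "declined", "ref": ref,
            "amount_pence": entry["amount_pence"], "last4": digits[-4:]}
```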
Choosing Between DTMF Masking and Channel Separation
Both technologies are effective and PCI-compliant. The best choice depends on your customers and your operation:
- DTMF masking is ideal when customers prefer to stay entirely within the phone call, when callers are less comfortable with technology, or when the payment needs to be completed immediately without the customer needing a separate device.
- Channel separation is ideal when you want to offer 3D Secure authentication, support digital wallets, or give customers the option to pay after the call ends.
- Many organisations offer both, letting the agent choose the most appropriate method for each customer and situation.
Approaches to Avoid
Some older methods of handling phone payment security are no longer considered adequate:
- Pause-and-resume call recording — Unreliable in practice, does not address agent access to card data, and creates gaps in recordings that undermine quality assurance and dispute resolution.
- Clean rooms — Physically segregating payment agents in separate rooms with no phones, pens, or personal devices. Expensive, operationally disruptive, and does not address digital exposure through screens and networks.
- Post-call IVR transfer — Transferring the customer to an automated IVR to enter card details after the agent conversation ends. This breaks the customer experience, increases abandonment rates, and removes the agent’s ability to help if something goes wrong.
Implementation: How to Secure Phone Payments in Practice
Deploying secure phone payment technology is more straightforward than many organisations expect. Here is a practical overview of what is involved.
Step 1: Assess your current state
Map how card data currently flows through your contact centre. Identify every system, person, and process that touches cardholder data — from the moment the customer speaks their card number to the point the transaction is confirmed. This includes agents, workstations, networks, VPNs, call recording systems, CRM platforms, and any paper-based processes.
Step 2: Choose your technology
Select a payment security provider that offers DTMF masking, channel separation, or both. Evaluate providers against these criteria:
- PCI DSS Level 1 certification (validated by an independent QSA)
- Compatibility with your existing telephony platform (on-premise PBX, cloud telephony, Microsoft Teams, etc.)
- Integration with your payment gateway and acquiring bank
- Support for your CRM or business applications
- Deployment model (cloud-based is fastest and most flexible)
- UK-based support and onboarding
Step 3: Integrate with your telephony
Cloud-based DTMF masking solutions typically integrate via SIP trunking or API, meaning no hardware needs to be installed in your contact centre. For organisations using cloud telephony platforms like Microsoft Teams, 8x8, RingCentral, or Genesys, integration is usually a configuration exercise rather than a development project. On-premise PBX systems (Avaya, Cisco, Mitel) can also be supported through SIP-based connections.
Step 4: Configure and test
Work with your provider to configure payment flows, agent interfaces, and reporting. Test thoroughly with your team before going live — including edge cases such as failed payments, timeouts, and customers who need to re-enter details.
Step 5: Train your agents
Agent training is critical. Agents need to understand how the payment process works, how to guide customers through keypad entry or payment link completion, and what to do if something goes wrong. Good training also reinforces why the technology exists — protecting both the customer and the agent from the consequences of a data breach.
Step 6: Update your PCI DSS documentation
Once card data no longer enters your contact centre environment, you can reclassify your PCI DSS scope and move to a simpler SAQ. Work with your acquiring bank or a Qualified Security Assessor to confirm your new compliance position and complete the appropriate questionnaire.
Real-World Impact: What Secure Phone Payments Deliver
Organisations that implement DTMF masking or channel separation consistently report tangible benefits beyond compliance:
- Reduced PCI DSS scope and cost — Moving from SAQ D (300+ controls) to SAQ A (approximately 30 controls) can save tens of thousands of pounds annually in audit, remediation, and operational overhead.
- Enabled home and hybrid working — When card data never enters the agent environment, agents can work from any location without extending PCI controls to their home network.
- Improved customer experience — Customers no longer need to read their card number aloud, and the payment is completed seamlessly within the call. No transfers, no IVR menus, no follow-up.
- Lower fraud and breach risk — Eliminating human access to card data removes the most common vector for internal fraud and social engineering attacks in contact centres.
- Faster payment completion — Streamlined payment flows reduce average handling time, freeing agents to handle more calls.
- Uninterrupted call recording — With DTMF masking, call recordings continue throughout the payment without capturing card data. This preserves the full record for quality assurance and dispute resolution.
Phone Payment Security Checklist for UK Contact Centres
Use this checklist to assess your current phone payment security posture:
- Card data exposure: Can agents see, hear, or access card numbers during a payment? If yes, your PCI DSS scope includes the entire agent environment.
- Call recordings: Do your call recordings capture card details spoken by customers? If yes, your recording infrastructure is in PCI scope.
- SAQ level: Which SAQ are you currently completing? If it is SAQ C or D, there is significant scope to simplify.
- Home workers: Do any agents take payments from home? If yes, how are you extending PCI controls to their environment?
- Pause-and-resume: Are you relying on pause-and-resume call recording as a security measure? If yes, this is not a robust long-term solution.
- Technology in place: Do you use DTMF masking, channel separation, or both? If neither, card data is flowing through your environment.
- Payment provider certification: Is your payment technology provider PCI DSS Level 1 certified? Can they provide their Attestation of Compliance?
- Agent training: Have agents been trained on secure payment procedures within the last 12 months?
- Incident response: Do you have a documented plan for responding to a payment data breach?
- Regular review: When did you last review your phone payment processes against PCI DSS requirements?
How Paytia Secures Phone Payments for UK Contact Centres
Paytia provides purpose-built secure telephone payment solutions for UK contact centres, combining DTMF suppression and channel separation in a single platform.
- PCI DSS Level 1 certified — Validated annually by an independent Qualified Security Assessor. Card data is processed entirely within Paytia’s certified infrastructure.
- DTMF masking — Agents stay on the call while customers enter card details via their keypad. Tones are masked in real time; card data never reaches the agent, the workstation, or the call recording.
- Secure payment links — Send customers a branded payment link during or after the call. Supports 3D Secure, Apple Pay, Google Pay, and card-not-present payments.
- Works with any telephony — Cloud, on-premise, or hybrid. Compatible with Microsoft Teams, 8x8, RingCentral, Genesys, Avaya, Cisco, and more.
- No hardware required — Fully cloud-based deployment. Agents need only a phone and a web browser.
- Real-time dashboards and reporting — Full visibility of payment status, transaction history, and agent activity.
- UK-based support — Onboarding, training, and ongoing support from a UK team that understands contact centre operations.
If your contact centre takes card payments over the phone and you want to remove card data from your environment, reduce your PCI DSS compliance burden, and improve the payment experience for your customers, book a demo with Paytia or get in touch to discuss your requirements.
Further reading: DTMF masking glossary | PCI DSS glossary | Card-not-present glossary | DTMF suppression solutions | Channel separation solutions