Taking credit card payments over the phone is a routine part of business for thousands of UK organisations, from contact centres and insurance providers to local councils and medical practices. But the regulatory landscape governing these transactions is complex, and the consequences of non-compliance can be severe — from substantial fines to reputational damage and loss of the ability to process card payments altogether.
This guide sets out the key regulations that apply to taking credit card payments over the phone in the UK, explains what they mean in practice, and shows how modern payment technology can help you meet your obligations efficiently.
Is It Safe to Pay Over the Phone?
Yes — paying over the phone with a credit card is safe, provided the business you are dealing with follows proper security practices. Millions of legitimate phone payments are processed every day in the UK, and strong regulations exist specifically to protect both consumers and businesses.
The key factors that make a phone payment safe are:
- You initiated the call — You called the business on a verified number, rather than responding to an unsolicited call
- The business uses secure payment technology — Systems like DTMF masking ensure your card details are never heard, seen, or recorded by agents
- The business is PCI DSS compliant — This means they meet the global security standard for handling card data, with encryption, access controls, and regular testing
- Your card details are not stored unnecessarily — Reputable businesses process the payment and do not retain your full card number or CVV
Phone payments are card-not-present transactions, so the card schemes and PCI DSS apply extra safeguards to them. UK consumers also have strong legal protections: Section 75 of the Consumer Credit Act 1974 makes the credit card issuer jointly liable with the seller for purchases where a single item costs more than £100 and up to £30,000, and the card schemes' chargeback rules let a debit or credit card holder dispute a transaction through their issuer.
Where phone payments become unsafe is when businesses cut corners on security: agents writing down card numbers, unencrypted call recordings capturing payment details, or outdated systems that leave data exposed. The regulations below exist precisely to prevent this, and choosing a business that takes compliance seriously is your best protection.
The Three Regulatory Pillars
UK businesses taking card payments over the phone must satisfy three overlapping regulatory frameworks. Understanding each one, and how they interact, is essential for building a compliant payment operation.
1. PCI DSS: The Payment Card Industry Data Security Standard
PCI DSS is the global security standard maintained by the PCI Security Standards Council, which was founded by Visa, Mastercard, American Express, Discover, and JCB. It applies to every organisation that stores, processes, or transmits cardholder data, which includes any business taking card payments over the phone.
What PCI DSS Requires
The standard comprises 12 core requirements organised under six goals. The summary below follows the familiar v3.2.1 wording; v4.0, which became the only valid version on 31 March 2024, keeps the same six goals but rewords and extends the requirements (for example, "anti-virus software" became "anti-malware solutions"):
- Build and maintain a secure network — Install and maintain firewalls, and do not use vendor-supplied default passwords
- Protect cardholder data — Encrypt stored card data and encrypt transmissions across open or public networks
- Maintain a vulnerability management programme — Use and regularly update anti-virus software, and develop secure systems and applications
- Implement strong access controls — Restrict access to cardholder data on a need-to-know basis, assign unique IDs to each person with access, and restrict physical access
- Monitor and test networks regularly — Track and monitor all access to network resources and cardholder data, and regularly test security systems
- Maintain an information security policy — Create and maintain a policy that addresses information security for all staff
PCI DSS Compliance Levels
Your merchant level is assigned by your acquirer from your annual transaction volume with each card brand. The thresholds below are Visa's; Mastercard's are similar but not identical:
- Level 1 — Over 6 million transactions per year: requires an annual on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance, and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
- Level 2 — 1 to 6 million transactions: requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans
- Level 3 — 20,000 to 1 million e-commerce transactions: requires an annual SAQ and quarterly ASV scans
- Level 4 — Fewer than 20,000 e-commerce transactions, or any other merchant with up to 1 million transactions in total: requires an annual SAQ, plus quarterly ASV scans where your acquirer requires them
SAQ Types for Phone Payments
The Self-Assessment Questionnaire you need depends on how you handle card data:
- SAQ A — For card-not-present businesses that have fully outsourced all handling of card data to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of card data on their own systems. This is the simplest questionnaire with the fewest requirements. Businesses using Paytia’s secure payment platform can typically qualify for SAQ A; your acquirer confirms which SAQ you may use
- SAQ C-VT — For businesses that manually key one transaction at a time into a web-based virtual terminal on an isolated workstation, with no electronic storage of card data. More requirements than SAQ A but fewer than SAQ D
- SAQ D — The most comprehensive questionnaire, required when card data passes through or is stored on your own systems, or when no other SAQ fits. Contains over 300 individual requirements
The difference in effort between SAQ A and SAQ D is enormous. SAQ A runs to roughly 22 questions under v3.2.1 and a few more under v4.0; SAQ D runs to over 300. Choosing the right payment technology can be the single biggest factor in reducing your PCI DSS compliance burden.
Call Recording and PCI DSS
Call recording presents one of the biggest PCI DSS challenges for phone payment operations. If your call recordings capture card details, they become cardholder data that must be protected under the full weight of PCI DSS. This means recordings must be encrypted at rest and in transit, access must be strictly controlled and logged, recordings containing card data must be securely deleted when no longer needed, and your entire call recording infrastructure falls within PCI DSS scope.
The most practical solution is to keep card data out of the recording in the first place. With DTMF masking the customer keys the card number on their phone keypad. The payment platform sits in the call path, reads the digits from the DTMF signalling and passes them straight to the payment processor, while the audio that reaches the agent and the call recorder has each keypad tone replaced by a flat tone. The agent hears that a digit was pressed but not which one, and the recording never contains anything that can be decoded back into a card number. The main alternative, pausing the recorder while the customer reads the number out, keeps the recording clean but still passes the number through the agent's ears and desktop, so the agent environment stays in PCI DSS scope; the PCI SSC information supplement "Protecting Telephone-Based Payment Card Data" discusses both approaches.
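The mechanism described above, as an added example rather than Paytia's code or any real platform's: a small pure-Python model of a DTMF masker. It synthesises the keypad tones for a card number (constructed audio, using Visa's public test number 4111 1111 1111 1111), detects each digit with the Goertzel algorithm, hands the digits to the "payment platform" side, and hands the recorder a copy in which every detected frame is replaced by a flat 300 Hz tone. The sample rate, frame size, detection thresholds and mask tone are assumptions chosen for the demo, not values from the page.

```python
"""DTMF detect-and-mask demo (added example, not Paytia's code).

Models the split that DTMF masking relies on: the payment platform reads
the keypad digits out of the audio, while the call recorder only ever sees
the same stream with those tones replaced by a flat tone.
Standard library only; 8 kHz mono float samples stand in for call audio.
"""
import math

FS = 8000                                  # assumed sample rate (Hz), telephony-grade
FRAME = 205                                # classic Goertzel block size for DTMF at 8 kHz
LOW = (697, 770, 852, 941)                 # DTMF row frequencies (ITU-T Q.23)
HIGH = (1209, 1336, 1477, 1633)            # DTMF column frequencies (ITU-T Q.23)
KEYS = ("123A", "456B", "789C", "*0#D")    # keypad laid out as rows x columns
MASK_HZ, MASK_AMP = 300.0, 0.2             # the flat tone the recorder hears instead (assumed)


def synth_dtmf(digits, tone_ms=80, gap_ms=40, amp=0.45):
    """Constructed sample audio: each key as its two-tone burst, then silence."""
    out = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYS) if d in row)
        c = KEYS[r].index(d)
        for n in range(FS * tone_ms // 1000):
            t = n / FS
            out.append(amp * math.sin(2 * math.pi * LOW[r] * t)
                       + amp * math.sin(2 * math.pi * HIGH[c] * t))
        out.extend([0.0] * (FS * gap_ms // 1000))
    return out


def goertzel_power(frame, freq):
    """Squared magnitude of the DFT of `frame` at one arbitrary frequency."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame, min_energy=1e-3, min_share=0.1):
    """Return the key pressed during `frame`, or None.

    Powers are normalised by frame length and energy, so a clean two-tone
    frame scores about 0.25 per tone; a single tone (such as the mask tone)
    or speech rarely puts 10% of its energy into one DTMF bin. A production
    detector adds the ITU-T Q.24 twist and timing checks on top of this.
    """
    energy = sum(x * x for x in frame)
    if energy / len(frame) < min_energy:   # silence: nothing to decode
        return None
    norm = len(frame) * energy
    low = [goertzel_power(frame, f) / norm for f in LOW]
    high = [goertzel_power(frame, f) / norm for f in HIGH]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    if low[r] < min_share or high[c] < min_share:
        return None
    return KEYS[r][c]


def mask_dtmf(samples):
    """Split one stream into (digits for the payment platform, audio for the recorder)."""
    recorder = list(samples)
    digits, prev = [], None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        key = detect_digit(frame)
        if key is not None:
            if key != prev:                # first frame of a new key press
                digits.append(key)
            for i in range(start, start + len(frame)):
                # recorder gets a flat tone in place of the keypad tone
                recorder[i] = MASK_AMP * math.sin(2 * math.pi * MASK_HZ * i / FS)
        prev = key
    return "".join(digits), recorder


def digits_in(samples):
    """What a downstream DTMF decoder could recover from an audio stream."""
    return mask_dtmf(samples)[0]


if __name__ == "__main__":
    pan = "4111111111111111"               # Visa's public test card number
    captured, recording = mask_dtmf(synth_dtmf(pan))
    print("platform captured  :", captured)
    print("recorder can decode:", repr(digits_in(recording)))
```

Running it prints the captured number and then an empty string for what a decoder can recover from the masked copy. Two practical points the model makes visible: detection works on frames, so the onset of a tone can leak a few milliseconds before the masker reacts (well under the 40 ms a Q.24 decoder needs, but a production masker uses overlapping frames or look-ahead to cover it), and the masking must sit upstream of every recorder, including agent-desktop screen and audio capture, or that recording is still in scope.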
2. FCA Consumer Duty
The Financial Conduct Authority’s Consumer Duty, in force since 31 July 2023 for open products and since 31 July 2024 for closed products, sets a higher standard of consumer protection across retail financial services. It binds FCA-authorised firms and their distribution chains rather than businesses in general, but its principles are a useful benchmark for any organisation taking payments from consumers.
The Four Outcomes
Consumer Duty requires firms to deliver good outcomes for retail customers across four areas:
- Products and services — Products must be designed to meet the needs of identified target markets
- Price and value — Customers must receive fair value, and fees must be proportionate to the benefits provided
- Consumer understanding — Communications must be clear, fair, and not misleading, enabling customers to make informed decisions
- Consumer support — Customers must be able to pursue their financial objectives without unreasonable barriers, including when making payments
How Consumer Duty Applies to Phone Payments
For phone payment operations, Consumer Duty means:
- Transparency — You must clearly explain how the payment process works and what security measures protect the customer’s data
- Accessibility — Payment processes must be accessible to all customers, including those with disabilities or limited digital confidence
- Security communication — Agents should explain to customers how their card details are being protected, building confidence in the process
- Complaint handling — Clear, fair processes for handling payment disputes and complaints
By using secure payment technology and training agents to explain the security measures in place, businesses demonstrate compliance with Consumer Duty while simultaneously building customer trust.
3. UK GDPR and the Data Protection Act 2018
The UK General Data Protection Regulation and the Data Protection Act 2018, enforced by the Information Commissioner’s Office (ICO), govern how personal data — including payment card data — is collected, processed, and stored.
Key Principles for Phone Payments
- Lawfulness, fairness, and transparency — You must have a lawful basis for processing card data (typically the performance of a contract or legitimate interests) and be transparent about how data is used
- Purpose limitation — Card data collected to take a payment must not be reused for another purpose, such as marketing or profiling, unless you have a lawful basis for that purpose, which in practice usually means the customer’s consent
- Data minimisation — Only collect the card data elements strictly necessary for the transaction
- Storage limitation — Do not retain card data longer than necessary. PCI DSS adds a hard rule here: sensitive authentication data (the CVV, full magnetic-stripe or chip data, and PINs) must never be stored after authorisation, and any full card number you do keep must be rendered unreadable, for example by truncation, tokenisation, hashing, or strong encryption
- Integrity and confidentiality — Card data must be protected against unauthorised access, loss, or destruction
- Accountability — You must be able to demonstrate compliance with all of the above principles
Data Breach Notification
Under UK GDPR, if a personal data breach involving card details occurs, you must notify the ICO within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals’ rights and freedoms, and you must tell the affected individuals without undue delay where it is likely to result in a high risk to them. Fines for the most serious infringements can reach £17.5 million or 4% of annual worldwide turnover, whichever is higher.
The simplest way to reduce breach risk is to keep card data out of your environment entirely. If you do not hold the data, you cannot lose it.
Additional Regulatory Considerations
Ofcom and Call Recording
Ofcom regulates UK telecommunications, but the rules on recording business calls come from the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act 2000. They permit recording without the caller’s consent for listed purposes, including regulatory compliance, quality control, and staff training, provided the business makes all reasonable efforts to tell callers that calls may be recorded. A call recording is also personal data, so UK GDPR applies to it, and when it captures card data PCI DSS requirements apply on top.
The Bribery Act 2010
While not about payments as such, section 7 of the Bribery Act 2010 makes a commercial organisation liable for bribery committed on its behalf unless it can show it had adequate procedures in place to prevent it. In a payment operation those procedures include controls over staff access to financial data, segregation of duties, and audit trails, all of which overlap with PCI DSS and UK GDPR requirements.
Sector-Specific Regulations
Depending on your industry, additional rules may apply:
- Financial services — FCA rules on payment services, client money handling, and operational resilience
- Insurance — Solvency II requirements and FCA insurance conduct rules
- Healthcare — The NHS Data Security and Protection Toolkit (formerly run by NHS Digital) and the Caldicott principles for patient data
- Local government — Public sector procurement regulations and transparency requirements
Practical Steps to Achieve Compliance
Meeting all these regulatory requirements can seem daunting, but a structured approach makes it manageable:
Step 1: Assess Your Current Position
Map your current phone payment process end to end. Identify every point where card data is collected, transmitted, processed, or stored. Understand which systems and personnel are in scope for PCI DSS.
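A practical aid to this step, added here as an example and not part of Paytia's tooling: a scanner that finds stray card numbers in free text such as agent notes, chat transcripts, or log extracts, the places card data ends up when agents write it down. It matches digit patterns of card-number length, filters them with the Luhn check digit every scheme card number carries so that order references and phone numbers drop out, masks hits to the first six and last four digits (the most PCI DSS allows to be displayed), and blanks a CVV written next to a recognisable label. The sample notes and the keyword list are constructed for the demo; a number written with no pattern at all will not be caught, so the scanner complements scope reduction rather than replacing it.

```python
"""PAN discovery and masking for free text (added example, not Paytia's code)."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not part
# of a longer digit run. Assumed pattern; card schemes issue 13-19 digit PANs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit code written after a CVV-style label. Heuristic: the code has no
# structure of its own, so only the label makes it findable.
CVV_RE = re.compile(r"(?i)\b((?:cvv|cvc|cv2|csc)\W{0,3})\d{3,4}\b")

# Constructed sample: a few CRM notes of the kind card data leaks into.
# Card numbers are the schemes' public test numbers.
NOTES = """\
14:02 Customer called re renewal, ref ORD-2023-118822, phone 020 7946 0958
14:05 took payment card 4111 1111 1111 1111 exp 09/27 cvv 123 - approved
14:06 alt card 5555-5555-5555-4444 declined, customer will call back
14:10 tracking number 1234567890123456 emailed (no card data)
"""


def luhn_valid(digits):
    """Luhn check-digit test: every scheme PAN passes, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """First six and last four visible, the rest starred (PCI DSS display masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (regex match, digit string) for every Luhn-valid candidate."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m, digits))
    return hits


def scan(text):
    """Report (line number, masked PAN) per hit; the report never carries the PAN."""
    return [(n, mask_pan(d))
            for n, line in enumerate(text.splitlines(), 1)
            for _, d in find_pans(line)]


def redact(text):
    """Rewrite the text with PANs masked and labelled CVVs blanked."""
    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    text = PAN_RE.sub(pan_sub, text)
    return CVV_RE.sub(lambda m: m.group(1) + "***", text)


if __name__ == "__main__":
    for lineno, masked in scan(NOTES):
        print(f"line {lineno}: {masked}")
    print(redact(NOTES))
```

On the sample the scanner reports the two card numbers on lines 2 and 3 and leaves the order reference, phone number, and the 16-digit tracking number (which fails Luhn) alone. Run over exported notes, ticket text, or recording transcripts it gives Step 1 a concrete list of places card data has leaked into; the masked report is safe to circulate, and the redacted text is what should replace the original once the leak is confirmed.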
Step 2: Reduce Your Scope
The single most effective action is to remove card data from your environment. Using a solution like Paytia’s secure payment platform means card data never touches your network, desktops, or call recordings — dramatically reducing PCI DSS scope and GDPR risk simultaneously.
Step 3: Implement Appropriate Technology
- DTMF masking for phone payments — keeps card data out of call recordings and agent environments
- Secure payment links for situations where customers can complete payment digitally
- Agent Assist to maintain the human touch while keeping card data secure
- Tokenisation for recurring payments, eliminating the need to store card numbers
Step 4: Train Your Staff
Ensure all staff handling phone payments understand PCI DSS requirements and their role in compliance, how to explain security measures to customers (supporting Consumer Duty), data protection obligations under UK GDPR, and how to recognise and report potential security incidents.
Step 5: Document and Evidence
Maintain thorough documentation including your PCI DSS Self-Assessment Questionnaire, data protection impact assessments, staff training records, incident response procedures, and regular compliance review records.
How Paytia Helps You Meet All Three Regulatory Frameworks
Paytia’s secure payment platform is designed specifically to help UK businesses navigate the regulatory landscape for phone payments:
- PCI DSS — Paytia is PCI DSS Level 1 certified. By keeping card data entirely out of your environment, you can qualify for the simplest SAQ A assessment, reducing your compliance requirements by up to 85%
- FCA Consumer Duty — Paytia’s transparent, customer-friendly payment process supports clear communication, accessible service, and demonstrable security
- UK GDPR — Because card data never enters your systems or call recordings, your data protection risk and breach notification obligations are dramatically reduced
Our solutions integrate seamlessly with your existing telephony and business systems, meaning you can achieve compliance without rebuilding your infrastructure.
Ready to simplify your regulatory compliance? Book a demo or contact Paytia today for a free regulatory review of your current phone payment process.