Regulation | 7 November 2025

Taking Card Payments Over the Phone: UK Regulations & Security Guide (2026)

How to take card payments over the phone safely and legally in the UK. Covers PCI DSS compliance, DTMF masking, FCA consumer duty, and step-by-step guidance for secure telephone payments.

Taking card payments over the phone means accepting a customer’s credit or debit card details verbally during a telephone call and processing the transaction through a payment gateway. In the UK, businesses that take phone payments must comply with PCI DSS, FCA consumer duty rules, and UK GDPR. Done correctly, paying over the phone with a credit card is safe for both the business and the customer. Done poorly, it exposes card data to fraud, regulatory fines, and reputational damage.

This guide covers the regulations, security requirements, and practical steps for processing credit card payments over the phone in the UK.

Who needs to read this?

Any UK business that takes card payments over the phone. That includes contact centres, utilities, councils, healthcare providers, charities, insurance firms, and any company with a sales or accounts team that handles payments by card over the phone. If a member of your staff hears, writes down, or types a card number during a call, this applies to you.

UK regulations for taking card payments over the phone

Three regulatory frameworks govern telephone card payments in the UK:

1. PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS applies to every organisation that processes, stores, or transmits cardholder data. For phone payments, the key requirements are:

  • Never store full card numbers, CVVs, or PINs after authorisation
  • Encrypt card data in transit between your systems and your payment processor
  • Restrict access to cardholder data to only those staff who need it
  • Remove card data from call recordings — recording a full card number violates PCI DSS
  • Log and monitor all access to network resources and cardholder data

The current standard is PCI DSS v4.0.1, which tightened requirements around authentication, encryption, and continuous monitoring. Non-compliance can result in fines of up to £500,000 per incident from card schemes, plus liability for any fraud losses.

2. FCA Consumer Duty

The Financial Conduct Authority’s Consumer Duty (effective July 2023) requires firms to act in the best interests of customers. For phone payments, this means:

  • Clearly explaining how the payment will be processed
  • Giving customers confidence that their card details are handled securely
  • Not pressuring customers into sharing card data in ways that feel unsafe

Businesses that can demonstrate secure payment handling — such as using DTMF suppression technology — are better positioned to meet consumer duty expectations.

3. UK GDPR and the ICO

Card details are personal data under UK GDPR. The Information Commissioner’s Office (ICO) expects businesses to apply data minimisation: collect only what is needed, retain it only as long as necessary, and protect it with appropriate technical measures. Removing card data from call recordings is a practical step that reduces breach risk and satisfies data protection requirements.

Is it safe to pay over the phone?

Yes, paying by card over the phone is safe when the business uses proper security controls. The risk comes not from the payment method itself, but from how the business handles card data during and after the call.

Common risks include:

  • Staff hearing card details — creates insider fraud risk and broadens PCI scope
  • Card numbers in call recordings — a data breach waiting to happen
  • Manual keying into terminals — card data passes through uncontrolled systems
  • Handwritten notes — physical card data that can be lost, stolen, or photographed

The safest approach is to remove your staff and systems from the card data flow entirely. This is exactly what DTMF masking achieves.

What is DTMF masking and why does it matter?

DTMF (Dual-Tone Multi-Frequency) masking, also called DTMF suppression, is a technology that lets customers enter their card details using their phone keypad during a call. The DTMF tones are intercepted and replaced with flat tones so the agent cannot hear or identify the digits. The card data is routed directly to the payment processor without touching your network.

This approach:

  • Keeps the agent on the line throughout — no awkward call transfers or pauses
  • Removes card data from your call recordings automatically
  • Descopes your contact centre from PCI DSS — significantly reducing compliance cost and audit burden
  • Eliminates insider fraud risk from staff handling card numbers

Paytia’s secure telephone payment platform uses DTMF suppression to deliver exactly this. The customer stays on the call, the agent stays in control, and card data never enters your environment.

How to take card payments over the phone safely: step by step

  1. Choose a PCI-compliant payment solution. Select a provider like Paytia that handles card data outside your infrastructure, reducing your PCI scope.
  2. Stop writing down card numbers. If agents are noting card details on paper or in spreadsheets, this must stop immediately. It violates PCI DSS and creates unnecessary risk.
  3. Remove card data from call recordings. Use DTMF masking so recordings never contain card numbers or CVVs.
  4. Train your staff. Every person involved in phone payments must understand PCI requirements and know what they must not do with card data.
  5. Review your processes regularly. PCI DSS v4.0.1 expects continuous compliance, not just annual assessments.

How to process credit card payments over the phone with Paytia

Paytia integrates with your existing telephony and payment gateway. Here is how a typical payment call works:

  1. The agent initiates a payment during the call through Paytia’s interface
  2. The customer is prompted to enter their card details using their phone keypad
  3. DTMF tones are masked in real time — the agent hears only flat tones
  4. Card data is sent directly to the payment processor via a PCI DSS Level 1 certified channel
  5. The agent receives confirmation of the payment outcome and continues the call

No card data enters your network. No card data appears in recordings. No additional PCI infrastructure required.
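As an added illustration of the mechanism described in the DTMF masking section and in the call flow above (example code written for this guide, not Paytia's product code or any real telephony stack): a Python simulation that detects key tones frame by frame with the Goertzel algorithm, diverts the digits to a separate capture path, and replaces those frames with a flat tone in the audio that continues to the agent and the call recorder. The sample rate, frame length, tone amplitudes, power threshold and the caller audio are all constructed assumptions; a real deployment works on the live telephony stream rather than a list of samples.

```python
import math
SAMPLE_RATE = 8000                # narrowband telephony audio
FRAME = 205                       # Goertzel block length commonly used for DTMF at 8 kHz
LOW, HIGH = (697, 770, 852, 941), (1209, 1336, 1477, 1633)  # DTMF row / column tones (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")
POWER_THRESHOLD = 500.0           # assumed: suits the amplitude-0.5 tones synthesised below
MASK_TONE_HZ = 400                # the flat tone the agent and the recorder hear instead

def goertzel_power(frame, freq):  # energy at one target frequency in a block of samples
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):  # key whose row/column tone pair dominates the frame, or None
    lp = [goertzel_power(frame, f) for f in LOW]
    hp = [goertzel_power(frame, f) for f in HIGH]
    li, hi = lp.index(max(lp)), hp.index(max(hp))
    return KEYS[li][hi] if min(lp[li], hp[hi]) >= POWER_THRESHOLD else None

def synth_dtmf(digits, tone_frames=2, gap_frames=1):  # constructed caller audio
    samples = []
    for d in digits:  # each key press: a two-tone burst followed by silence
        row = next(r for r, keys in enumerate(KEYS) if d in keys)
        f_lo, f_hi = LOW[row], HIGH[KEYS[row].index(d)]
        for n in range(tone_frames * FRAME):
            t = n / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * f_lo * t) + 0.5 * math.sin(2 * math.pi * f_hi * t))
        samples.extend([0.0] * (gap_frames * FRAME))
    return samples

def mask_card_entry(samples):
    """Split the call: key presses go to the payment channel; agent and recorder get a flat tone."""
    masked, captured, last = [], [], None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            masked.extend(frame)  # speech and silence pass through untouched
        else:
            masked.extend(0.3 * math.sin(2 * math.pi * MASK_TONE_HZ * (start + n) / SAMPLE_RATE) for n in range(len(frame)))
            if digit != last:     # one key press spans several frames; record it once
                captured.append(digit)
        last = digit
    return masked, "".join(captured)

def contains_dtmf(samples):  # audit check on a recording: any frame still carrying a key tone pair?
    return any(detect_digit(samples[i:i + FRAME]) for i in range(0, len(samples), FRAME))
```

The `contains_dtmf` check is the kind of evidence an assessor asks for: run it over stored recordings and it should never find a key tone pair once masking is in place.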

Common mistakes when taking credit cards over the phone

  • Asking customers to read out full card details while the call is recorded — this stores card data in breach of PCI DSS
  • Using pause-and-resume recording — unreliable in practice and still exposes data to the agent
  • Assuming small volumes mean PCI doesn’t apply — PCI DSS applies regardless of transaction volume
  • Relying on staff discipline alone — technical controls are required, not just policies

Frequently asked questions

Is it legal to take card payments over the phone in the UK?

Yes. Taking card payments over the phone is legal provided you comply with PCI DSS, UK GDPR, and (where applicable) FCA consumer duty requirements.

Do I need to be PCI compliant to take phone payments?

Yes. Any business that processes card payments in any channel, including by telephone, must comply with PCI DSS. There are no exemptions based on size or volume.

What is the safest way to take payments over the phone?

The safest method is to use DTMF suppression technology so card data never reaches your staff or systems. This descopes your environment from PCI DSS and eliminates the main fraud risks associated with phone payments.

Can I record calls where card payments are taken?

You can record the call, but card data must not be present in the recording. DTMF masking handles this automatically by replacing card entry tones with flat sounds before they reach the recording system.

Ready to make your phone payments secure and compliant? Book a demo with Paytia or contact our team to discuss your requirements.
