Taking a card payment over the phone in the UK isn't just a commercial transaction — it's an activity that sits at the intersection of three separate regulatory frameworks, each with its own requirements and its own enforcement body. Get this right and you're protecting your customers, limiting your liability, and building a payment process you can stand behind. Get it wrong and you're looking at potential PCI fines from your acquirer, ICO enforcement action, and FCA scrutiny depending on your business type. If you want a more general view of the UK regulatory landscape around phone card payments, see our companion piece on UK regulations for taking card payments by phone, and compliance in the financial services industry for the wider picture.
This guide works through what each framework actually requires, where they overlap, and what a compliant telephone payment process looks like in practice. If you want the operational companion piece rather than the regulatory one, see accepting credit card payments over the phone securely and implementing a secure phone payment system.
PCI DSS: The Payment Card Industry Standard
PCI DSS is the baseline requirement for any business that accepts card payments. It's not UK law — it's a standard set by the card schemes (Visa, Mastercard, Amex, and others) through a body called the Payment Card Industry Security Standards Council. But compliance is effectively mandatory because it's built into your merchant agreement with your acquiring bank. Fail to comply and your acquirer can fine you, increase your transaction fees, or in serious cases withdraw your card acceptance facility.
For telephone payments specifically, PCI DSS requires controls around how card data is captured, transmitted, and stored. The standard doesn't prescribe exactly how you take a telephone payment — but it does require that you can demonstrate card data is protected at every point it exists in your environment.
The most immediate implication for call-based payments is around call recordings. PCI DSS requirement 3.3.2 explicitly states that sensitive authentication data — which includes the three or four digit CVV/CVC on the back of a card — must not be stored after authorisation. If your call recordings capture a customer reading out their CVV, those recordings technically contain sensitive authentication data, and you need to ensure either that the CVV is redacted from the recording or that the recordings are handled under strict security controls.
PCI DSS 4.0.1, which became mandatory in March 2025, goes further. It includes explicit requirements around DTMF tones — the sounds generated when a customer presses digits on their phone keypad. If your system captures DTMF tones in call recordings, those may contain card data and must be treated accordingly. This was a new addition in 4.0.1 and catches out businesses whose telephony systems log raw audio including keypress tones.
The version of the Self-Assessment Questionnaire you need to complete depends on how you handle card data. If agents take card numbers verbally and enter them into a system, you're almost certainly completing SAQ D — the longest and most demanding version, covering around 329 controls. Businesses that use a DTMF-based system where card digits go directly to a certified payment processor, and never pass through the agent or your internal network, can typically file a much shorter questionnaire.
FCA: The Financial Conduct Authority
The FCA regulates payment services and financial products in the UK. Not every business that takes card payments is directly regulated by the FCA — if you're a retailer accepting cards in payment for goods or services, you're typically not an FCA-regulated entity. But you still fall under the FCA's remit indirectly, through the payment institutions that process your transactions, and the FCA's broader consumer protection expectations affect how payments should be handled.
The most directly relevant FCA requirement for telephone payments is the Consumer Duty, which came into force in July 2023. It requires firms to act to deliver good outcomes for retail customers — including during payment processes. For telephone payments, this translates into a requirement to ensure that customers have a clear understanding of what's happening when they pay, that the process is secure, and that you're not creating barriers or confusion that disadvantage them.
Strong Customer Authentication (SCA) is another FCA requirement introduced through the Payment Services Regulations 2017, which implemented the EU's PSD2 directive into UK law. SCA requires that electronic payments above certain thresholds be authenticated with two independent factors drawn from three categories: something the customer knows, something they have, and something they are. MOTO payments (mail order and telephone order) are explicitly exempt from SCA requirements under the regulations, because the customer initiates the payment during a live call rather than through an electronic interface. However, this exemption comes with the expectation that other fraud controls are in place. Relying on the MOTO exemption without any fraud mitigation is not something acquirers or the FCA would view favourably.
FCA-regulated businesses — insurance brokers, financial advisers, consumer credit firms — face additional obligations. Their customer communications, including telephone payment processes, must meet the FCA's fair treatment requirements. If you're regulated, your telephone payment procedures should be reviewed against your FCA permissions and the applicable sourcebook provisions.
UK GDPR and the Data Protection Act 2018
Card data is personal data under UK GDPR. That makes your card payment process subject to data protection law, enforced by the Information Commissioner's Office (ICO). The obligations this creates are substantial and often underestimated.
The most fundamental requirement is data minimisation: you should only collect and retain card data you actually need. For telephone payments, this typically means that card data should be used to process the transaction and then not retained in your systems. If your call recording platform is storing recordings that contain spoken card numbers, you're retaining card data for as long as those recordings exist — and you need a lawful basis and appropriate security controls for doing so.
UK GDPR also requires appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, and destruction. For card data specifically, this reinforces the PCI DSS requirement for encryption and access control — but it goes beyond the card number itself to include any data that could be used to identify the cardholder.
The accountability principle under UK GDPR requires you to be able to demonstrate compliance. That means documentation: data flow maps showing where card data goes, data protection impact assessments (DPIAs) where processing is high-risk, and records of processing activities. If the ICO investigates a complaint about how you handled payment data, your ability to show documented compliance procedures matters.
Call recordings that contain payment data deserve particular attention. They're a significant source of risk because recordings are often retained for extended periods, shared with quality assurance teams, or accessible to third-party platform providers. Each of those access points is a potential data breach source. UK GDPR requires that access is limited to those with a genuine need, and that third parties who access the data are bound by appropriate data processing agreements.
UK phone merchants must honour refunds and remedies under the Consumer Rights Act, on top of card scheme rules.
Call Recording Regulations
There are specific rules about recording telephone calls in the UK, sitting across several pieces of legislation. Under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, businesses can record calls for certain legitimate purposes — quality monitoring, training, and regulatory compliance — without needing explicit consent for each recording, provided customers are informed that calls may be recorded.
That "informed" requirement matters when payment data is involved. Customers who are told their call is being recorded should be aware of what that means for their card data. A business that tells customers calls are recorded but doesn't tell them what happens to their card details in those recordings is arguably not giving customers the information they need to make informed decisions — which creates tension with both the Consumer Duty and UK GDPR transparency requirements.
The practical solution most businesses have tried is pause-and-resume: stopping the recording while the customer reads card details, restarting it afterwards. The problem is that this depends on agents remembering to pause, and when they forget — which happens — card data enters the recording archive. A technical solution that prevents card data from reaching the audio channel in the first place is more reliable than a procedural one.
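As an added illustration (not part of this guide and not Paytia's code) of the two points made above, that keypad tones and spoken card details end up in recordings, and that pause-and-resume fails the moment an agent forgets, the Python below simulates one telephone payment three ways: pause-and-resume where the agent remembers, pause-and-resume where the agent forgets, and a telephony-layer control that diverts keypad digits to the payment processor and lets only a masked tone reach the recorder. It also includes a Luhn-based scanner that a team could run over transcripts or DTMF logs of an existing recording archive to check whether card numbers have already leaked into it. The call events, the agent behaviour and the well-known test card number 4111 1111 1111 1111 are all constructed for the example.

```python
"""Simulated telephone payment: procedural pause-and-resume vs. DTMF diversion.

Added example, not the guide's or Paytia's code. Events, agent behaviour and the
test card number are constructed; the recorders are deliberately simple models.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: a well-known Luhn-valid test PAN, not a real card.
TEST_PAN = "4111111111111111"


@dataclass
class CallEvent:
    kind: str          # "speech", "dtmf", "agent_pause" or "agent_resume"
    payload: str = ""  # spoken words, or a single keypad digit / symbol


def build_call(agent_pauses: bool) -> list[CallEvent]:
    """Constructed call flow: the customer keys the PAN and CVV on the keypad (DTMF).
    When agent_pauses is False the agent forgets to pause the recording."""
    events = [CallEvent("speech", "the total is 42.50")]
    if agent_pauses:
        events.append(CallEvent("agent_pause"))
    events += [CallEvent("dtmf", d) for d in TEST_PAN + "#123#"]
    if agent_pauses:
        events.append(CallEvent("agent_resume"))
    events.append(CallEvent("speech", "thank you"))
    return events


def record_pause_resume(events: list[CallEvent]) -> str:
    """Procedural control: the recorder stops only while the agent has pressed pause.
    Raw keypad tones are captured like any other audio, which is the DTMF concern
    the guide describes for call recordings."""
    captured, paused = [], False
    for ev in events:
        if ev.kind == "agent_pause":
            paused = True
        elif ev.kind == "agent_resume":
            paused = False
        elif not paused:
            captured.append(ev.payload)
    return " ".join(captured)


def record_dtmf_diverted(events: list[CallEvent]) -> tuple[str, str]:
    """Technical control: keypad digits are diverted to the payment processor before
    the audio reaches the recorder, which only ever sees a masked tone ("*").
    Returns (what the recorder stored, what the processor received)."""
    captured, to_processor = [], []
    for ev in events:
        if ev.kind == "dtmf":
            to_processor.append(ev.payload)
            captured.append("*")
        elif ev.kind == "speech":
            captured.append(ev.payload)
        # agent_pause / agent_resume are irrelevant here: no card data can reach
        # the recorder whether or not the agent remembers to press anything.
    return " ".join(captured), "".join(to_processor)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to tell card-number-like runs from other digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> set[str]:
    """Audit helper: return every Luhn-valid 13-19 digit window found in a transcript
    or DTMF log. Spaces and hyphens between digits are ignored, and every window of
    each digit run is tested, so a PAN keyed right after a spoken amount (e.g. the
    "42.50" above) is still found rather than hidden inside a longer run."""
    compact = re.sub(r"(?<=\d)[ -]+(?=\d)", "", text)
    hits: set[str] = set()
    for run in re.findall(r"\d+", compact):
        for length in range(13, 20):
            for start in range(0, len(run) - length + 1):
                window = run[start:start + length]
                if luhn_valid(window):
                    hits.add(window)
    return hits


if __name__ == "__main__":
    cases = [
        ("pause-and-resume, agent remembered", record_pause_resume(build_call(True))),
        ("pause-and-resume, agent forgot", record_pause_resume(build_call(False))),
        ("DTMF diverted, agent forgot", record_dtmf_diverted(build_call(False))[0]),
    ]
    for label, recording in cases:
        print(f"{label}: card numbers in recording -> {sorted(find_pans(recording))}")
```

Only the second case leaks the full PAN into the archive, and nothing about the third case depends on agent behaviour. The scanner is a detection aid for assessing what an existing archive already holds (and for spotting recorders that log keypress tones); it is not a substitute for keeping card data out of the audio channel in the first place, and a hit means the recording and its retention need the handling the guide describes.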
Consumer Protection Legislation
Beyond the FCA's Consumer Duty, telephone payment processes must comply with the Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013. The Consumer Contracts Regulations are particularly relevant for telephone orders: they require that customers are given clear information about what they're buying and the total price before the contract is concluded. For telephone payments, this means the agent must clearly confirm the amount, the goods or services being paid for, and the payment terms before taking card details.
Customers also have cancellation rights for distance contracts, including telephone orders, under the Consumer Contracts Regulations. The exact rights depend on what's being sold — goods, digital content, or services — but businesses need to have clear policies and inform customers of those rights at the point of sale.
How These Frameworks Interact
PCI DSS, UK GDPR, and FCA requirements don't exist in isolation. They reinforce each other in important ways. A call recording that contains a card number is a PCI DSS problem (it may contain sensitive authentication data), a UK GDPR problem (it's personal data requiring protection), and potentially an FCA Consumer Duty issue (does the customer know this?). Solving the recording problem addresses all three simultaneously.
Paytia's DTMF masking approach prevents card data from entering the audio channel at all, which means it can't appear in recordings regardless of whether agents remember to pause. That single technical control addresses the intersection of PCI DSS recording requirements, UK GDPR data minimisation, and call recording regulations in one step.
Because Paytia is a PCI DSS Level 1 certified Service Provider, our infrastructure handles the card data processing under our own certification. Businesses using Paytia for telephone payment capture reduce their PCI scope significantly, which also reduces the surface area of their UK GDPR data protection obligations — because the sensitive data doesn't pass through their environment.
Practical Steps for Compliance
If you're taking card payments by phone and haven't done a formal review of your compliance position, now is a reasonable time to do one. The March 2025 deadline for PCI DSS 4.0.1 has passed, which means the new requirements around DTMF tones and call recording controls are now mandatory. Businesses that haven't addressed these yet are already non-compliant with the current version of the standard.
Start by mapping where card data currently flows in your telephone payment process. Include every system that could touch it: your telephony platform, your call recording archive, your payment terminal, your CRM, any workforce management or quality monitoring tools. Once you've mapped it, look at what each of those systems does with the data and what controls you have in place.
From there, the question is what you need to change. For most businesses, the biggest gap is in the call recording and agent handling of card data. If agents are hearing and entering card numbers, that needs to change — both for PCI DSS 4.0.1 compliance and for UK GDPR data minimisation. A DTMF-based approach resolves both.
If you'd like to understand your specific position, speak with us. We can walk through your current telephone payment process and explain exactly what the regulatory requirements mean for your setup.