Telephone Payments

Secure phone payments — live, PCI-compliant card capture with your agents

Live-agent phone payments without the card data exposure. Your agents stay on the call, the customer enters digits on their own keypad, and Paytia keeps the card number out of agent earshot, off your screens, and out of your call recordings. PCI scope drops from SAQ D (329 controls) to SAQ A (22). Two approaches — DTMF Masking and Channel Separation — both PCI DSS Level 1 certified. Looking for self-service phone payments instead? See our IVR payments page.
Request a DemoTalk to Sales

Two ways to take a secure phone payment

Both keep card data out of your business and drop you to SAQ A. The main difference is what your agents need to learn — with Channel Separation, nothing. With DTMF Masking, one click per call. Compare them side by side.

Single channelOne-click capture per call

DTMF Masking

Agent stays on the line throughout. Tones are masked in the live audio so the agent doesn't hear the digits but can keep talking the customer through. Agents press one button to start the capture, then watch a progress indicator — a small behaviour change, not real training.

Pick this if your agents handle complex calls and need to stay engaged through the payment step.

Read about DTMF Masking →
Two channelsZero agent training

Channel Separation

Agent's audio goes off-line during capture. Voice prompts run the flow on the customer leg and the call reconnects when the payment authorises. The agent does nothing during the payment step — the platform drives the whole thing — so there's nothing to learn and no new behaviour to enforce.

Pick this ifyou want zero agent training, your compliance team wants a hard physical separation for audit, or you'd rather agents had no involvement at all.

Read about Channel Separation →
Most-read pages

Taking card payments by phone — start here

Three short guides most customers read before they book a demo.

MOTO

MOTO Payments

Mail Order / Telephone Order: any card payment where neither the card nor the customer is with you. How to take them without the PCI scope.

Read about MOTO payments →
Live call

Agent-Assisted Payments

Your agent stays on the call while the customer keys their card. The conversation never breaks, the card data never arrives.

Read about agent-assisted payments →
Buyer's guide

Taking Card Payments Over the Phone

The three ways to do it, what goes wrong with the obvious way, and how to pick the right approach for your calls.

Read the guide →

Other phone-payment products

The patterns above cover most of what businesses ask for. These fill in the rest.

IVR Payments

Automated 24/7 phone payments — no agent on the line, no card data on your systems.

Learn more

Mobile Payments

Take secure card payments from any smartphone or tablet. No card reader, no app to ship.

Learn more

Outbound Payments

You dial the customer for collections, renewals, or chase — and take the payment on the same call.

Learn more

Payment Chase

Automated payment reminders by email and SMS with smart scheduling and pay-now links.

Learn more

Why take phone payments through Paytia

Phone payments are still where most businesses leak PCI scope. If you take card payments over the phoneand your agents hear the numbers, your call recordings probably capture them, and once that happens PCI DSS starts applying to most of your contact centre — not just the payment step. Pause-and-resume recording is fragile, secure rooms don't work for hybrid teams, and sending customers to a separate link kills the call.

Paytia sits between your phone system and your payment gateway, and we've been running secure phone paymentsfor UK contact centres since 2016. When it's time to pay, the customer enters their card on their own keypad. We either suppress the tones in the live audio (DTMF Masking) or split the call into two channels during capture (Channel Separation) — either way, your agent never hears the digits, your recording captures nothing sensitive, your systems never touch the card. The payment processes through your existing gateway (Stripe, Barclaycard, Worldpay, Adyen, Tyl by NatWest, Ryft, and others), so you don't switch merchant accounts.

Most customers are live within days. PCI scope drops from SAQ D (329 controls) to SAQ A (22 controls), and the call experience stays the same for your customers.

Frequently asked questions

How do I make telephone payments PCI compliant?

You make telephone payments PCI compliant by keeping card data out of the places PCI DSS cares about — your agents, your phone system, and your call recordings. The simplest route is to capture the digits on the customer's own keypad and route them straight to your payment gateway, so the card number, expiry and CVV never enter your environment. Paytia does this two ways: DTMF Masking strips the keypad tones from the live audio on an agent call, and Channel Separation splits the call into two channels during capture. Either approach typically drops your assessment from SAQ D (329 controls) to SAQ A (22), and both run on PCI DSS Level 1 certified infrastructure.

What is the safest way to take card payments over the phone?

Capture the card on the customer's own phone keypad and route it straight to your payment gateway, so the digits never reach your agent, your call recording, or your systems. Paytia does this two ways: DTMF Masking strips the keypad tones from the live audio, and Channel Separation splits the call into two channels during capture. Both drop PCI scope from SAQ D (329 controls) to SAQ A (22 controls) and are PCI DSS Level 1 certified.

What are MOTO payments and how does Paytia handle them?

MOTO — Mail Order / Telephone Order — is any card payment where the customer isn't physically present and the transaction is taken by an agent over the phone or from a posted or emailed order form. MOTO is card-not-present, exempt from Strong Customer Authentication under PSD2, and the merchant carries the full fraud liability if a chargeback comes in. Paytia keeps your MOTO setup simple: the customer enters their card on their own keypad during the call, DTMF Masking or Channel Separation keeps it off your systems, and the payment runs through your existing gateway. Your PCI scope drops, your fraud exposure on each transaction stays no higher than any properly-captured MOTO payment, and your agents never handle the digits.

Is Paytia a virtual terminal?

Not in the old sense. A traditional virtual terminal is a web form the agent types the customer's card number into, which means the agent's keyboard, browser, workstation and network all sit inside your PCI cardholder data environment — and you're usually on SAQ C-VT (about 80 controls) as a result. Paytia flips that model. The customer enters the card on their own phone keypad, the tones are masked before they reach the agent or the recording, and the digits go straight to the payment gateway. You get the browser-based convenience of a virtual terminal without the agent ever seeing or typing card data, and most customers drop to SAQ A (22 controls) instead of SAQ C-VT or SAQ D.

What is DTMF masking?

DTMF masking replaces the keypad tones (dual-tone multi-frequency signals) in a live call with silence or a flat tone, so anyone listening — agent, call recording, or anyone nearby — can't identify the digits being pressed. The customer types normally on their handset; the tones just don't reach the audio stream. It's how Paytia's DTMF Masking keeps card numbers out of your contact centre.

How does Paytia keep card data away from my agents?

Customers type their card details on their own phone keypad. Paytia either masks the keypad tones in the live audio (DTMF Masking) or splits the call into two channels during capture (Channel Separation) — either way, the card number, expiry, and CVV go straight to your payment gateway, not through your agent, your call recording, or your systems.

Do I have to change my phone system?

No. Paytia works with any telephony — landline, VoIP, SIP, PBX, or full contact-centre platforms like Genesys, Five9, Amazon Connect, NICE, 8x8, Talkdesk. There's no hardware to install. Most customers are live in days.

Can I still record calls?

Yes. Card data is removed from the audio before it reaches the recording layer, so recordings stay clean — no pause-and-resume, no redaction, no compliance exposure if a recording is ever pulled from archive.

Does this work for outbound calls and payment chases?

Yes. Agents can dial the customer for collections, renewals, or chase and take the payment on the same call. See Outbound Payments and Payment Chase below.

How much does this reduce our PCI scope?

Most businesses drop from SAQ D (329 controls) to SAQ A (22 controls). Card data never enters your environment, so most PCI DSS controls stop applying.

“Paytia turned a security exposure and reputational risk into a value-enhancing opportunity. Fundraising has never been more important and Paytia has helped us achieve our goals.”

Trinity Hall College

Cambridge University

Read the case study →

Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College

Since 2016

Building secure payments

PCI DSS Level 1

Highest certification

99.99%

Platform uptime

£40M+

Transactions processed

Ready to take phone payments the right way?

See Paytia on a call flow that looks like yours. Most businesses are live within days.

PCI DSS Level 1
Cyber Essentials Plus
Request a DemoContact Sales

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia