Telephone Payments | 8 April 2026 | 9 min read

MOTO Payments Guide 2026: Mail Order Phone Order

Mail Order/Telephone Order (MOTO) payments are still essential for many businesses. Here's what you need to know about the security challenges, compliance requirements, and how to process them safely.


MOTO payments — short for Mail Order / Telephone Order — are card-not-present transactions where your customer gives you their card details over the phone, by post, or by fax. They're one of the oldest forms of card payment, and for many UK businesses they're still a core channel in 2026. Phone orders, renewal calls, charity donations, housing rent, B2B orders, bookings — any call where a customer wants to pay without visiting a website is a MOTO payment.

Here's the catch. MOTO payments carry a higher fraud risk than both online and in-person card payments, because the merchant can't see the physical card and can't rely on 3-D Secure in the same way an e-commerce checkout can. Card networks know this, so MOTO transactions usually attract higher interchange fees and stricter PCI DSS obligations. Any business that takes MOTO payments needs to understand where the risks actually are, what the compliance rules say, and how to handle a phone card payment without dragging their entire contact centre into PCI scope.

We've been building PCI-compliant phone payment systems at Paytia since 2016, and MOTO is the workflow we know best. This guide covers what MOTO payments are, how they work, what they cost, where the fraud risks live, and how modern contact centres handle them safely.

What are MOTO Payments?

MOTO payments are card-not-present transactions where the cardholder provides their card details to a merchant by telephone, mail, or fax rather than in person or through a website. The merchant keys the card number into a virtual terminal or payment gateway to authorise the payment. MOTO has its own interchange category, fraud profile, and PCI DSS scoping rules.

You may also see "MOTO 3" or "three-MOTO" used informally for a MOTO payment where the merchant keys the three-digit CVV2/CVC2 from the back of the card alongside the card number and expiry. Most acquirers require the CVV on MOTO transactions as a basic fraud check, and PCI DSS prohibits storing it anywhere once the authorisation has been obtained. Keeping card data out of the merchant's earshot during that capture step is exactly what DTMF masking and channel separation are designed for.

Security Challenges with MOTO Payments

MOTO transactions come with several inherent security challenges that businesses need to address:

Higher Fraud Risk

Without physical card presence or real-time electronic verification, MOTO transactions have higher fraud rates than card-present transactions. Fraudsters can use stolen card details more easily when the card isn't physically present.

The numbers tell the story. Card-not-present fraud consistently accounts for the majority of card fraud losses in the UK. For MOTO specifically, the risk is elevated because there's no chip-and-PIN verification, no biometric check, and often no 3DS2 authentication (since 3DS2 was designed for online transactions, not phone payments). That puts a heavier burden on businesses to implement their own fraud controls.

Some MOTO fraud scenarios are obvious, but others are more subtle. The classic case is a fraudster calling with a stolen card number to place an order for delivery to a different address. But there are others that catch businesses off guard. "Friendly fraud" is one — a genuine customer places a legitimate order over the phone, receives the goods, and then disputes the transaction with their bank, claiming they never authorised it. Without 3DS2's liability shift protecting you, MOTO merchants bear the cost of these disputes almost every time.

Another common scenario is card testing. A fraudster uses your phone payment line to test whether stolen card numbers are live by making small, low-value transactions. If the card works, they move on to larger purchases elsewhere. Meanwhile, you're left with a string of chargebacks on transactions worth a few pounds each — individually small, but collectively enough to push your chargeback ratio above your processor's threshold.
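Card testing leaves a recognisable pattern in the phone line's authorisation log: one caller, many different cards, small amounts, and a high decline rate inside a short window. The following detector is an added example written for this guide, not Paytia's own tooling; the log shape (caller CLI, gateway card token, amount in pence, acquirer result), the sample rows and the thresholds are all constructed assumptions.

```python
"""Card-testing detector for a MOTO phone line.

Added example, not Paytia's code. The log shape (caller CLI, gateway card token,
amount in pence, acquirer result) and the thresholds are assumptions; a real
deployment would read the gateway's transaction export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one row per authorisation attempt. Tokens stand in
# for card numbers so that a PAN never appears in fraud tooling.
SAMPLE_LOG = [
    {"ts": "2026-04-08T09:00:10", "caller": "+441234000001", "token": "tok_a1", "amount": 120, "result": "declined"},
    {"ts": "2026-04-08T09:01:30", "caller": "+441234000001", "token": "tok_a2", "amount": 150, "result": "declined"},
    {"ts": "2026-04-08T09:02:05", "caller": "+441234000001", "token": "tok_a3", "amount": 99, "result": "approved"},
    {"ts": "2026-04-08T09:03:40", "caller": "+441234000001", "token": "tok_a4", "amount": 200, "result": "declined"},
    {"ts": "2026-04-08T09:05:15", "caller": "+441234000001", "token": "tok_a5", "amount": 110, "result": "declined"},
    {"ts": "2026-04-08T09:07:00", "caller": "+441234000001", "token": "tok_a6", "amount": 130, "result": "approved"},
    {"ts": "2026-04-08T09:10:00", "caller": "+441234000002", "token": "tok_b1", "amount": 4999, "result": "approved"},
    {"ts": "2026-04-08T10:30:00", "caller": "+441234000002", "token": "tok_b1", "amount": 2500, "result": "approved"},
    {"ts": "2026-04-08T11:00:00", "caller": "+441234000003", "token": "tok_c1", "amount": 89, "result": "declined"},
]


def detect_card_testing(log, window_minutes=30, min_attempts=5,
                        min_distinct_cards=3, max_amount=500,
                        min_decline_ratio=0.5):
    """Return {caller: evidence} for callers whose low-value attempts inside any
    sliding window look like card testing: many attempts, many different cards,
    and a high decline rate. A single declined small payment is not enough."""
    by_caller = defaultdict(list)
    for row in log:
        by_caller[row["caller"]].append(dict(row, when=datetime.fromisoformat(row["ts"])))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for caller, rows in by_caller.items():
        rows.sort(key=lambda r: r["when"])
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it spans at most window_minutes
            while rows[end]["when"] - rows[start]["when"] > window:
                start += 1
            small = [r for r in rows[start:end + 1] if r["amount"] <= max_amount]
            if len(small) < min_attempts:
                continue
            distinct = {r["token"] for r in small}
            if len(distinct) < min_distinct_cards:
                continue
            declines = sum(1 for r in small if r["result"] != "approved")
            ratio = declines / len(small)
            if ratio < min_decline_ratio:
                continue
            flagged[caller] = {
                "attempts": len(small),
                "distinct_cards": len(distinct),
                "decline_ratio": round(ratio, 2),
                "first": small[0]["ts"],
                "last": small[-1]["ts"],
            }
            break  # one hit per caller is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for caller, evidence in detect_card_testing(SAMPLE_LOG).items():
        print(f"ALERT card testing suspected from {caller}: {evidence}")
```

Run daily over the gateway export, or hourly if your line is busy. The thresholds are deliberately conservative: a genuine customer who mis-keys one card twice never trips three distinct cards, and a high-value decline is ignored because it does not fit the card-testing pattern. Tune the window and counts to your own transaction mix before acting on alerts.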

Internal fraud is a risk too, and it's the one businesses least want to think about. If agents can see or hear full card details, a single dishonest employee can capture dozens of card numbers in a shift. They might not use them immediately — stolen card details are often sold in batches weeks or months later, making it harder to trace the source. This is exactly why removing agent access to card data through DTMF masking isn't just a compliance measure; it's a fraud prevention one. You can't steal what you never had access to.

Refund fraud is another pattern we see in MOTO environments. A fraudster calls to place an order, then calls back claiming an issue and requesting a refund — but asks for it to be sent to a different card or bank account. Without proper refund policies that match refunds to the original payment method, businesses can lose money on both the original transaction and the fraudulent refund.
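The control against refund fraud is mechanical: the refund destination is derived from the original payment record, never from whatever the caller asks for, and cumulative refunds cannot exceed the sale. The screening routine below is an added example written for this guide, not Paytia's code; the ledger shape, the request format and the sample requests are constructed assumptions.

```python
"""Refund screening: refunds go back to the original payment method only.

Added example, not Paytia's code. The ledger shape and the request format are
assumptions; the point is the checks, not the storage.
"""
from dataclasses import dataclass


@dataclass
class OriginalPayment:
    order_ref: str
    token: str      # gateway token for the card that paid; never a raw PAN
    amount: int     # pence
    refunded: int = 0


class RefundRejected(Exception):
    pass


# Constructed ledger of settled MOTO payments, keyed by order reference.
LEDGER = {
    "ORD-1001": OriginalPayment("ORD-1001", "tok_a91f", 12000),
    "ORD-1002": OriginalPayment("ORD-1002", "tok_77c0", 4500),
}

# Constructed refund requests as an agent might key them in.
SAMPLE_REQUESTS = [
    {"order_ref": "ORD-1001", "amount": 5000, "destination": {"type": "original"}},
    {"order_ref": "ORD-1001", "amount": 5000, "destination": {"type": "bank_account", "sort_code": "00-00-00"}},
    {"order_ref": "ORD-1001", "amount": 8000, "destination": {"type": "original"}},
    {"order_ref": "ORD-9999", "amount": 1000, "destination": {"type": "original"}},
    {"order_ref": "ORD-1002", "amount": 4500, "destination": {"type": "original"}},
]


def authorise_refund(ledger, order_ref, amount, destination):
    """Validate one refund and return the instruction to send to the gateway.
    The destination token is always taken from the ledger, never from the caller."""
    original = ledger.get(order_ref)
    if original is None:
        raise RefundRejected("no original payment found for that order reference")
    if destination.get("type") != "original":
        raise RefundRejected("refunds are only returned to the original payment method")
    if amount <= 0:
        raise RefundRejected("refund amount must be positive")
    remaining = original.amount - original.refunded
    if amount > remaining:
        raise RefundRejected(f"refund of {amount}p exceeds refundable balance of {remaining}p")
    original.refunded += amount   # cumulative, so repeated partial refunds cannot exceed the sale
    return {"order_ref": order_ref, "token": original.token,
            "amount": amount, "remaining": remaining - amount}


def screen_refund_request(ledger, request):
    """Agent-facing wrapper: returns a decision instead of raising."""
    try:
        instruction = authorise_refund(ledger, request["order_ref"],
                                       request["amount"], request["destination"])
    except RefundRejected as exc:
        return {"accepted": False, "order_ref": request["order_ref"], "reason": str(exc)}
    return dict(instruction, accepted=True)


def screen_all(ledger, requests):
    return [screen_refund_request(ledger, r) for r in requests]


if __name__ == "__main__":
    for decision in screen_all(LEDGER, SAMPLE_REQUESTS):
        print(decision)
```

The second sample request (a refund to a bank account) is rejected before any balance is touched, and the third is rejected because an earlier partial refund has already reduced what is refundable. Agents should have no override for either rule; exceptions belong with a supervisor and a written reason.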

Agent Exposure to Sensitive Data

Traditional phone payment processes require staff to see or hear complete card details, including full card numbers, expiry dates, CVV codes, and cardholder names.

This exposure creates security risks and expands PCI DSS compliance requirements significantly. Every agent who handles card data is a potential point of compromise. That's not a reflection on your staff's honesty — it's a recognition that human error, social engineering, and even simple opportunism create risk that technology can eliminate.

Call Recording Risks

Many businesses record customer calls for quality assurance, training, or compliance purposes. If those recordings capture card details, they become sensitive data requiring secure storage, encryption, access controls, monitoring, and secure deletion procedures.

This is one of the most underestimated risks in MOTO processing. Businesses often don't realise that their call recordings contain card data until an auditor points it out. At that point, every recording that might contain card details needs to be treated as cardholder data — which can mean thousands of hours of recordings suddenly fall under PCI scope.

Documentation Security

When customers provide card details via mail or email, written records require secure storage in locked cabinets, proper disposal through cross-cut shredding, access logging and monitoring, and background checks for staff handling documents. Email-based card details are particularly problematic. Email isn't encrypted by default, messages sit in inboxes indefinitely, and they're often backed up to systems that nobody thinks to include in their PCI scope assessment.

Compliance Requirements for MOTO Payments

PCI DSS Requirements

All MOTO transactions fall under PCI DSS scope, requiring businesses to protect stored card data with encryption, implement access controls and monitoring, conduct regular security testing, maintain information security policies, and complete annual self-assessment questionnaires (SAQs) or formal audits.

The SAQ type you need depends on how you process payments. If your agents handle card data directly, you're looking at SAQ D, the most demanding questionnaire, with several hundred requirements. If you use a solution like Paytia that keeps card data out of your environment entirely, you can typically use SAQ A, which has a few dozen. (The often-quoted figures of 329 and 22 questions come from PCI DSS v3.2.1, which was retired in March 2024; the v4.0.1 questionnaires are sized differently, but the gap between SAQ D and SAQ A remains large.) Whichever SAQ you target, eligibility is confirmed by your acquirer, so check with them before assuming the reduced scope applies.

Strong Customer Authentication (SCA)

Under PSD2 and the equivalent UK rules, MOTO transactions are currently outside the scope of SCA rather than formally exempted from it: SCA applies to electronically initiated payments, and a card number read out over the phone or written on a form is not treated as one. Merchants still need to flag transactions correctly as MOTO, run their own fraud monitoring, and be prepared for the rules to change. SCA was designed for online checkouts where a second factor can be built into the flow; for phone payments there is no standard way to apply it in real time, so the cardholder is never challenged with a fingerprint or a push notification during the call.

GDPR and Data Protection

Processing card details requires compliance with GDPR, including lawful basis for processing, data minimisation principles, secure storage and transmission, and data subject rights (access, deletion, etc.).

How to Handle Secure MOTO Processing

Use Secure Payment Technology

Modern payment solutions can dramatically cut security risks. DTMF masking lets customers enter card details via keypad while agents stay on the call without hearing the digits. Tokenisation replaces card numbers with secure tokens for recurring payments. Secure payment links let you send customers a link to complete payments online when that's more appropriate. Automated fraud screening provides real-time fraud detection and prevention.

The most effective approach is to remove card data from your environment completely. When agents never hear card numbers, recordings never capture them, and your systems never store them, the vast majority of PCI requirements simply don't apply to you.
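What "removing card data from your environment" looks like in code is a capture path in which the digits never reach the agent, the recording, or the merchant's own records. The session below is an added illustration for this guide and not Paytia's implementation: the tone source is simulated by feeding a string of keypresses, the token vault is a stand-in for the provider's tokenisation service, and the transaction record shows what a merchant is left holding after authorisation (a token, a masked PAN, and no CVV). The test card number 4111111111111111 is a standard Luhn-valid test value, not a real card.

```python
"""DTMF capture with agent-side masking and tokenisation.

Added example, not Paytia's implementation. The tone source, the vault and the
record format are stand-ins (assumptions) so the flow can run offline.
"""
import secrets

# Sensitive authentication data and the full PAN must not survive authorisation.
FORBIDDEN_AFTER_AUTH = {"pan", "cvv", "track_data", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: catches a mis-keyed digit before an auth call is wasted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS permits staff to see."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for the payment provider's tokenisation service (assumption)."""

    def __init__(self):
        self._store = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan   # the PAN lives only here, outside the merchant's systems
        return token


class DtmfCaptureSession:
    """Accumulates keypad digits. Nothing this object returns exposes the PAN:
    the agent display is asterisks, the result is a token plus a masked PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self._digits = ""

    def press(self, key: str) -> dict:
        if key == "*":                       # customer clears and starts again
            self._digits = ""
            return {"status": "cleared", "display": ""}
        if key == "#":                       # customer confirms entry
            return self._finish()
        if len(key) == 1 and key in "0123456789":
            self._digits += key
            return {"status": "entering", "display": "*" * len(self._digits)}
        return {"status": "ignored", "display": "*" * len(self._digits)}

    def feed(self, keys: str) -> dict:
        """Simulate a sequence of tones; returns the last event."""
        result = {"status": "idle", "display": ""}
        for k in keys:
            result = self.press(k)
        return result

    def _finish(self) -> dict:
        pan, self._digits = self._digits, ""   # clear the buffer whatever happens next
        if not 13 <= len(pan) <= 19:
            return {"status": "invalid", "reason": "length"}
        if not luhn_valid(pan):
            return {"status": "invalid", "reason": "luhn"}
        return {"status": "captured",
                "token": self._vault.tokenise(pan),
                "masked": mask_pan(pan)}


def build_transaction_record(capture: dict, amount_pence: int,
                             auth_code: str, customer_ref: str) -> dict:
    """What the merchant keeps after authorisation: token and masked PAN only.
    The CVV, if collected the same way, goes straight to the auth call and is never stored."""
    record = {"token": capture["token"], "masked_pan": capture["masked"],
              "amount": amount_pence, "auth_code": auth_code,
              "customer_ref": customer_ref}
    assert FORBIDDEN_AFTER_AUTH.isdisjoint(record), "prohibited data in retained record"
    return record


if __name__ == "__main__":
    session = DtmfCaptureSession(TokenVault())
    print(session.feed("4111"))                    # agent sees ****
    result = session.feed("111111111111#")         # completes the test PAN
    print(result)
    print(build_transaction_record(result, 2500, "A1B2C3", "ORD-1001"))
```

In a real deployment the keypad tones are stripped from the audio path before it reaches the agent and the recorder; this example only models the data-handling side of that design. Note that the buffer is wiped on every finish, valid or not, so a mis-keyed PAN is never left in memory waiting for the next attempt.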

Staff Training and Management

Even with secure technology in place, training matters. Staff need security awareness training so they understand why the controls exist and what to do if something seems wrong. Clear desk policies prevent card details being written down (though with DTMF masking, there are no details to write). Regular audits of payment handling procedures catch drift before it becomes a problem.

Process Improvements

Tighten your payment processes to minimise risk. Collect only what's essential — if you don't need the cardholder's full name for the transaction, don't ask for it. Establish clear authorisation workflows so high-value or unusual transactions get appropriate scrutiny. Create documented refund and dispute processes so your team handles chargebacks consistently.

MOTO Payment Reporting Requirements

Businesses processing MOTO payments have specific reporting obligations that go beyond what's required for card-present or standard e-commerce transactions. Getting these wrong can lead to compliance issues, higher processing fees, or problems with your acquiring bank.

Transaction type coding is the most fundamental requirement. Every MOTO transaction must be flagged with the correct transaction type indicator when it's submitted to your acquirer. Card networks use these codes to apply the right interchange rates and fraud rules. If you're submitting MOTO transactions with e-commerce codes — or vice versa — you'll face incorrect pricing at best and compliance violations at worst. Your payment gateway or virtual terminal should handle this automatically, but it's worth verifying with your provider.

Chargeback monitoring is particularly important for MOTO merchants because of the higher fraud risk. Both Visa and Mastercard run monitoring programmes that flag merchants whose dispute ratios exceed published thresholds, historically around 1% of transactions together with a minimum count of roughly 100 disputes in a month; the exact metrics and thresholds change (Visa reworked its programme in 2025), so check the current scheme rules with your acquirer. MOTO merchants hit these thresholds more easily because they don't have 3DS2's liability shift protection. If you enter a monitoring programme, you'll face additional fees, mandatory action plans, and ultimately the risk of losing your merchant account. Track your chargeback ratio monthly and investigate every dispute, even the small ones.

PCI DSS reporting through Self-Assessment Questionnaires is an annual obligation. The SAQ type you complete depends on how you handle card data. If agents handle card details directly, you need SAQ D — the most extensive questionnaire. If you use a solution like Paytia that prevents agents from accessing card data, you can typically complete SAQ A or SAQ A-EP, which are far shorter and simpler. Whichever SAQ applies, it must be completed annually and submitted to your acquiring bank.

Transaction record keeping is required under both PCI DSS and general financial regulations. You need to retain records of MOTO transactions including the date, amount, authorisation code, and customer reference — but crucially, you must not store the CVV or full magnetic stripe data after authorisation. Many businesses fall foul of this by recording phone calls that capture card details, effectively storing data they're prohibited from keeping. If your call recordings contain card data, you either need to stop recording during the payment portion of the call or use DTMF masking to ensure card details never enter the recording in the first place.

How Paytia Handles MOTO Payments

Paytia builds specifically for secure MOTO processing, tackling the real challenges businesses run into:

Agent Assist Technology

Paytia's Agent Assist solution lets customers enter card details via their phone keypad while staying on the call with your agent. It keeps agents from seeing or hearing complete card details, significantly reduces PCI DSS compliance scope, maintains the personal touch of human interaction, and protects payment data from call recording systems.

Improved Security Features

DTMF audio masking prevents payment data from being captured in recordings. Real-time fraud detection provides automated screening of suspicious transactions. Tokenisation enables secure storage for recurring payments. Because Paytia is a PCI DSS Level 1 validated service provider, customers typically move from SAQ D to SAQ A; under PCI DSS v3.2.1 that meant 329 questions down to 22, a reduction of roughly 93% in compliance effort, and the gap remains large under the v4.0.1 questionnaires.

Operational Benefits

Integration with existing telephony systems is straightforward. API integration connects with your payment processing systems. Full transaction reporting and audit trails give you complete visibility. Multi-currency support handles international transactions without additional complexity.

MOTO payments are still a critical channel for many businesses, but they do require careful attention to security and compliance. By understanding the challenges, putting the right controls in place, and using modern payment technology like Paytia, businesses can process MOTO payments safely without sacrificing the customer experience.

If you want to tighten your MOTO payment security and reduce your compliance burden, get in touch.
