PCI DSS Level 1 Certified

MOTO Payments Secure card-not-present payments without the PCI scope

A MOTO payment — Mail Order, Telephone Order — is any card payment you take when the customer isn't physically with you and their card isn't either. Phone orders, fax invoices, mail renewals, call-centre sales. You pay a higher interchange rate than card-present and carry the chargeback liability. We handle the card capture so the number never reaches your agents or your systems, and your PCI scope drops to SAQ A. Works with your existing merchant account. Lives within our PCI DSS Level 1 environment.
Book a demoTalk to us

What a MOTO payment actually is

MOTO stands for Mail Order / Telephone Order. It's a card-not-presenttransaction where the customer gives you their card details over the phone, by post, or by fax — neither the card nor the cardholder is anywhere near you. The term's a hangover from the catalogue-sales era, but the card schemes still use it and so do your acquirer, your processor, and your auditor.

It's different to in-person and online in a couple of ways that matter. There's no chip-and-PIN, no contactless tap, no signature — none of the friction that protects a card-present sale. And unlike online, there's no straightforward way to slot a 3DS2 step into the flow, because the customer is on a phone call rather than a checkout page. The card scheme sees the transaction as higher risk than either of the alternatives, prices it accordingly, and pushes the chargeback liability onto you.

Plenty of businesses still rely on it. Charities taking phone donations from older supporters. Housing associations collecting rent. B2B trade desks closing wholesale orders. Insurance and pensions renewals. Mail-order pharmacies. Medical billing. Solicitors and accountants invoicing by phone. Any business with a customer base that prefers a phone call to a website checkout — which, in 2026, is still most of them — runs a MOTO channel whether they call it that or not.

We've been building PCI-compliant phone payment systems since 2016 and MOTO is the workflow we know best. The rest of this page covers what makes it the riskiest card channel you can run, what compliance actually demands, and how to handle the call so your agent stays on the line and the card data doesn't reach your systems. If you'd rather skip to a demo, we'll show you the flow on a real call.

Why MOTO is the riskiest card-payment channel you run

Card-not-present fraud is the single largest category of card fraud loss in the UK, and MOTO sits at the sharper end of CNP. Online checkouts have 3DS2, device fingerprinting, browser signals, and a liability shift to lean on. Card-present has chip-and-PIN and the customer standing in front of you. MOTO has none of that — just a voice on a phone reading sixteen digits — which is why the card schemes price MOTO interchange roughly 0.1–0.3% above card-present and why your acquirer treats every dispute as your problem.

The fraud patterns we see most often on MOTO calls fall into four shapes. The first is the classic stolen-card delivery scam: a fraudster calls with card details they bought on the dark web, places an order, ships it to a drop address. By the time the genuine cardholder spots the transaction and files a chargeback, the goods are gone. The second is friendly fraud — a real customer places a real order, takes delivery, then disputes the charge with their bank and claims they never made the call. Without 3DS2's liability shift to fall back on, you absorb the loss almost every time.

The third pattern is card testing. Someone uses your phone line to check whether a stolen card number is live by running a small, low-value transaction. If it goes through, they move on to bigger purchases somewhere else. You're left with a string of one-pound and two-pound chargebacks that look trivial in isolation but pile up fast enough to push your chargeback ratio above the threshold your processor is allowed to tolerate. The fourth pattern is refund fraud: a caller places an order, rings back claiming a problem, and asks for the refund to land on a different card. Without a strict policy that returns money to the original method only, you can lose on both ends.

All of that is external attackers. The risk that businesses least want to think about is internal. If your agents can see or hear full card details — and on a traditional MOTO call they have to, otherwise they can't type them into the virtual terminal — a single dishonest hire can pocket dozens of card numbers in a shift. Stolen card data often surfaces months later, sold in batches, by which point tracing it back to your contact centre is nearly impossible. The hidden agent-exposure riskon a normal MOTO setup is the one we hear about most after the fact, usually from the compliance officer who's just spotted it on an audit.

Then there's everything that captures card data accidentally. Call recordings are the worst offender — most contact centres record for QA, training, and compliance, and most of them haven't worked out that every recording capturing a customer reading sixteen digits is now cardholder data. The recordings have to be encrypted, access-controlled, and retention-managed at the same level as a primary card database, because under PCI DSS that's what they are. Same goes for any paper order form sitting on a desk with a PANon it, any email a customer ever sent with their card number in it, any CRM note where an agent typed the digits into a free-text field. Email is the quiet one — it isn't encrypted by default, it sits in inboxes for years, and it gets backed up to systems nobody's ever included in their PCI scope assessment.

Attackers know all of this. The MOTO playbook isn't exotic. It's social-engineering customer service to read a card back so they can be sure they've got it right. It's phishing the recordings system. It's pretexting a refund. It's walking out with a clipboard. The reason MOTO fraud rates run higher than any other card channel isn't that the criminals are cleverer here — it's that the surface area you're defending is genuinely bigger, and most of it sits inside your own four walls.

What PCI DSS, SCA, and GDPR actually require for MOTO

Every MOTO transaction is in PCI DSS scope. There's no minimum-volume carve-out, no exemption for low-risk merchants, no allowance for "we only do a handful of phone payments." If you take card details by phone, the standard applies to you, and which Self-Assessment Questionnaire you have to complete depends entirely on how the card data is handled.

If your agents key the card number themselves into a virtual terminal — the traditional MOTO setup — you're on SAQ D. Around 329 controls, annual evidence, the heaviest reporting tier short of a full Report on Compliance. Your agent workstation, your call recordings, your CRM, your network, and any paper forms all sit inside the cardholder data environment, and every one of those becomes something you have to document and audit. If you route the capture through a PCI-certified provider so card data never reaches you — DTMF masking, channel separation, agent-assisted — you drop to SAQ A, which is around 22 controls. PCI DSS v4.0.1 sharpened the language on this further: any system component that can affect the security of cardholder data is in scope, so a recording system that captures DTMF tones counts even if it never stores the digits as text.

Strong Customer Authentication under PSD2 is the rule for online card payments in the UK and EU — two factors, every time, with a handful of exemptions. MOTO is one of the exemptions, but it's not a free pass. Acquirers expect you to flag the transaction with the correct MOTO indicator when you submit it, run additional fraud screening to compensate for the missing authentication step, and keep your PSD2documentation up to date. The exemption exists because there's no realistic way to make a customer scan a fingerprint or approve a push notification while they're mid-call. It doesn't exist because MOTO is low risk; it exists because the protocol won't fit.

Where 3DS2can be brought in — typically when the customer has a mobile to hand during the call and can approve a step-up on their banking app — using it gives you the liability shift you'd otherwise be missing. We apply 3DS2 wherever it's available and fall back to fraud-screening rules where it isn't, so the transactions most likely to dispute later get extra scrutiny up front.

GDPRsits over the top of all of this. Card details are personal data, the lawful basis for processing is contract performance, and the principles of data minimisation and storage limitation apply directly to your call recordings. The cleanest answer is to not store card numbers in the first place — no card data in your environment means no retention question, no subject access request that includes a PAN, no breach-notification trigger when a backup tape goes missing. The second cleanest answer is to pause recordings during the payment portion of the call, which most contact-centre platforms support but many haven't configured.

MOTO and PCI DSS scope

A MOTO call without protection is a PCI nightmare. With us, it's an SAQ A line item.

PCI DSS Level 1 Service Provider certification

PCI DSS Level 1

We carry the highest level of PCI certification. Plug us in and your scope drops the moment the card data stops reaching you.

A typical unprotected MOTO call puts your call recording, your agent's desktop, your CRM notes, and any paper forms in PCI scope. Every one of those becomes a control you have to document, audit, and staff. With Paytia, card data never reaches any of them. Your SAQ shortens from 329 controls to 22. Your recording system drops out of scope entirely because there's no card data in the audio to protect.

AreaWithout PaytiaWith Paytia
Self-assessmentSAQ D (329 controls)SAQ A (22 controls)
Call recordingsContain card data — redact or pauseCard-data free
Agent workstationIn scope, full lockdownOut of scope
Annual auditFull QSA assessmentEvidence of integration only

How to take MOTO payments without absorbing the risk

The principle is simple: if the card number never reaches your environment, almost none of the risk reaches it either. Your agents can't leak data they never had, your recordings can't capture tones they never received, your CRM can't store digits nobody typed into it, and your auditor has 22 controls to check instead of 329. The whole modern MOTO stack is built around getting card capture out of the parts of your business where it doesn't belong.

On the phone leg, the right answer for almost every contact centre is DTMF masking. The customer types their card on their own phone keypad. Each tone is intercepted and replaced with a flat sound before it reaches your agent or your recording system. The agent stays on the call the whole time, talks the customer through it, and confirms the result when authorisation comes back. From the customer's side it feels like any normal phone payment. From your auditor's side, the audio has no card data in it.

Channel separation takes the same idea a step further on calls where the agent shouldn't be in the room with the digits at all. The card capture happens on a separate audio path that bypasses the agent's line entirely. Useful for higher-value transactions, regulated industries, and anywhere the threat model includes the agent themselves. Agent-assisted sits between the two — the agent keeps the call going, the customer keys the card, and the agent sees only a masked progress indicator on screen.

For mail-order and email-order workflows, the answer is to stop accepting card details in writing at all. We send the customer a secure payment link by SMS or email; they tap through to a hosted payment page in our PCI environment, type the card themselves, and the confirmation lands back in your system as a token plus an authorisation code. The order form on your end never sees a card number. The same flow handles refunds, top-ups, and ad-hoc payment requests without you ever opening an email that contains a PAN.

Where the card goes once we've captured it depends on what you already have. We pass the authorisation request straight to your existing acquirer — Barclaycard, Worldpay, Tyl, Elavon, Adyen, whichever — so your pricing, your settlement, and your reporting don't move. What does move is what gets stored where. We tokenisethe card inside our vault and return a token your systems can use for refunds, repeat charges, or anything else you need to do with that customer later. The real PAN never leaves our environment. The agent never sees it. The recording never hears it. The CRM never stores it. That's what good looks like for a 2026 MOTO operation.

Where MOTO fits in your stack

MOTO sits on top of whatever phone system you already run. We don't replace your telephony, your CCaaS platform, your PBX, or your agent desktop. If you're on a traditional ISDN line into an on-prem switch, we hook in. If you're on a cloud contact centre — Genesys, Talkdesk, 8x8, RingCentral, Five9 in the UK, NICE, whatever — we hook in. The integration is at the call-leg level for DTMF masking, or via API for the secure-link and agent-assisted flows, so you don't have to rip anything out to get the scope reduction.

The gateway side is the same story. We route authorisation requests to your existing acquirer or processor — UK clearing banks, the usual independents, Adyen, Worldpay, the lot. You keep your merchant ID, your pricing, your settlement schedule, your existing reporting. The only thing that changes is that the PAN comes from our vault rather than from your CRM. Multi-currency works the way it already does in your gateway; we don't add anything on top.

A handful of edge cases come up often enough to call out. International cards work the way they always have, except the customer keys their CVV directly so it can't go astray in transit. Refunds run through the original payment method via the token, so you stay on the right side of the card schemes' refund-fraud rules without having to remember which card the original charge landed on. Recurring MOTO — subscription renewals, instalment plans, pay-as-you-go top-ups — uses the token from the first call for every charge after that, so the customer reads their card once and never again.

Most customers are live within a week. Agents don't need training because there's nothing for them to learn — the call flow looks the same to them, just with a "Take payment" button that doesn't ask them to read digits back. If you want to see the whole thing on a real call, we'll walk you through it, or you can tell us what your stack looks likeand we'll work out the shape of the integration before you commit to anything.

Frequently asked questions

What is a MOTO payment?

A MOTO payment is a card transaction where the cardholder isn't physically with you and their card isn't either. MOTO stands for Mail Order / Telephone Order — the original category the card schemes used for catalogue orders, phone sales, fax orders and invoice payments. Today it covers anything where the customer reads or keys their card details across a phone line, an email, a fax, or a written order form. The card schemes treat it as card-not-present (CNP), which means higher interchange rates and full chargeback liability for you.

What's the difference between MOTO and card-present payments?

Card-present means you've got the card and the cardholder in front of you — chip and PIN, contactless, swipe. MOTO means neither the card nor the cardholder is with you; the customer shares their details remotely. Interchange fees for MOTO run roughly 0.1–0.3% higher than card-present because card issuers see it as higher fraud risk, and chargeback liability sits with you rather than the customer's bank.

What's the difference between MOTO and IVR payments?

IVR is one flavour of MOTO. A MOTO payment is any card-not-present transaction taken over a phone or written channel. An IVR payment is specifically a MOTO payment taken by an automated voice response system with no agent on the call. If you want the agent to stay on the call and help the customer through, that's agent-assisted MOTO with DTMF masking. If you want it fully automated, that's IVR. Both are MOTO, both use the same card schemes, both need the same PCI thinking.

How do I take MOTO payments securely?

The risky way is: your agent reads the card number aloud, writes it on a form, or your call recording captures it. Any of those and you're in full PCI DSS SAQ D scope — 329 controls, annual audits, trained staff, secure rooms. The safer way is to route the card capture through a PCI-certified provider. With Paytia, the customer types their card on their own phone keypad, we mask the tones so the agent hears nothing, and we send the card straight to your gateway. Your scope drops to SAQ A (22 controls) and nothing sensitive ever lands in your systems.

Can MOTO payments be recurring?

Yes, and they often are. We tokenise the card on the first transaction and use the token for every subsequent charge — subscriptions, payment plans, instalments, renewal invoices. The customer only reads or keys their details once. Every charge after that runs off a token that lives in our environment, not yours, so you can bill every month without storing a single card number.

Do I need a special merchant account for MOTO?

You need a merchant account set up for card-not-present transactions. Most UK acquirers (Barclaycard, Worldpay, Tyl by NatWest, Elavon, and others) offer MOTO as an add-on to a standard card-present account, sometimes as a separate MID. Pricing is usually a per-transaction uplift. We plug into any of them — you keep your existing acquirer, we handle the capture and tokenisation layer on top.

Does MOTO work with 3-D Secure?

Yes — 3DS2 works for MOTO where the customer has a mobile handy for the authentication step. Where they don't, MOTO falls back to non-authenticated CNP, which is why fraud screening and tokenisation matter more. Our platform applies 3DS2 when it can and flags high-risk transactions when it can't, so you're not flying blind on fraud.

Elavon recommended Paytia; we didn't look back. Here was a solution that finally ticked all our boxes — and met our bank client's substantial security and compliance controls. It's been a great success.

Paula Griffiths

Head of Regional Operations, ICE International Currency Exchange

Read the case study →

Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College

Since 2016

Building secure payments

PCI DSS Level 1

Highest certification

99.99%

Platform uptime

£40M+

Transactions processed

Ready to take MOTO payments without the PCI headache?

We'll walk you through how MOTO payments work on your existing phone system and gateway. Most customers are live within a week — your agents don't need training because there's nothing for them to learn.

PCI DSS Level 1
Cyber Essentials Plus
Book a demoTalk to us

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia

Related solutions

Other ways to take payments in this channel.

DTMF Masking

Also called DTMF suppression. The customer types their card on their phone keypad. We mask the tones in the live audio so the agent doesn't hear them and the recording stays clean.

Learn more

Agent-Assisted Payments

Your agent stays on the live call while the customer keys their card. We mask the tones so no card data reaches the recording or the agent's audio.

Learn more

Taking Card Payments Over the Phone

How to take card payments on a call legally, securely, and without landing in SAQ D. Covers agent-assisted, IVR, and outbound options.

Learn more