Payment Security | 15 November 2025 | 9 min read

MOTO Payments Explained: The Complete UK Guide to Mail Order and Telephone Order Transactions

Everything UK businesses need to know about MOTO payments: what they are, security challenges, PCI DSS compliance, fraud prevention, and how to process mail order and telephone order transactions securely.

Mail Order/Telephone Order (MOTO) payments are card-not-present transactions where customers provide their payment details over the phone or through mail order rather than presenting a physical card at a terminal. Despite the rapid growth of e-commerce, MOTO payments remain essential for a huge number of UK businesses, particularly those in sectors like insurance, utilities, travel, healthcare, and professional services.

If your business takes payments over the phone, you need to understand exactly how MOTO transactions work, the security risks involved, and what the law expects of you. This guide covers everything from the basics through to compliance requirements and practical solutions for keeping your customers safe.

What Are MOTO Payments?

MOTO stands for Mail Order/Telephone Order. It is a payment category used by card schemes such as Visa and Mastercard to classify transactions where the cardholder is not physically present. The merchant or their agent manually enters the card details into a payment system, rather than the customer tapping, inserting, or swiping their card.

MOTO transactions include:

  • Telephone orders — Customers calling a business to make a payment or purchase over the phone
  • Mail orders — Customers sending payment details via postal mail or, less commonly, by email
  • Agent-assisted payments — Contact centre or back-office staff helping customers complete transactions
  • Recurring payments — Subscription services and regular billing initiated via a phone or mail instruction

Because MOTO transactions are classified separately from e-commerce (where the customer keys in their own details online) and from card-present transactions, they carry their own set of rules, risk profiles, and compliance obligations.

Why MOTO Payments Still Matter in 2026

It would be easy to assume that phone payments are declining, but the reality is quite different. MOTO transactions continue to be vital for many organisations for several compelling reasons:

  • Customer preference — Many customers, particularly older demographics, prefer speaking with a real person rather than navigating a website
  • Complex transactions — High-value or complicated payments, such as insurance policy excesses or bespoke service agreements, benefit enormously from human assistance
  • Accessibility — Customers without reliable internet access or digital confidence still need a way to pay
  • Urgent transactions — When online systems go down or a customer needs to pay immediately, the telephone is a reliable fallback
  • B2B transactions — Many business customers prefer phone-based payment processing, especially for large or irregular invoices
  • Regulated sectors — Industries like insurance, local government, and healthcare rely heavily on phone-based collections

Security Challenges with MOTO Payments

MOTO transactions face several inherent security challenges that every business must address. The Payment Card Industry Security Standards Council (PCI SSC) is clear: MOTO payments remain in PCI DSS scope because card data is collected by staff. That means every phone-based order must be secured just as rigorously as an e-commerce transaction.

Higher Fraud Risk

Without a physical card present or real-time electronic verification like 3D Secure, MOTO transactions carry higher fraud rates than card-present transactions. Fraudsters can use stolen card details far more easily when there is no chip, PIN, or biometric check.

Agent Exposure to Sensitive Data

Traditional phone payment processes require staff to see or hear complete card details, including full card numbers, expiry dates, CVV codes, and cardholder names. This exposure creates significant security risks and dramatically increases your PCI DSS compliance requirements. Every agent who handles card data becomes part of your cardholder data environment.

Call Recording Risks

Many businesses record customer calls for quality assurance, training, or regulatory compliance. If those recordings capture card details, they become sensitive data subject to strict PCI DSS controls, including secure storage, encryption, access restrictions, monitoring, and secure deletion procedures. In practice, this is extremely difficult and expensive to manage properly.

Documentation and Physical Security

When customers provide card details via mail, or when agents write them down during phone calls, physical records require locked storage, proper disposal through cross-cut shredding, access logging, and background checks for any staff who handle them. Even a sticky note with a card number on an agent's desk represents a serious compliance failure.

Chargeback Exposure

MOTO transactions face higher chargeback risks because there is no cardholder verification method equivalent to chip and PIN. Businesses need proactive management including clear transaction descriptions, comprehensive documentation of customer authorisation, prompt responses to chargeback notifications, and systematic analysis of dispute patterns.

PCI DSS Compliance for MOTO Payments

All MOTO transactions fall squarely within PCI DSS scope. The standard requires businesses to:

  • Protect stored card data with strong encryption and access controls
  • Restrict access to cardholder data on a need-to-know basis
  • Monitor and log all access to network resources and cardholder data
  • Conduct regular security testing including vulnerability scans and penetration tests
  • Maintain information security policies covering all staff and contractors
  • Complete annual assessments — either a Self-Assessment Questionnaire (SAQ) or a formal audit by a Qualified Security Assessor (QSA), depending on your transaction volume

The level of SAQ you need depends on how you process MOTO payments. Businesses where agents handle card data directly typically need SAQ C-VT or SAQ D, both of which carry substantial requirements. However, if you use a solution that keeps card data entirely out of your environment, you may qualify for the far simpler SAQ A, reducing your compliance burden by up to 85%.

Strong Customer Authentication (SCA) and MOTO

Under PSD2 regulations, MOTO transactions are currently exempt from Strong Customer Authentication requirements. However, merchants must properly flag transactions as MOTO with their payment processor, implement additional fraud monitoring to compensate for the SCA exemption, and remain prepared for potential future regulatory changes.

UK GDPR and Data Protection

Processing card details over the phone also requires compliance with UK GDPR, enforced by the Information Commissioner’s Office (ICO). This includes having a lawful basis for processing, applying data minimisation principles, ensuring secure transmission and storage, and respecting data subject rights such as access and deletion requests.

Fraud Prevention Strategies for MOTO Transactions

Robust fraud prevention is not optional for businesses processing MOTO payments. Effective strategies include:

  • Customer verification — Verify identity through multiple data points before processing a transaction
  • Address Verification Service (AVS) — Confirm that the billing address provided matches the one held by the card issuer
  • CVV checking — Always require and verify the card security code
  • Velocity monitoring — Track transaction patterns and flag unusual frequency or amounts
  • Blocklist management — Maintain records of known fraudulent cards, addresses, and identities
  • Real-time fraud scoring — Use automated systems that assess risk in real time before authorising a payment
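The velocity monitoring item above can be implemented as a sliding window per card. The following is an added example, not code from this guide or from any payment provider; the token names, the ten-minute window, and the count and amount limits are assumptions, and amounts are in pence.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class VelocityMonitor:
    """Sliding-window velocity check keyed on a card token, never the raw card number."""

    def __init__(self, window=timedelta(minutes=10), max_count=3, max_total=50_000):
        self.window = window            # how far back to look
        self.max_count = max_count      # attempts allowed per token per window
        self.max_total = max_total      # cumulative pence allowed per token per window
        self.history = defaultdict(deque)   # token -> deque of (timestamp, amount)

    def check(self, token, when, amount):
        """Record one payment attempt and return the rules it trips."""
        q = self.history[token]
        # Drop attempts that have aged out of the window (events arrive in time order).
        while q and when - q[0][0] > self.window:
            q.popleft()
        q.append((when, amount))
        reasons = []
        if len(q) > self.max_count:
            reasons.append("frequency")
        if sum(a for _, a in q) > self.max_total:
            reasons.append("amount")
        return reasons

def run(events, **limits):
    """Feed (token, ISO timestamp, pence) tuples through a fresh monitor."""
    mon = VelocityMonitor(**limits)
    return [(tok, ts, mon.check(tok, datetime.fromisoformat(ts), amt))
            for tok, ts, amt in events]

# Constructed sample events: (card token, time of attempt, amount in pence).
SAMPLE_EVENTS = [
    ("tok_A", "2025-11-15T10:00:00", 4000),
    ("tok_A", "2025-11-15T10:02:00", 4500),
    ("tok_B", "2025-11-15T10:03:00", 60000),   # single large payment
    ("tok_A", "2025-11-15T10:04:00", 3000),
    ("tok_A", "2025-11-15T10:06:00", 2500),    # fourth attempt inside ten minutes
    ("tok_A", "2025-11-15T10:30:00", 2000),    # earlier attempts have aged out
]

if __name__ == "__main__":
    for tok, ts, reasons in run(SAMPLE_EVENTS):
        print(ts, tok, reasons or "ok")
```

A flagged attempt is a signal for review or step-up verification rather than an automatic decline; the same window can be keyed on agent ID or caller number to catch patterns that span several cards.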

Best Practices for Secure MOTO Processing

Use Secure Payment Technology

Modern payment solutions can dramatically reduce the security risks associated with MOTO transactions:

  • DTMF masking — Customers enter card details via their phone keypad while agents remain on the call, but the tones are suppressed so agents never hear or see the card data
  • Tokenisation — Replace actual card numbers with secure tokens for recurring payments, meaning sensitive data is never stored in your systems
  • Secure payment links — Send customers a link via SMS or email to complete payment on a secure, PCI-compliant page
  • Automated fraud screening — Real-time fraud detection and prevention integrated into the payment flow

Staff Training and Management

Even with the best technology, comprehensive staff training remains essential:

  • Regular security awareness training covering social engineering and data handling
  • Clear desk policies ensuring no written card details are left visible
  • Regular audits of payment handling procedures
  • Background checks for all staff involved in payment processing

Process Improvements

Streamline your payment processes to minimise risk at every stage:

  • Minimise data collection to only the essential elements required for the transaction
  • Implement verbal verification procedures to confirm customer identity
  • Establish clear authorisation workflows with appropriate approval levels
  • Create documented refund and dispute handling processes

MOTO Payments Across Industries

MOTO payments serve a wide range of business models and sectors across the UK:

  • Insurance — Policy excess payments, premium collections, and claims settlements
  • Utilities — Bill payments and account top-ups for customers who prefer phone contact
  • Healthcare — Patient payment collection, prescription charges, and private medical billing
  • Professional services — Invoice payments for consultancy, legal, and accountancy firms
  • Travel and hospitality — Bookings, deposits, and balance payments
  • Subscription services — Recurring billing and membership renewals
  • Local government — Council tax, parking fines, and service fees

How Paytia Secures MOTO Payments

Paytia offers purpose-built solutions for secure MOTO processing that address every challenge outlined above.

Agent Assist with DTMF Masking

Paytia’s Agent Assist solution uses DTMF masking so that customers enter card details via their phone keypad while remaining on the call with your agent. The keypad tones are suppressed and replaced with flat tones, meaning:

  • Agents never see or hear complete card details
  • Card data never enters your network, desktops, or call recordings
  • PCI DSS compliance scope is dramatically reduced
  • The personal, human touch of the conversation is fully maintained

Secure Virtual Terminal

Paytia’s Secure Virtual Terminal combines PCI Level 1 processing with controls that keep sensitive digits entirely out of your infrastructure. The system generates timestamped logs confirming when card data was tokenised, which agent initiated the transaction, and which channel was used — evidence that shortens PCI assessments and supports acquiring bank attestations.

Advanced Payment Links with Secure Code

MOTO payments increasingly begin with a link sent via SMS or email. Paytia’s Advanced Payment Links include Secure Code verification — a second-factor code delivered through a trusted channel that proves the link is genuine. This aligns with phishing guidance from the UK National Cyber Security Centre (NCSC) and reassures customers before they authorise payment.

Operational Benefits

  • Seamless integration with existing telephony systems — no need to rebuild your stack
  • API integration with your payment processing and CRM systems
  • Comprehensive transaction reporting and audit trails
  • Multi-currency support for international transactions
  • Revenue continuity — customers complete payments during the call, reducing invoice follow-up

Getting Started with Secure MOTO Payments

MOTO payments remain essential for UK businesses across every sector, but they demand careful attention to security and compliance. The good news is that modern payment technology makes it entirely possible to process telephone and mail order payments securely without sacrificing customer experience or operational efficiency.

By understanding the risks, implementing proven best practices, and using a PCI Level 1 compliant platform like Paytia, your business can handle MOTO transactions with confidence. If you are looking to improve your MOTO payment security and reduce your compliance burden, book a demo or contact Paytia today to learn how our secure payment solutions can help.
