Quick summary
You can take secure card payments over the phone seven ways with Paytia — agent-assisted DTMF masking, automated IVR, pay-by-link, QR codes, in-person on a tablet, open banking, and browser-based calling. In every case the customer enters their own details, card data never touches your business, and you stay PCI-DSS Level 1 compliant. Pick by the kind of call you handle; you can run several at once.
Last updated: 3 June 2026
The seven methods
Your agent takes the call as normal; when it's time to pay, the customer keys their card number in on their own phone keypad. The digits never reach the agent, your call recording or your systems. This comes in two forms that reach the same PCI outcome in different ways.
With DTMF masking (also known as DTMF suppression; they're the same thing), the agent stays on the live call and the keypad tones are stripped from the audio in real time, so the conversation never breaks. With channel separation, the agent's audio drops off for the few seconds of capture while voice prompts guide the customer, which gives auditors a hard, physical separation. Masking suits calls where the conversation matters; channel separation suits high-volume lines or the strictest audit posture.
Best for: Live agent calls — DTMF masking when the agent should stay in the conversation, channel separation when you want zero agent training or the hardest audit separation.
Send the caller to an automated payment line. They enter a reference and the amount, key their card in, and pay — with no agent involved at all.
It runs around the clock and suits high-volume, repetitive payments like bills and invoices, where there's nothing for an agent to add.
Best for: Out-of-hours payments and high-volume bill or invoice collection.
Send the customer a secure link by SMS or email. They open it and pay on a branded page, and you never touch the card.
It's a tidy way to follow up a call, chase an invoice, or take payment when the customer would rather pay in their own time.
Best for: Following up calls, invoicing, and customers who'd rather pay later.
Show or print a QR code — on screen, on an invoice, or in person. The customer scans it with their phone camera and lands on a payment page with their details already filled in.
It turns any printed or on-screen surface into a way to pay, with no card details spoken or written down.
Best for: Invoices, in-person counters, and anywhere you can show a code.
Hand your tablet to the customer and let them type and verify their own card details, with 3DS2 for extra protection. The card data stays with them, not your staff.
It covers face-to-face sales without needing a traditional card terminal on every desk.
Best for: Field sales and face-to-face payments without a card machine.
Skip cards entirely. The customer approves an identity-verified payment straight from their banking app, bank to bank.
There's no card data involved at all and the funds move directly, which helps on larger amounts where card fees start to bite.
Best for: Larger payments, and customers who'd rather pay from their bank than a card.
Take a call and a payment straight from a web browser. It's a useful backup if your normal phone system goes down, so customers can always reach you to pay.
Same secure capture, no desk phone required.
Best for: Business continuity, and teams without fixed desk phones.
Start with the call. If an agent needs to stay in the conversation — a renewal, a retention call, anything where a silence costs you — use agent-assisted DTMF masking. If the payment is repetitive and high-volume, an automated IVR takes the agent out of it. If the customer would rather pay later or in their own time, send a payment link.
What doesn't change is the security. Every method here is built so the customer enters their own card details and that data never reaches your staff, your recordings or your systems — which is what keeps you PCI-DSS compliant and drops your scope from SAQ D to SAQ A. Not sure which fits? Talk to us or see the full telephone payments picture, and our video library for more demos.
Every method on this page keeps card data out of your business — the customer enters their own details and nothing reaches your staff, your recording or your systems. Which one's 'best' depends on the call. If an agent needs to stay on the line, agent-assisted DTMF masking is the usual choice. For unattended payments, an automated IVR or a pay-by-link works better. They're all PCI-DSS Level 1.
No. With all of them the customer keys in their own card details — on their phone keypad, a payment page, or their banking app. Your agents never hear the digits or see the full number, so there's nothing for them to write down or mishandle.
Yes. We connect to modern cloud contact-centre platforms, traditional PBXes and plain SIP trunks, and to the major gateways including Stripe, Worldpay, Adyen, Checkout and Lloyds Cardnet. Your acquirer relationship and the way money settles to your bank don't change — only the route the card data takes.
PCI DSS scope follows the card data. Because the data never enters your network, your agents or your recording, most businesses move from SAQ D (329 controls) to SAQ A (22). The systems that used to be in scope drop out because there's no card data in them to protect.
Yes — most customers do. You can run agent-assisted masking on one line, an automated IVR on another, and send pay-by-links from the same account. Switching a call type from one method to another is a configuration change, not a rebuild.
With DTMF masking the agent stays on the live call and talks the customer through while the tones are masked. With an automated IVR the agent steps out entirely and voice prompts run the payment. Masking suits conversations that shouldn't break; IVR suits high-volume, hands-off payments.
Yes — they're two names for the same thing. The keypad tones are intercepted in the live audio so the agent and the call recording never get the digits. We lead with 'DTMF masking' because that's what most people search for, but you'll see it called DTMF suppression too; there's no difference in what it does.
Most cloud setups are live in a few working days. The bottleneck is usually change-window approvals on your side rather than the integration itself. We scope the timeline with you up front.
Book a 15-minute demo and we'll show you the methods that fit your setup, talk through PCI DSS scope, and map them to your phone system and gateway.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.