PCI DSS Level 1 Certified

Agent-Assisted Payments

Your agent stays. The card number doesn't.

Agent-assisted payments keep your agent on the live call while the customer keys their card on their own phone. We mask the keypad tones before they reach the agent's audio or the call recording, so the conversation never breaks and the card data never lands anywhere it shouldn't. One keypress to start the capture. One green light when the gateway responds. PCI scope drops from SAQ D to SAQ A the moment you connect.

What an agent-assisted payment actually is

An agent-assisted payment is the ordinary phone payment your contact centre already runs, with one specific change: the customer enters their card details on their own keypad while the agent stays on the line throughout the call. The agent doesn't read digits back. They don't type anything into a terminal. They're right there in the conversation — confirming the amount, answering questions, reassuring a nervous caller — but the card data takes a different route. It travels from the customer's handset straight to our DTMF masking layer and on to your payment gateway. It never touches your agents, your recordings, your CRM, or your network.

It's the middle option between two unworkable ones. Pure self-service IVR drops you out of PCI scope, but it also drops the customer the moment they need help — abandonment rates climb the second somebody passes a caller to "the machine". Pause-and-resume call recording leaves the card audio sitting in the agent's ear and on a quiet recording, which is still PCI cardholder data however carefully you handle it, and the compliance story falls over the first time an agent forgets to hit pause. Agent-assisted keeps the human in the call and keeps the card data out of it.

Who uses it? Any contact centre where the agent needs to stay in the conversation through the transaction. That covers retail customer service teams taking phone orders, insurance call centres handling premiums and excesses, healthcare billing teams collecting patient charges, B2B account teams taking deposits on six-figure orders, charities running live donor pledges, and housing associations collecting service charges from residents who'd rather speak to a person. If your team is on the phone with the customer at the moment of payment, this is the route that lets them stay there safely. Tell us about your setup and we'll show you what it looks like on your phone system in under twenty minutes.

How agent-assisted compares to the alternatives

There are three ways to take a card payment on a phone call. Two of them put you in full PCI scope. Only one keeps you out.

Risky

Agent reads the card aloud

The customer reads the card number out, the agent writes it down or types it into a terminal, everyone overhears it. The recording captures every digit. Notes, forms, and CRM fields end up holding card data.

PCI outcome: SAQ D. 329 controls. Every recording and workstation in scope. Not where you want to be.

Limited

Transfer to automated IVR

The agent puts the customer on hold, transfers them to an automated payment line, and hopes they come back. Fast for simple payments. Cold for anything that needs a person.

PCI outcome: SAQ A, but the call flow is jarring. You lose the ability to help mid-payment, and drop-off rates climb.

Recommended

Agent-assisted with DTMF masking

The agent stays on the call. The customer keys their card on their own handset. We mask the tones before they hit the recording or the agent's audio. Conversation never breaks; card data never arrives.

PCI outcome: SAQ A, 22 controls, full human experience. The one we're here for.

How an agent-assisted payment actually works on a call

Picture an ordinary call. A customer rings in, the agent picks up, they talk through whatever the customer needs — a new order, a renewal, a claim, a service-charge query. The conversation is unchanged from the way your team works today, right up to the moment of payment. At that point, the agent confirms the amount out loud, clicks "Take payment" in their dashboard, and tells the customer that they'll hear a short prompt and can tap their card details in on the keypad when they're ready. The agent stays right there with them.

What the agent sees: a progress panel inside whichever CRM or terminal they already use. The amount they entered. A counter showing digits arriving — sixteen for the card, four for expiry, three or four for the CVV. A live status — "awaiting card entry", "processing", "approved", or a clear decline reason if the gateway pushes one back. No card number, no truncated digits, nothing decodable. Just enough information to know the call is on track.

What the customer hears: the agent's voice the whole way through. They can ask "sorry, was that the long number or the security one?" and the agent can answer them in real time. They can pause to find their card. They can apologise for fumbling the keypad. None of it breaks anything — the audio path stays open both ways. The only thing that doesn't reach the agent's headset is the DTMF tones themselves. Every keypress is replaced with a flat, neutral sound before the audio leaves our network. Every digit sounds identical, so there's no way to reverse-engineer the card from the recording either.

Behind the scenes, the customer's keypresses arrive at our PCI DSS Level 1 environment over a secure SIP leg. The raw digits sit in encrypted memory just long enough to send to your acquirer. We never store them. As soon as the gateway responds, the agent's panel updates — approved with a transaction reference, or declined with a reason and a one-click option to try a different card. The whole capture takes twenty to thirty seconds in practice. The agent reads back the reference, schedules whatever's next, and the call carries on.

One detail worth pulling out: the masking happens upstream of the agent's device. It's not a piece of software running on their workstation, and it can't be disabled by an agent on a bad day. The agent's computer is literally on a different data path from the card digits. That's why this works as a control auditors trust — the protection is built into the technology, not into whether somebody remembered to hit pause.

The three technical methods behind agent-assisted

Agent-assisted is a use case, not a single technology. There are three different technical approaches that deliver it, and they're not interchangeable. Most contact centres pick one as a default and use a second for the calls where it fits better.

DTMF masking

The most widely deployed approach, and what we run by default. The agent and customer stay audibly connected throughout. As the customer taps their card on the keypad, every DTMF tone is intercepted at the network layer, decoded into a digit, and routed straight to the payment gateway. The agent hears a flat replacement tone in place of each press. Conversation continues. Rapport doesn't break. The strength of DTMF masking is the customer experience — a nervous caller can ask "is that going through?" mid-entry and the agent can answer. The trade-off is that the live voice path has to stay connected, which means the masking has to handle the audio stream in real time. We do that at our network edge, which is why the agent's workstation never sees the card data.

Channel separation

Channel separation takes a stricter line for the calls where audit-proof security matters more than conversational warmth. During the card-entry window, the audio between agent and customer is disconnected entirely. The customer hears a recorded prompt asking them to enter their card. The agent hears hold music and watches the same progress panel. When the gateway confirms, both sides are reconnected and the call picks up where it left off. The advantage is that the agent physically can't prompt the customer to read a card aloud — the audio path isn't there to carry the request — so the social-engineering risk drops to near zero. The trade-off is that the customer can't ask questions mid-entry. Experienced callers don't mind. Nervous ones can find it cold. We deliberately offer both methods so you can match the technique to the call type. Channel separation has its own page if you want the deeper view.

Conference-pay IVR

The third option conferences the customer into a separate IVR for the payment step. The agent stays on the line but the customer is temporarily routed to a secure IVR system to enter their card. When the IVR confirms the payment, the customer is brought back to the agent and the call continues. It works, and the card data stays out of your systems, but customers tend to find the handover clunky — there's a clear "you're being passed to a machine now" moment that some abandon at. It's also more complex to integrate because you're coordinating two voice platforms instead of one. We'll deploy it where a contact centre already has an IVR estate they want to keep using, but it's rarely the default we'd pick.

The short version: DTMF masking wins when the human connection matters most, channel separation wins when audit-proof security matters most, and conference-pay IVR wins when minimal integration work matters most. We've put a side-by-side breakdown of the two we recommend on our DTMF masking vs channel separation page — worth a read if you're choosing between them.
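To make the two recommended methods concrete, here is a small Python model of the control described in "How an agent-assisted payment actually works" and in the DTMF masking and channel separation sections above. It is an added illustration, not Paytia's code and not a description of how the Paytia platform is built. It assumes a keypad layout of card number, expiry and CVV each terminated with '#', uses a Luhn check as a stand-in for whatever validation a real gateway performs, uses the well-known test number 4111 1111 1111 1111, and invents a "REF-" reference format. Speech is represented as text so the downstream legs can be inspected for leaked digits.

```python
# Constructed model of DTMF masking and channel separation at the network edge.
# Illustration only: no real SIP leg, telephony platform or gateway is involved.
from __future__ import annotations
import secrets

MASK_TONE = "<flat-tone>"    # replaces every keypress on the agent/recording leg
HOLD_MUSIC = "<hold-music>"  # channel separation: all the agent hears during entry
ENTRY_PROMPT = "<recorded prompt: please enter your card details>"

# Assumed keypad layout: PAN, expiry, CVV in that order, each ended with '#'.
FIELDS = ("pan", "expiry", "cvv")
FIELD_LENGTHS = {"pan": (16, 16), "expiry": (4, 4), "cvv": (3, 4)}


def luhn_ok(pan: str) -> bool:
    """Stand-in for gateway-side PAN validation; a mistyped digit fails here."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fake_gateway(fields: dict[str, str]) -> tuple[str, str]:
    """Constructed gateway stub: ("approved", reference) or ("declined", reason)."""
    for name, (lo, hi) in FIELD_LENGTHS.items():
        if not lo <= len(fields[name]) <= hi:
            return "declined", f"{name} has the wrong number of digits"
    if not luhn_ok(fields["pan"]):
        return "declined", "card number failed check digit"
    # Hypothetical reference format; it carries nothing derived from the card.
    return "approved", "REF-" + secrets.token_hex(4).upper()


class SecureBridge:
    """Sits between the customer leg and the agent leg, upstream of the agent."""

    def __init__(self, amount: str, mode: str = "dtmf_masking") -> None:
        self.mode = mode  # "dtmf_masking" or "channel_separation"
        # Everything the agent may see: amount, digit counts, status. Never digits.
        self.panel = {"amount": amount, "status": "awaiting card entry",
                      "counts": {f: 0 for f in FIELDS}, "reference": None, "decline_reason": None}
        self.to_agent: list[str] = []     # what the headset and the recorder get
        self.to_customer: list[str] = []  # what the customer hears
        self.capturing = True             # the agent has pressed "Take payment"
        self._fields = {f: "" for f in FIELDS}
        self._current = 0
        if mode == "channel_separation":
            self.to_customer.append(ENTRY_PROMPT)

    def handle(self, frame: tuple[str, str, str]) -> None:
        """Route one (source, kind, payload) frame; source is "customer" or
        "agent", kind is "speech" (text stands in for audio) or "dtmf" (one key)."""
        source, kind, payload = frame
        if source == "agent":
            # Channel separation: no path to the customer mid-entry, so the agent
            # cannot ask for the card to be read aloud.
            if not (self.capturing and self.mode == "channel_separation"):
                self.to_customer.append(payload)
            return
        if not self.capturing:            # capture finished: ordinary call again
            self.to_agent.append(payload)
            return
        if kind == "dtmf":
            self._capture(payload)        # decoded here; the digit goes no further
            payload = MASK_TONE
        if self.mode == "channel_separation":
            payload = HOLD_MUSIC          # customer audio never reaches the agent
        self.to_agent.append(payload)

    def _capture(self, key: str) -> None:
        if key.isdigit():
            name = FIELDS[self._current]
            self._fields[name] += key
            self.panel["counts"][name] = len(self._fields[name])  # count only
        elif key == "#":
            self._current += 1
            if self._current == len(FIELDS):  # all three fields keyed: submit
                self.capturing = False
                self.panel["status"] = "processing"
                outcome, detail = fake_gateway(self._fields)
                self._fields = {f: "" for f in FIELDS}  # raw digits discarded
                self.panel["status"] = outcome
                self.panel["reference" if outcome == "approved" else "decline_reason"] = detail


def run_call(mode: str, pan: str) -> SecureBridge:
    """Replay a constructed call (4111 1111 1111 1111 is a well-known test PAN)."""
    def keypad(keys: str) -> list[tuple[str, str, str]]:
        return [("customer", "dtmf", k) for k in keys]
    bridge = SecureBridge(amount="40.00", mode=mode)
    call = ([("agent", "speech", "that's forty pounds, key the long number then hash")]
            + keypad(pan + "#")
            + [("customer", "speech", "was that the long number or the security one?"),
               ("agent", "speech", "the long number, you're fine")]
            + keypad("1229#") + keypad("123#")
            + [("customer", "speech", "did that go through?")])
    for frame in call:
        bridge.handle(frame)
    return bridge


def stream_contains_digits(stream: list[str]) -> bool:
    return any(ch.isdigit() for item in stream for ch in item)
```

Running `run_call("dtmf_masking", "4111111111111111")` leaves the agent leg carrying the customer's mid-entry question plus 26 flat tones and no digits, while the panel shows only 16/4/3 counts and "approved"; the same call in "channel_separation" mode gives the agent nothing but hold music until the gateway responds and drops the agent's own prompts to the customer entirely. A mistyped last digit turns the panel to "declined" with a reason, and still nothing decodable reaches the headset or the recording.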

What this does to your PCI DSS scope

A contact centre that takes phone payments without protection sits inside the full PCI DSS cardholder data environment. Agents hear the numbers, so the audio channel is in scope. Recordings capture the tones, so the recording platform is in scope. Agents type the numbers into a form, so the workstation, the network, the CRM, and anything downstream is in scope. The self-assessment is SAQ D — 329 controls covering network security, access management, encryption, vulnerability scans, key management, logging, and the rest. It's the biggest tier the PCI Council publishes, and it's designed for environments that actively store, process, or transmit card data.

Agent-assisted with DTMF masking, running through a PCI DSS Level 1 provider, typically drops the self-assessment to SAQ A — 22 controls. That's a 93% reduction in requirement count, and the remaining controls are mostly about documenting your relationship with us rather than running infrastructure. Your call recordings come out card-data free, so you can review and archive them without redaction. Your agents drop out of mandatory annual PCI training. Your network drops out of the cardholder data environment. Your QSA conversation moves from "walk me through every control" to "here's the Attestation of Compliance from your service provider".

The cost side follows the control count. Contact centres we work with typically report a 75% reduction in ongoing PCI spend — that's staff time on compliance work, quarterly ASV scans, annual penetration tests, QSA fees, remediation, and training, combined. The bigger benefit is one nobody puts on a spreadsheet: phone payments stop being a board-level audit risk. The blast radius of a single agent mistake collapses from "reportable data incident" to "the customer tried a wrong digit".

PCI DSS 4.0, mandatory since March 2025, tightens the scoping rules — you have to actively demonstrate that systems are out of scope, not just assume they are. That makes agent-assisted more valuable, not less. You can point at the network diagram, point at our Attestation of Compliance, and show the QSA exactly why the card data never enters your environment. Pause-and-resume can't tell that story cleanly, because the audio still touches the agent. Agent-assisted can.

PCI DSS Level 1 Service Provider certification

PCI DSS Level 1

Our scope becomes yours the moment your card data takes our route. The work, the audit, and the evidence sit with us.

Area              Without Paytia                          With Paytia
Self-assessment   SAQ D (329 controls)                    SAQ A (22 controls)
Network in scope  Most of your stack                      None
Call recordings   Redact, pause-and-resume, or isolate    Card-data free
Agent training    Mandatory and recurring                 None required
Audit evidence    Every touchpoint                        Proof of integration only

Real outcomes from contact centres running this

Compliance is what gets contact centres into the conversation. The numbers we hear back six months later are usually different — handle times, throughput, hours of admin recovered, staff working from home without dropping the PCI story.

Warby Parker brought us in to fix the PCI picture on their phone order line. The side effect was a 35% reduction in average call handling time once their reps stopped cycling through the old pause-read-type-confirm loop on every call. Their customers entered their own details on the keypad while the rep stayed on the line, and the time savings landed inside the first month.

Total Tiles moved to us when COVID broke their in-office phone-order workflow. Within a week of go-live, daily order throughput went from 25-30 to 45-50 — an 80% lift. The payment step itself wasn't what unlocked the volume; removing it as the bottleneck on the rest of the order process was.

Insure and Go run a travel insurance call centre on Digi-desk by Citrus and needed agents to handle premiums, mid-term changes, and emergency claim payments without exposing card data — across both their office and home-working staff. We deployed a common capture service across all their agent locations. The result was a 75% reduction in PCI scope, a 40% lift in agent efficiency, and the same payment experience regardless of where the agent was working from.

All Clear Travel Insurance, the sister operation, got the same 75% scope reduction and layered our flexible licensing on top. They scale agent seats up and down based on active usage, which is worth roughly 45% during off-peak travel periods when their booking volumes drop and they don't need the same number of seats covered.

The pattern across all four is the same: scope shrinks, handle time drops, staff time comes back, and the customer experience improves rather than degrades. That's what agent-assisted looks like when it's working — and it's why we've never had a contact centre go back to the old way.

Where this fits in your stack

Most contact centres we talk to worry about integration before they worry about anything else, usually because they've been burned by enterprise software projects before. The honest answer is that agent-assisted payments don't need a platform migration. We plug into whatever telephony you're already using.

On the cloud side we integrate with Genesys, Five9, NICE CXone, Mitel CX, Aircall, 3CX, RingCentral, ContactOne, Amazon Connect, Talkdesk, and most other SIP-based contact centre platforms. For on-premise PBX — Avaya, Cisco, Mitel — we integrate at the SIP trunk so we don't need to touch your core telephony. For cloud contact-centre suites that already ship native payment-capture integrations, we slot alongside their workflow rather than replacing it. If you're on something unusual we'll tell you honestly on the discovery call whether the integration is straightforward.

On the gateway side we work with the UK's major acquirers and processors — Worldpay, Barclaycard, Stripe, Adyen, Trust Payments, Opayo, Global Payments, and a long list of others. We tokenise the card on first capture so the same flow supports one-off payments, recurring billing, instalments, and follow-up charges without re-prompting the customer. Refunds run through the same Paytia terminal so your agents never need to log into a gateway dashboard separately.

On the agent side, nothing visible changes except a new button. The Paytia console is browser-based and works on whatever the agent already uses — Windows, macOS, Chromebook, thin client, it doesn't matter. The softphone stays the same. The CRM stays the same. We embed the capture into Salesforce, HubSpot, Zoho, Microsoft Dynamics, Zendesk, Freshdesk, and most sector-specific systems (claims, booking, property management). Training is twenty to thirty minutes per agent. Most of that is showing them the new button — the payment flow itself is simpler than what they were doing before.

From kickoff to live, simple deployments take a day to a week. Multi-site or multi-country deployments take two to four weeks. We've never had one take longer than six, and on the longer ones the lift is procurement and change management rather than technical integration. We work with your operations lead for an hour to understand the call flow, provision the platform, run a parallel test for a day or two, and flip traffic over. For a deeper look at the picture across a contact centre, our guide to secure payments in contact centres covers the operational side. Book a demo and we'll run it against the same phone system and gateway you already use.

Frequently asked questions

What is an agent-assisted payment?

An agent-assisted payment is a card payment taken during a live phone call, with the agent on the line the whole time, but where the agent never sees or hears the card number. The customer keys their card on their own phone keypad, the keypad tones are masked before they reach the agent's audio or your call recording, and the card goes straight to your payment gateway. The agent stays in the conversation — they can answer questions, confirm the amount, cross-sell, close the deal — but they're never the route the card data takes.

How is agent-assisted different from IVR?

IVR (Interactive Voice Response) is fully automated — the customer calls a number, a recorded voice walks them through, no human involved. That's fine for routine, low-value, high-volume payments, but it's a poor fit anywhere the customer needs help or the call has commercial substance. Agent-assisted keeps the human in the loop. Your agent stays on the call through the payment step, which means they can handle anything unusual — a wrong digit, a confused customer, a follow-up question, an upsell — without the call going cold. Same PCI protection either way; different conversation.

Why not just have the agent take the card number down?

Because that puts you in full PCI DSS scope — SAQ D, 329 controls, annual QSA audit, mandatory staff training, secure rooms, paper shredding, the works. It also puts the card data in your call recording, your agent's ear, your CRM notes, sometimes a Post-it. Any one of those becoming compromised is a reportable incident. Agent-assisted with DTMF masking removes every one of those touchpoints while keeping the agent where they're useful — on the call.

Does the agent know if the payment was successful?

Yes — immediately. A status panel in the agent dashboard shows the capture progressing in real time (digits entered, awaiting gateway, approved or declined), and the agent gets a clear approved/declined signal the moment the gateway responds. They can immediately pick the conversation back up — confirm the reference number, send the receipt, schedule the next payment, whatever the next step is.

Which phone systems does this work with?

Anything modern — traditional PBX, SIP trunks, and major CCaaS platforms. We integrate at the SIP or API layer and don't need on-premise hardware on your side. Most deployments are live within a week of a first call; the complex work is on our side, not yours.

What do agents need to learn?

Almost nothing. The agent sees a button in whatever dashboard they already use — a CRM, a bespoke tool, the browser-based Paytia console. They click it, enter the amount, and tell the customer to key their card. Everything else runs on its own. No scripts to memorise, no new software to master, no handoff to a payment team. The payment step becomes the same shape of task as asking for a postcode.

Does it work for MOTO payments?

Yes. Agent-assisted payments with DTMF masking are built for card-not-present telephone orders — which is what MOTO is. We tokenise the card on first capture so the same flow supports one-off payments, recurring billing, instalments, and follow-up charges. See our MOTO payments page for the broader card-not-present picture.

The Paytia solution provides our customers with a convenient and secure way to make payments. It enables us to keep card data out of our environment and off our systems altogether.

CAS

Read the case study →

Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College

Since 2016 · Building secure payments
PCI DSS Level 1 · Highest certification
99.99% · Platform uptime
£40M+ · Transactions processed

Keep the agent. Lose the card data.

We'll demo it against the same phone system and gateway you already use. Most businesses are taking live agent-assisted payments within a week.

PCI DSS Level 1 · Cyber Essentials Plus

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia
