PCI DSS Level 1 Certified

MOTO Payments Secure card-not-present payments without the PCI scope

A MOTO payment (Mail Order Telephone Order) is a card transaction where the customer isn't physically with you and their card isn't either — typically by phone, email, or social-channel chat. The card schemes classify it as card-not-present, which means higher interchange and full chargeback liability for the merchant. Paytia handles the card capture so the number never reaches your agents or your systems, and your PCI scope drops from SAQ D (329 controls) to SAQ A (22). Works with your existing merchant account. Lives within our PCI DSS Level 1 environment.
Book a demoBook a demoTalk to us

TL;DR

MOTO payments are card transactions taken by phone, email, or chat — Mail Order / Telephone Order — and they're the riskiest card channel you can run because there's no chip-and-PIN, no 3DS2 by default, and chargeback liability sits with you. The fix is to keep card data off your agents and your recordings entirely: PCI DSS Level 1 capture, DTMF masking, tokenisation. That's how MOTO payments drop from PCI SAQ D (329 controls) to SAQ A (22), and how Pinnacle Group cut 95% of their PCI scope without changing acquirer.

Last updated: 29 May 2026

What a MOTO payment actually is

MOTO stands for Mail Order / Telephone Order. It's a card-not-presenttransaction where the customer gives you their card details over the phone, by email, or through a social-channel chat — neither the card nor the cardholder is anywhere near you. The term's a hangover from the catalogue-sales era, but the card schemes still use it and so do your acquirer, your processor, and your auditor.

It's different to in-person and online in a couple of ways that matter. There's no chip-and-PIN, no contactless tap, no signature — none of the friction that protects a card-present sale. And unlike online, there's no straightforward way to slot a 3DS2 step into the flow, because the customer is on a phone call rather than a checkout page. The card scheme sees the transaction as higher risk than either of the alternatives, prices it accordingly, and pushes the chargeback liability onto you.

Plenty of businesses still rely on it. Charities taking phone donations from older supporters. Housing associations collecting rent. B2B trade desks closing wholesale orders. Insurance and pensions renewals. Mail-order pharmacies. Medical billing. Solicitors and accountants invoicing by phone. Any business with a customer base that prefers a phone call to a website checkout — which, in 2026, is still most of them — runs a MOTO channel whether they call it that or not.

We've been building PCI-compliant phone payment systems since 2016 and MOTO is the workflow we know best. The rest of this page covers what makes it the riskiest card channel you can run, what compliance actually demands, and how to handle the call so your agent stays on the line and the card data doesn't reach your systems. If you'd rather skip to a demo, we'll show you the flow on a real call.

Why MOTO is the riskiest card-payment channel you run

Card-not-present fraud is the single largest category of card fraud loss in the UK, and MOTO sits at the sharper end of CNP. Online checkouts have 3DS2, device fingerprinting, browser signals, and a liability shift to lean on. Card-present has chip-and-PIN and the customer standing in front of you. MOTO has none of that — just a voice on a phone reading sixteen digits — which is why the card schemes price MOTO interchange roughly 0.1–0.3% above card-present and why your acquirer treats every dispute as your problem.

The fraud patterns we see most often on MOTO calls fall into four shapes. The first is the classic stolen-card delivery scam: a fraudster calls with card details they bought on the dark web, places an order, ships it to a drop address. By the time the genuine cardholder spots the transaction and files a chargeback, the goods are gone. The second is friendly fraud — a real customer places a real order, takes delivery, then disputes the charge with their bank and claims they never made the call. Without 3DS2's liability shift to fall back on, you absorb the loss almost every time.

The third pattern is card testing. Someone uses your phone line to check whether a stolen card number is live by running a small, low-value transaction. If it goes through, they move on to bigger purchases somewhere else. You're left with a string of one-pound and two-pound chargebacks that look trivial in isolation but pile up fast enough to push your chargeback ratio above the threshold your processor is allowed to tolerate. The fourth pattern is refund fraud: a caller places an order, rings back claiming a problem, and asks for the refund to land on a different card. Without a strict policy that returns money to the original method only, you can lose on both ends.

All of that is external attackers. The risk that businesses least want to think about is internal. If your agents can see or hear full card details — and on a traditional MOTO call they have to, otherwise they can't type them into the virtual terminal — a single dishonest hire can pocket dozens of card numbers in a shift. Stolen card data often surfaces months later, sold in batches, by which point tracing it back to your contact centre is nearly impossible. The hidden agent-exposure riskon a normal MOTO setup is the one we hear about most after the fact, usually from the compliance officer who's just spotted it on an audit.

Then there's everything that captures card data accidentally. Call recordings are the worst offender — most contact centres record for QA, training, and compliance, and most of them haven't worked out that every recording capturing a customer reading sixteen digits is now cardholder data. The recordings have to be encrypted, access-controlled, and retention-managed at the same level as a primary card database, because under PCI DSS that's what they are. Same goes for any paper order form sitting on a desk with a PANon it, any email a customer ever sent with their card number in it, any CRM note where an agent typed the digits into a free-text field. Email is the quiet one — it isn't encrypted by default, it sits in inboxes for years, and it gets backed up to systems nobody's ever included in their PCI scope assessment.

Attackers know all of this. The MOTO playbook isn't exotic. It's social-engineering customer service to read a card back so they can be sure they've got it right. It's phishing the recordings system. It's pretexting a refund. It's walking out with a clipboard. The reason MOTO fraud rates run higher than any other card channel isn't that the criminals are cleverer here — it's that the surface area you're defending is genuinely bigger, and most of it sits inside your own four walls.

What PCI DSS, SCA, and GDPR actually require for MOTO

Every MOTO transaction is in PCI DSS scope. There's no minimum-volume carve-out, no exemption for low-risk merchants, no allowance for "we only do a handful of phone payments." If you take card details by phone, the standard applies to you, and which Self-Assessment Questionnaire you have to complete depends entirely on how the card data is handled.

If your agents key the card number themselves into a virtual terminal — the traditional MOTO setup — you're on SAQ D. Around 329 controls, annual evidence, the heaviest reporting tier short of a full Report on Compliance. Your agent workstation, your call recordings, your CRM, your network, and any paper forms all sit inside the cardholder data environment, and every one of those becomes something you have to document and audit. If you route the capture through a PCI-certified provider so card data never reaches you — DTMF masking, channel separation, agent-assisted — you drop to SAQ A, which is around 22 controls. PCI DSS v4.0.1 sharpened the language on this further: any system component that can affect the security of cardholder data is in scope, so a recording system that captures DTMF tones counts even if it never stores the digits as text.

Strong Customer Authentication under PSD2 is the rule for online card payments in the UK and EU — two factors, every time, with a handful of exemptions. MOTO is one of the exemptions, but it's not a free pass. Acquirers expect you to flag the transaction with the correct MOTO indicator when you submit it, run additional fraud screening to compensate for the missing authentication step, and keep your PSD2documentation up to date. The exemption exists because there's no realistic way to make a customer scan a fingerprint or approve a push notification while they're mid-call. It doesn't exist because MOTO is low risk; it exists because the protocol won't fit.

Where 3DS2can be brought in — typically when the customer has a mobile to hand during the call and can approve a step-up on their banking app — using it gives you the liability shift you'd otherwise be missing. We apply 3DS2 wherever it's available and fall back to fraud-screening rules where it isn't, so the transactions most likely to dispute later get extra scrutiny up front.

GDPRsits over the top of all of this. Card details are personal data, the lawful basis for processing is contract performance, and the principles of data minimisation and storage limitation apply directly to your call recordings. The cleanest answer is to not store card numbers in the first place — no card data in your environment means no retention question, no subject access request that includes a PAN, no breach-notification trigger when a backup tape goes missing. The second cleanest answer is to pause recordings during the payment portion of the call, which most contact-centre platforms support but many haven't configured.

MOTO and PCI DSS scope

A MOTO call without protection is a PCI nightmare. With us, it's an SAQ A line item.

PCI DSS Level 1 Service Provider certification

PCI DSS Level 1

We carry the highest level of PCI certification. Plug us in and your scope drops the moment the card data stops reaching you.

A typical unprotected MOTO call puts your call recording, your agent's desktop, your CRM notes, and any paper forms in PCI scope. Every one of those becomes a control you have to document, audit, and staff. With Paytia, card data never reaches any of them. Your SAQ shortens from 329 controls to 22. Your recording system drops out of scope entirely because there's no card data in the audio to protect.

AreaWithout PaytiaWith Paytia
Self-assessmentSAQ D (329 controls)SAQ A (22 controls)
Call recordingsContain card data — redact or pauseCard-data free
Agent workstationIn scope, full lockdownOut of scope
Annual auditFull QSA assessmentEvidence of integration only

How to take MOTO payments without absorbing the risk

The principle is simple: if the card number never reaches your environment, almost none of the risk reaches it either. Your agents can't leak data they never had, your recordings can't capture tones they never received, your CRM can't store digits nobody typed into it, and your auditor has 22 controls to check instead of 329. The whole modern MOTO stack is built around getting card capture out of the parts of your business where it doesn't belong.

On the phone leg, the right answer for almost every contact centre is DTMF masking. The customer types their card on their own phone keypad. Each tone is intercepted and replaced with a flat sound before it reaches your agent or your recording system. The agent stays on the call the whole time, talks the customer through it, and confirms the result when authorisation comes back. From the customer's side it feels like any normal phone payment. From your auditor's side, the audio has no card data in it.

Channel separation takes the same idea a step further on calls where the agent shouldn't be in the room with the digits at all. The card capture happens on a separate audio path that bypasses the agent's line entirely. Useful for higher-value transactions, regulated industries, and anywhere the threat model includes the agent themselves. Agent-assisted sits between the two — the agent keeps the call going, the customer keys the card, and the agent sees only a masked progress indicator on screen.

For mail-order and email-order workflows, the answer is to stop accepting card details in writing at all. We send the customer a secure payment link by SMS or email; they tap through to a hosted payment page in our PCI environment, type the card themselves, and the confirmation lands back in your system as a token plus an authorisation code. The order form on your end never sees a card number. The same flow handles refunds, top-ups, and ad-hoc payment requests without you ever opening an email that contains a PAN.

Where the card goes once we've captured it depends on what you already have. We pass the authorisation request straight to your existing acquirer — Barclaycard, Worldpay, Tyl, Elavon, Adyen, whichever — so your pricing, your settlement, and your reporting don't move. What does move is what gets stored where. We tokenisethe card inside our vault and return a token your systems can use for refunds, repeat charges, or anything else you need to do with that customer later. The real PAN never leaves our environment. The agent never sees it. The recording never hears it. The CRM never stores it. That's what good looks like for a 2026 MOTO operation.

Who's actually running MOTO payments in 2026

A lot of people assume MOTO is a fading channel because online checkout exists. It isn't. The businesses we onboard every month tell the same story: the phone channel is growing, not shrinking, and it's doing so in the verticals where customer trust matters more than checkout convenience. The B2B trade desk taking a £40,000 order doesn't want a payment link bounced through three approval emails — they want to confirm the deal on the call. The 78-year-old donor giving £200 to their local hospice charity isn't opening a checkout page on their laptop; they're reading their card to a volunteer over the phone. The mail-order pharmacy serving rural pensioners gets card details on the back of an order form. All of that is MOTO, all of it is in PCI scope, and very little of it is being handled the way the card schemes expect.

The verticals where MOTO is the dominant card channel haven't really shifted in a decade. Charities and not-for-profits run phone-donation campaigns through the autumn fundraising window — Macmillan, the British Heart Foundation, smaller regional charities, all of them. Housing associations and local-authority rent collection still happens by phone for tenants who don't bank online. Insurance brokers take card payments mid-call for renewals and adjustments because the customer's already on the line about something else. B2B wholesale trade desks close orders by phone because the price and quantity are being negotiated live. Travel agents — independent ones, not the OTAs — book ferries, cruises, and group trips with card details given verbally. Mail-order pharmacies, medical billing, solicitors invoicing clients, accountants taking advance fees, utility companies handling supply-disconnect payments. Every one of these runs a MOTO channel whether they call it that or not.

Pinnacle Groupis the example we point most prospects at. They're a UK facilities-management business with a multi-site contact centre taking card payments for housing-association rent, social-care contributions, and various local-authority schemes. Before they came to us they were taking MOTO calls on a traditional setup — agents typing card numbers into a virtual terminal while the call was being recorded for QA. Every recording was effectively a PCI asset, the whole agent estate was in scope, and their PCI auditor was charging accordingly. We took the card capture off the agents using DTMF masking, dropped them from SAQ D to SAQ A, and removed 95% of their PCI scope at a stroke. The recordings became card-data-free, the agent workstations dropped out of scope, and the auditor's evidence pack shrank to a fraction of what it had been. None of their callers noticed any change to the experience.

The point isn't that Pinnacle's setup was unusually risky — it's that almost every MOTO operation we see for the first time looks like that. The auditor knows it's a problem, the compliance officer knows it's a problem, the head of contact centre knows it's a problem, and nobody's had the budget or the platform choice to fix it. The reason the SAQ A picture exists is because the card schemes designed an explicit off-ramp for businesses that route capture through a certified provider. Most MOTO merchants haven't taken it yet. We exist to make that off-ramp the obvious choice.

Call recordings: the quiet PCI problem nobody planned for

Almost every contact centre records calls. It's a regulatory expectation in financial services, a quality-assurance baseline in customer service, and a sales-training tool in B2B. Most teams set up their recording platform years before they thought of MOTO payments as a PCI issue, and the two systems have never really been reconciled. The result is that the recording platform — which lives in someone else's remit, usually IT or operations — has been quietly capturing cardholder data on every payment call for years.

Under PCI DSS, a recording that contains an audible PAN — or even DTMF tones that encode one — is cardholder data. That makes the recording platform part of your cardholder data environment, which makes the storage encryption, access controls, retention policies, backup tapes, disaster-recovery copies, and audit logs all in scope for assessment. PCI DSS v4.0.1 sharpened the language around "system components that can affect the security of cardholder data" specifically to close the loophole some operators were using to argue that recordings of digits-as-tones somehow didn't count. They do. The standard is explicit.

There are three ways out of the problem. The first is to pause recording during the payment portion of the call — most CCaaS platforms support this through a "pause/resume" API hook, but the operational discipline to use it reliably across hundreds of agents is brittle. One forgetful agent, one mis-configured campaign, one workflow change that drops the pause event, and you're back in scope without realising. The second is to redact the cardholder data after the fact using a recording-scrubbing tool. This works but it's an arms race against false negatives, and the unredacted version still has to live somewhere until the scrubber runs.

The third — the one we recommend — is to remove the card data from the audio path at source. With DTMF masking applied on the phone leg, the tones that reach your recording system are flat: the customer's keypad presses are intercepted and replaced before they touch your network. There's nothing to redact, nothing to pause, nothing to scrub, because there was never cardholder data in the recording to begin with. The recording platform stays exactly where it is in your stack, runs the way it always did, and just drops out of PCI scope because the data it captures no longer includes a card number. That's the cleanest outcome and it's why DTMF masking is the foundation of every modern MOTO architecture.

MOTO vs IVR: which one do you actually want?

People often use "MOTO payments" and "IVR payments" interchangeably and they shouldn't. MOTO is the umbrella; IVR is one type of MOTO. The choice between them isn't about risk — both can be made fully PCI compliant — it's about what kind of conversation you want with the customer at the moment of payment.

IVR paymentsare fully automated. The customer dials a number — typically a dedicated payment line — and a recorded voice walks them through entering their reference, their amount, and their card details. No agent is involved at any point. IVR works brilliantly for high-volume, low-touch payment flows: utility bill collection, recurring rent payments, fixed-price renewals, anywhere the conversation has nothing left to add. The customer doesn't want a chat; they want to pay and get on with their day. IVR is cheaper per transaction because the agent time disappears entirely.

Agent-assisted MOTO is what most of our customers run. The agent stays on the call from the first hello to the goodbye, the customer types their card on their own keypad with DTMF masking applied, and the agent confirms the result when authorisation lands. Agent-assisted is the right choice whenever the payment is part of a larger conversation — answering questions, handling objections, upselling, dealing with disputes, collecting card details mid-troubleshoot. The customer doesn't get hung up on, transferred, or dropped into a phone tree at the moment they've decided to pay; the agent walks them through it without ever hearing the digits.

The two aren't mutually exclusive. Plenty of our larger customers run both: agent-assisted on their main contact-centre line, IVR on a dedicated payment line for callers who already know what they want to pay. The PCI architecture is the same in both cases — capture happens in our environment, the card data never reaches your systems, your scope sits at SAQ A. The only thing that changes is whether there's a human voice on the call.

Where MOTO fits in your stack

MOTO sits on top of whatever phone system you already run. We don't replace your telephony, your CCaaS platform, your PBX, or your agent desktop. If you're on a traditional ISDN line into an on-prem switch, we hook in. If you're on a cloud contact centre — Genesys, Talkdesk, 8x8, RingCentral, Five9 in the UK, NICE, whatever — we hook in. The integration is at the call-leg level for DTMF masking, or via API for the secure-link and agent-assisted flows, so you don't have to rip anything out to get the scope reduction.

The gateway side is the same story. We route authorisation requests to your existing acquirer or processor — UK clearing banks, the usual independents, Adyen, Worldpay, the lot. You keep your merchant ID, your pricing, your settlement schedule, your existing reporting. The only thing that changes is that the PAN comes from our vault rather than from your CRM. Multi-currency works the way it already does in your gateway; we don't add anything on top.

A handful of edge cases come up often enough to call out. International cards work the way they always have, except the customer keys their CVV directly so it can't go astray in transit. Refunds run through the original payment method via the token, so you stay on the right side of the card schemes' refund-fraud rules without having to remember which card the original charge landed on. Recurring MOTO — subscription renewals, instalment plans, pay-as-you-go top-ups — uses the token from the first call for every charge after that, so the customer reads their card once and never again.

Most customers are live within a week. Agents don't need training because there's nothing for them to learn — the call flow looks the same to them, just with a "Take payment" button that doesn't ask them to read digits back. If you want to see the whole thing on a real call, we'll walk you through it, or you can tell us what your stack looks likeand we'll work out the shape of the integration before you commit to anything.

What changes for your team after you go live

We're going to be straightforward about this: from the customer's perspective, almost nothing changes. They ring the same number, talk to the same agent, hear the same hold music, and at the point of payment they're asked to type their card into their handset instead of reading it out loud. Some customers don't even notice the difference because they were already typing it (mobile callers using the keypad are common). The few who do notice tend to say something like "oh, that's clever" and the call continues.

From the agent's perspective, the change is small but useful. They no longer have to read the card number back to the customer to confirm it (because they don't see it), they no longer have to worry about background noise on the recording capturing digits, and they no longer have a virtual-terminal screen to fumble with mid-conversation. The "Take payment" button in their workflow does the rest. Agents who've worked in PCI-conscious contact centres usually appreciate not being a single point of audit failure anymore.

For the compliance officer and the auditor, the change is dramatic. Annual evidence collection shrinks from a months-long exercise covering hundreds of controls across the contact-centre estate to a focused check on the integration with us. Your CNPtransaction reporting becomes simpler because the merchant identifier and acquirer relationships don't change — only the capture layer does. Penetration tests that used to cover the agent workstation network can be scoped down. Staff PCI training, while still required, can focus on customer-facing behaviour rather than card-handling because there's no card handling left to train on. We publish a Section 12.8 service-provider responsibility matrix that drops straight into your auditor's evidence pack — the part that explains which controls Paytia owns and which controls you still need to demonstrate.

On the cost side, the maths usually works out favourably. The Paytia subscription is offset by the reduction in QSA assessment time, the smaller scope of your annual penetration test, the simpler agent estate (you don't need a hardened, isolated, secure-room environment for staff who never see card data), and — for businesses that have ever had a near-miss with a breach — the dramatic reduction in your potential exposure. We have customers who've eliminated 80%+ of their PCI compliance line items in their internal cost models. For anyone running a PCI-compliant call centreat scale, that's the kind of number that justifies the project on its own.

What MOTO payments with Paytia won't solve

We're honest about this because it saves everybody time. Removing card capture from your agents fixes the PCI scope problem and the agent-exposure problem, and it materially reduces your call-recording problem. It does not, by itself, fix every fraud problem you have on MOTO, and it doesn't make the chargeback liability go away.

Friendly fraud — a real customer disputing a real transaction — still happens, and on MOTO you still don't have the 3DS2 liability shift to fall back on for most calls. We can apply 3DS2 where the customer has a mobile to hand mid-call, which helps, but it's not always available. The right answer for friendly-fraud resilience is good operational discipline: clear order confirmations, sensible refund policies, recorded customer authorisation of the order details (which is now safe to record, because the digits aren't in the recording), and a chargeback-response workflow that gets representment evidence in front of your acquirer within the deadline.

We're not a fraud-screening platform either. We pass transactions to your acquirer for authorisation and your acquirer's fraud rules apply. If you're seeing higher-than-expected fraud rates, the answer is usually some combination of velocity rules at your acquirer, BIN-block lists for known-bad ranges, and CVV/AVS checks in your authorisation flow — not anything Paytia does. We'll point you in the right direction during onboarding but we don't replace a dedicated fraud-screening layer if you genuinely need one.

And we won't make your PCI DSS complianceobligations disappear. You'll still complete an SAQ each year, you'll still need staff training, you'll still need network security on the systems we don't take out of scope, and you'll still need a security incident response plan. The scope is just dramatically smaller and the evidence is dramatically easier to collect. That's a big difference but it isn't the same as "we make PCI go away" — anyone who tells you they can do that on a MOTO operation is selling you something that doesn't exist.

The MOTO mistakes we see most often

After nearly a decade of onboarding MOTO operators, a handful of mistakes show up over and over. The first is treating MOTO payments as a side channel that doesn't need the same compliance investment as the main e-commerce checkout. It does — usually more, because the controls have to compensate for the missing 3DS2 layer and the human-in-the-loop risk that online checkout doesn't have. The MOTO line is rarely the highest-volume revenue stream, so it gets less attention from product and compliance teams; that's exactly why it ends up being the unaddressed liability when an audit lands.

The second is assuming pause-and-resume on call recording is enough. It isn't. Operationally it depends on every agent remembering to trigger the pause, the pause API firing reliably across every campaign, and the recording platform actually honouring it on every leg of a transferred call. We've audited operations where the pause worked 94% of the time — which sounds high until you realise that means 6% of payment calls still have card data in the recording, and you can't tell which 6% without going through every call. The card schemes don't grade on a curve.

The third is relying on agent training as the primary control. PCI training is necessary but it's not sufficient. A trained agent who reads a card number aloud, types it into a free-text CRM field, writes it on a Post-it, or repeats it back over a recorded line has put you in breach even if they meant well. The card schemes designed the SAQ A off-ramp because they know human controls fail at the rate humans fail at — which is high enough that the standard explicitly recommends taking the human out of the data path. That's what we do, and it's why every conversation we have with a serious MOTO operator ends in the same place.

Frequently asked questions

What is a MOTO payment?

A MOTO payment is a card transaction where the cardholder isn't physically with you and their card isn't either. MOTO stands for Mail Order / Telephone Order — the original category the card schemes used for catalogue orders, phone sales, and invoice payments. Today it covers anything where the customer reads or keys their card details across a phone line, an email, a social-channel chat, or a written order form. The card schemes treat MOTO payments as card-not-present (CNP), which means higher interchange rates and full chargeback liability for you.

Are MOTO payments PCI compliant?

MOTO payments can be PCI compliant, but the default setup almost never is. The moment an agent hears, types, or writes down a card number — or a call recording captures DTMF tones with the digits embedded — you're in full PCI DSS SAQ D scope with 329 controls to evidence every year. To make MOTO genuinely PCI compliant, you need to route the card capture through a PCI DSS Level 1 certified provider so the digits never touch your agents, your recordings, your CRM, or your network. That's how you get to SAQ A with 22 controls.

How does MOTO differ from CNP?

CNP — card-not-present — is the umbrella term the card schemes use for any transaction where the physical card isn't being read by your terminal. MOTO is one specific channel inside CNP. The other big CNP channel is e-commerce (online checkout). The difference matters for two reasons: e-commerce has 3DS2 and the liability shift that comes with it; MOTO doesn't, except in the narrow cases where the customer has a mobile handy mid-call. And the merchant category code your acquirer assigns is different, which changes your interchange fee and your fraud-screening rules.

What's the highest-risk part of a MOTO payment?

The agent. Every other risk in MOTO — call-recording exposure, CRM notes, paper forms, email attachments — can be solved with technology. Agent exposure is the one that can't, because as long as your staff can hear or see full card details, a single dishonest hire can walk off with dozens of PANs in a shift. That's why the strongest MOTO architectures keep the card capture entirely off the agent's audio path and screen. DTMF masking handles the audio side; channel separation handles the screen side; together they remove the agent from the threat model.

Do I need SAQ A for MOTO payments?

SAQ A is the lightest PCI self-assessment questionnaire and it's the one you should be aiming for if you take MOTO payments. To qualify, you have to outsource all storage, processing, and transmission of cardholder data to a PCI DSS validated third party — meaning the card digits never touch your systems. If your agents still type card numbers into a virtual terminal, you can't claim SAQ A; you're on SAQ D with the full 329-control burden. Plugging Paytia into your phone leg is what lets you legitimately claim SAQ A on your next audit.

Can MOTO be done over Zoom or Teams?

Yes — and it's increasingly common. Sales teams, B2B trade desks, and consulting firms close a lot of deals on Zoom or Teams calls where the customer wants to pay there and then. The PCI rules are identical to a phone-based MOTO call: as soon as someone reads card details into a video call, the recording, the platform, and anyone on the call are all in scope. The clean answer is the same as on the phone — send a secure payment link through chat during the call, the customer types the card on their own device, you stay in the meeting, and nothing card-related is captured in the recording.

What's the difference between MOTO and IVR payments?

IVR is one flavour of MOTO. A MOTO payment is any card-not-present transaction taken over a phone or written channel. An IVR payment is specifically a MOTO payment taken by an automated voice response system with no agent on the call. If you want the agent to stay on the call and help the customer through, that's agent-assisted MOTO with DTMF masking. If you want it fully automated, that's IVR. Both are MOTO, both use the same card schemes, both need the same PCI thinking — see our IVR payments page for the automated flow.

How does Paytia secure MOTO payments?

We sit between your phone system and your payment gateway. When the customer reads or keys their card, the digits are captured inside our PCI DSS Level 1 environment — DTMF tones are masked before they reach your agent or your recording, and the card number is passed straight to your existing acquirer for authorisation. We tokenise the card so you can use it for refunds, repeat charges, or recurring billing without ever storing the PAN yourself. Your agent stays on the call the whole time, your recording stays card-data-free, and your PCI scope drops from SAQ D to SAQ A.

What's the difference between MOTO and card-present payments?

Card-present means you've got the card and the cardholder in front of you — chip and PIN, contactless, swipe. MOTO means neither the card nor the cardholder is with you; the customer shares their details remotely. Interchange fees for MOTO run roughly 0.1–0.3% higher than card-present because card issuers see MOTO transactions as higher fraud risk, and chargeback liability sits with you rather than the customer's bank.

Can MOTO payments be recurring?

Yes, and they often are. We tokenise the card on the first transaction and use the token for every subsequent charge — subscriptions, payment plans, instalments, renewal invoices. The customer only reads or keys their details once. Every charge after that runs off a token that lives in our environment, not yours, so you can bill every month without storing a single card number.

Do I need a special merchant account for MOTO?

You need a merchant account set up for card-not-present transactions. Most UK acquirers (Barclaycard, Worldpay, Tyl by NatWest, Elavon, and others) offer MOTO as an add-on to a standard card-present account, sometimes as a separate MID. Pricing is usually a per-transaction uplift. We plug into any of them — you keep your existing acquirer, we handle the capture and tokenisation layer on top.

Does MOTO work with 3-D Secure?

Yes — 3DS2 works for MOTO where the customer has a mobile handy for the authentication step. Where they don't, MOTO falls back to non-authenticated CNP, which is why fraud screening and tokenisation matter more. Our platform applies 3DS2 when it can and flags high-risk transactions when it can't, so you're not flying blind on fraud.

Elavon recommended Paytia; we didn't look back. Here was a solution that finally ticked all our boxes — and met our bank client's substantial security and compliance controls. It's been a great success.

Paula Griffiths

Head of Regional Operations, ICE International Currency Exchange

Read the case study →

Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College

Since 2016

Building secure payments

PCI DSS Level 1

Highest certification

99.99%

Platform uptime

£400M+

Transactions processed

Ready to take MOTO payments without the PCI headache?

We'll walk you through how MOTO payments work on your existing phone system and gateway. Most customers are live within a week — your agents don't need training because there's nothing for them to learn.

PCI DSS Level 1
Cyber Essentials Plus
Book a demoTalk to us

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia

Related solutions

Other ways to take payments in this channel.

DTMF Masking

Also called DTMF suppression. The customer types their card on their phone keypad. We mask the tones in the live audio so the agent doesn't hear them and the recording stays clean.

Learn more

Agent-Assisted Payments

Your agent stays on the live call while the customer keys their card. We mask the tones so no card data reaches the recording or the agent's audio.

Learn more

Taking Card Payments Over the Phone

How to take card payments on a call legally, securely, and without landing in SAQ D. Covers agent-assisted, IVR, and outbound options.

Learn more