All three work with us. One is probably right for you.
Most UK businesses need to take a card payment over the phone at some point. A customer can't get to your website. They called to ask a question and decided to buy. You're chasing an overdue invoice. A donor wants to pledge on the spot. A patient needs to pay their excess. It's routine business — but the moment the card number leaves the customer's mouth and hits your ear, you've changed your compliance position.
PCI DSS treats any place card data touches as in scope. That includes your agent's headset, your telephony, your call recording, your CRM notes, and any paper the agent wrote on. An unprotected phone payment puts you in SAQ D — 329 controls, annual audits, mandatory training, documented evidence for every touchpoint. Most businesses taking a few phone payments a week shouldn't be running an SAQ D programme, and most don't realise they're meant to.
The fix isn't to stop taking phone payments. It's to stop the card data reaching you. That's what we do.
Pick the one that fits the call. All three drop you to SAQ A.
Your agent stays on the call. The customer keys their card on their own phone. We mask the tones so the agent hears nothing identifiable. Good for sales calls, collections, and anywhere the conversation needs to carry on.
Fully automated. The customer calls a number, hears recorded prompts, and keys their card. No agent needed. Good for utility bills, council tax, subscriptions — anywhere the customer just wants to pay and go.
You dial the customer — renewals, collections, chase — and take the payment on the same call. Same masking, same scope reduction, the other direction of call initiation.
The obvious way — customer reads the card number, agent types it into a payment terminal or CRM field — puts you in full PCI DSS scope. That's not a theoretical compliance issue. It means every call recording with a card number in it becomes a protected asset. It means the agent's desktop is in scope, so is the network it sits on, so is the building, so is every screen someone could glance at. It means your annual SAQ is 329 questions, not 22.
It also means the customer is reading a 16-digit card number, a 3-digit CVV, and an expiry date out loud — usually in an open-plan office, a café, a car, their front room with the kids around. That's uncomfortable for them and bad for your conversion rate. The most polite customers go quiet and ask to call back later; the less polite ones say no thank you and end the call.
Every workaround we've seen businesses build — pause-and-resume recording, post-call redaction, "secure" rooms, headset muting — solves one piece and leaves the others. It's cheaper, faster, and safer to not take the card data in the first place.
Same call, same customer, same payment. Different compliance position.
| Area | Card data reaches you | Card data bypasses you |
|---|---|---|
| PCI SAQ | SAQ D — 329 controls | SAQ A — 22 controls |
| Call recording | In scope, redact every call | Card-data free, no changes |
| Agent workstation | Hardened desktop, locked build | Standard company laptop |
| Staff training | Annual mandatory PCI training | None required |
| Paper forms | Locked, tracked, shredded | Not needed |
| Annual audit | QSA-led, multi-day | Integration evidence only |
| Breach exposure | Every recording is a risk | Nothing sensitive to lose |
If you take phone payments more than occasionally, you're probably on this list.
Phone orders alongside your website. Customer couldn't check out online, rang the number, wants to pay. Sorted in a minute.
Wholesale orders, deposits, pro-formas paid by phone. The sales team closes the call and the payment in the same conversation.
Legal, accounting, consulting — invoices paid by phone after a service call. No more reading card numbers back to verify.
Co-pays, excess payments, treatment-plan instalments. Agent-assisted keeps the human in the loop through the payment.
High-volume routine bill payments. IVR handles the simple ones; agent-assisted handles the calls that need a person.
Donor pledges, recurring gifts, subscription renewals. Donors don't read their card to a volunteer on a landline.
Yes. It's legal, it's common, and most UK businesses need to do it at some point. The card schemes call it MOTO (Mail Order / Telephone Order) and your acquirer — Barclaycard, Worldpay, Tyl by NatWest, Elavon, or others — can enable it on your merchant account, usually as a separate MID or as a tick-box on an existing one. What's changed in recent years is how you can do it without landing in full PCI DSS scope. The short answer is: don't let the card number reach your agents, your recording, or your systems in the first place.
Writing a card number on paper isn't illegal, but it puts you in breach of PCI DSS — the card schemes' security standard you agreed to when you signed up with your acquirer. A breach can mean fines, elevated fees, or termination of your merchant account. More practically, any paper with a card number on it immediately becomes a PCI-scope asset: it needs to be locked, tracked, shredded, and documented. The cost of doing it properly usually outweighs the cost of not writing it down at all. Use a compliant capture method and skip the paperwork.
Yes. If your call recording captures a customer reading their card number out loud, that recording is now in PCI scope. You have to treat it the same as any other place card data lives — encrypted, access-controlled, retention-limited, evidence-logged. Redacting it after the fact isn't straightforward and isn't always accepted by auditors. The cleaner answer is to stop card data reaching the recording in the first place, which is what DTMF masking does.
An agent-assisted phone payment keeps a human on the call while the customer keys their card. Useful when the call needs a conversation — sales, collections, support, complex orders. An IVR payment is fully automated: the customer calls a number, a recorded voice walks them through, no agent involved. Useful for high-volume routine payments where the customer just wants to pay a bill and move on. Most businesses end up using both: IVR for simple recurring payments, agent-assisted for anything that needs a person.
Two costs. The first is your acquirer's transaction fee — MOTO interchange is roughly 0.1–0.3% higher than card-present because card-not-present fraud risk is higher. Your acquirer sets this, not us. The second is the technology for keeping you compliant — which is where we come in. We charge per transaction or per seat depending on volume. Both together are almost always cheaper than running your own PCI DSS SAQ D compliance programme, which is where you land if you take the card number directly.
Card-not-present transactions carry full chargeback liability on you — there's no signature or PIN to show the issuer the customer authorised it. Dispute rates tend to be higher on phone payments than in-person. You can mitigate with 3DS2 where the customer can authenticate via their banking app, fraud screening, and clear call scripts that confirm the amount and reference. Our platform layers these in so you're not flying blind.
No. Our platform works with traditional PBX, SIP trunks, cloud phone systems (3CX, Genesys, Five9, Amazon Connect, NICE CXone, 8x8, RingCentral, Talkdesk), and plain office handsets. We integrate at the API or SIP layer. Most deployments go live within a week — the telephony side barely changes, because we drop into what you already have.
Tell us what your calls look like and we'll show you the simplest way to take the payment without card data reaching you. Most customers go live within a week on the phone system they already own.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.
Other ways to take payments in this channel.
Also called DTMF suppression. The customer types their card on their phone keypad. We mask the tones in the live audio so the agent doesn't hear them and the recording stays clean.
Take Mail Order / Telephone Order payments without the card number reaching your agents, your recording, or your systems.
Your agent stays on the live call while the customer keys their card. We mask the tones so no card data reaches the recording or the agent's audio.