
TL;DR
Secure phone payments let your agents take card payments live on a call without the card number ever reaching them, your phone system, or your call recordings. Paytia does this two ways — DTMF Masking and Channel Separation — both PCI DSS Level 1 certified and both drop your assessment from SAQ D (329 controls) to SAQ A (22). Most customers are live in days, on their existing phone system and existing payment gateway.
Last updated: 27 May 2026

Both keep card data out of your business and drop you to SAQ A. The main difference is what your agents need to learn — with Channel Separation, nothing. With DTMF Masking, one click per call. Compare them side by side.
Agent stays on the line throughout. Tones are masked in the live audio so the agent doesn't hear the digits but can keep talking the customer through. Agents press one button to start the capture, then watch a progress indicator — a small behaviour change, not real training.
Pick this if your agents handle complex calls and need to stay engaged through the payment step.
Read about DTMF Masking →
Agent's audio goes off-line during capture. Voice prompts run the flow on the customer leg and the call reconnects when the payment authorises. The agent does nothing during the payment step — the platform drives the whole thing — so there's nothing to learn and no new behaviour to enforce.
Pick this if you want zero agent training, your compliance team wants a hard physical separation for audit, or you'd rather agents had no involvement at all.
Read about Channel Separation →
The cards above are deliberately short. The honest answer to "which should we pick?" comes down to three things: how complex your calls are, how much your compliance team wants a hard physical separation for audit, and how much appetite you have for changing what agents do during a call.
DTMF Masking keeps the agent on the line throughout. They're still talking to the customer when payment starts — "OK Sarah, I'm starting the secure card capture now, just enter your long card number on your keypad when you're ready" — and they can keep prompting if the customer stalls. The tones the customer presses are stripped from the audio before they reach the agent's headset, the call recording, or anything downstream. The agent sees a progress indicator: digits entered, expiry captured, CVV captured, authorising, approved. The whole flow takes about 40-60 seconds for someone reading off a card in front of them, longer if they're fishing it out of a wallet.
Operationally, that's one behaviour change for the agent: press a button to start the capture, watch the indicator, finish the call. We train new agents on it in about 10 minutes during their normal onboarding. The lift is light, and most contact-centre managers say the bigger win is what it lets the agent do during the payment — handle objections, answer a last-minute question about delivery, upsell — instead of putting the customer on hold while they juggle a separate payment page.
Channel Separation is the stricter posture. When payment starts, the agent's audio leg comes off the call. The customer hears voice prompts on their own leg ("please enter your long card number followed by the hash key"), the platform drives the whole flow, and when the payment authorises the agent reconnects to confirm and close the call. The agent literally cannot hear the digits because they're not on the call during capture. For a compliance team that wants to point at a hard physical separation rather than a software mask, this is the cleanest story to tell.
The trade-off is the conversational gap. The customer is alone with the voice prompts for the 30-45 seconds of capture, so the experience is closer to an IVR than a live agent call during that window. Most businesses pre-brief the customer ("I'm going to step off the line for about 30 seconds while you enter your card, and I'll be straight back to confirm") and that lands fine. If you're running collections calls where the customer is reluctant, or if the conversation matters right up to the moment of payment, DTMF Masking is usually the better fit. If your calls are transactional — a customer ringing to renew a subscription, pay an invoice, or top up an account — Channel Separation works just as well.
A pattern we see often: businesses with mixed call types run both. Inbound sales lines use DTMF Masking so agents can keep the conversation going. Outbound collections and high-volume renewal calls use Channel Separation so there's zero training overhead for the temps who come in at quarter-end. Both run on the same infrastructure, the same gateway integration, and the same SAQ A scope reduction, so you're not paying for two separate vendors or running two compliance stories.
Worth sketching what a real call looks like, because most prospects ask "but what does my team need to do differently?" The answer is small for one method and nothing for the other.
With DTMF Masking, the agent takes the call as normal — greeting, conversation, basket build, all of it through their usual phone system and CRM. When the customer's ready to pay, the agent clicks a button on their existing softphone or CRM screen (we drop the button in wherever they already work, so there's no app-switching). The screen shows a small panel: "ready for card number," then "card number captured," then "expiry captured," then "CVV captured," then "authorising," then "approved — £146.50 to card ending 4242." The agent reads the confirmation back to the customer, completes any remaining wrap-up, and ends the call. Total agent action: one click, one read-back. The training conversation is genuinely 10 minutes — "here's the button, here's the panel, here's what each status means, here's what to say if the card declines."
With Channel Separation, there's nothing for the agent to do during capture. They'll usually say something like "I'll step off the line for about 30 seconds while you enter your card, and I'll come straight back to confirm" — and that's the entire script change. When the system completes the payment and the agent reconnects, the same authorisation result appears on their screen so they can confirm the amount and the last four digits. New starters don't need any payment-specific training at all because the agent isn't the one running the payment. The supervisor briefs the script change in five minutes and that's the end of it.
For supervisors and team leaders, the differences worth knowing are: DTMF Masking gives the agent a continuous live audio leg, so they can hear hesitation in the customer's voice and intervene ("take your time, the box is open as long as you need"). Channel Separation hands the customer to a voice-prompt flow that won't adapt to hesitation but will time out cleanly if the customer abandons. Both surface the same gateway response codes to the agent screen, so post-call wrap-up — recording the order, dispatching the goods, raising the invoice — is identical regardless of which method captured the card.
Three short guides most customers read before they book a walkthrough.
Mail Order / Telephone Order: any card payment where neither the card nor the customer is with you. How to take them without the PCI scope.
Read about MOTO payments →
Your agent stays on the call while the customer keys their card. The conversation never breaks, the card data never arrives.
Read about agent-assisted payments →
The three ways to do it, what goes wrong with the obvious way, and how to pick the right approach for your calls.
Read the guide →
The patterns above cover most of what businesses ask for. These fill in the rest.
Automated 24/7 phone payments — no agent on the line, no card data on your systems.
Learn more
Take secure card payments from any smartphone or tablet. No card reader, no app to ship.
Learn more
You dial the customer for collections, renewals, or chase — and take the payment on the same call.
Learn more
Automated payment reminders by email and SMS with smart scheduling and pay-now links.
Learn more
Two costs to think about, and they pull in different directions.
The first is your acquirer's transaction fee. MOTO transactions — what the card schemes call your phone payments — carry interchange roughly 0.1–0.3% higher than card-present because card-not-present fraud risk is higher. Your acquirer (Barclaycard, Worldpay, Tyl by NatWest, Elavon, whoever) sets this, not us.
The second is what you pay for the masking technology itself. Two common models: per-transaction pricing charges a small amount per masked payment (scales linearly, painful in a big sales month, watch the minimum monthly commitment), or per-seat pricing charges for each named user (predictable, gets expensive fast if you have 300 agents but only 50 take cards regularly).
The honest comparison isn't "Paytia versus running it yourself." It's the masking cost against the cost of staying in full PCI DSS SAQ D scope. A typical UK SAQ D audit for a 30-seat contact centre runs £15,000–£30,000 a year once you count the QSA assessor, ASV scans, penetration testing, and staff hours. Add infrastructure controls (hardened agent builds, segregated networks, locked-down recording) and annual staff overhead (training, attestation, role-based access reviews) and the all-in compliance bill for doing it yourself is usually £40,000–£80,000 a year for a mid-sized operation.
Moving to a certified provider for the capture step typically cuts compliance-related spend by 60–75% in the first year. The full breakdown is at how much does PCI compliance cost. We'll quote you a real number against your real call volume — book a call and we'll model it.
Concrete numbers usually clear the fog. Take a 30-seat UK contact centre processing 500 card payments a month at an average ticket of £180 — annual phone-payment turnover around £1.08M. This is roughly the median Paytia customer.
Before Paytia, the maths for staying SAQ D typically runs like this: QSA assessor (annual) £8,000–£14,000, ASV scans (quarterly) £1,200, penetration testing (annual) £6,000–£10,000, hardened-build maintenance and patching for the agent estate £4,000, segregated network and locked-down recording controls £6,000, internal compliance time at roughly 0.4 FTE £18,000. All-in: about £45,000–£55,000 a year just to maintain the controls SAQ D requires. None of that touches transaction fees — it's pure compliance overhead.
After moving to Paytia (the capture descopes you to SAQ A): QSA assessor drops to £2,500–£4,000 for the SAQ A self-assessment review, ASV scans aren't required in scope, pen-testing scope narrows to the residual surface (usually £2,000–£3,000), the hardened-build and segregated-network controls largely fall away, internal compliance time shrinks to roughly 0.05 FTE £2,250. Annual compliance overhead lands at about £8,000–£11,000.
Paytia's own cost on 500 monthly transactions sits in the £400–£700/month range depending on which model you pick and what other bits you take (outbound, tokens for repeat collections, IVR alongside live agents). Call it £6,000–£8,400 a year. Add that to the new compliance footprint and your total all-in is £14,000–£19,400. Versus £45,000–£55,000 before. The saving in year one usually pays for the platform several times over and frees up the IT and compliance hours that used to be spent on hardened agent workstations and quarterly ASV remediation.
The bigger you are, the wider that gap gets — a 100-seat operation taking 2,000 payments a month sees an even larger absolute saving because SAQ D overhead scales with seats but the Paytia platform fee scales much more gently. The smaller you are, the closer the numbers run; if you're a 5-seat practice taking 40 payments a month the platform fee is most of the bill and the compliance arbitrage is smaller (though still positive once you factor in the time you don't spend on assessor questionnaires).
Most teams ask the same question at the demo: "what does the first month actually look like?" Here's the rhythm we run, week by week. It assumes a contact centre of 20-50 agents on a mainstream phone system (3CX, Aircall, Talkdesk, Zoom, Genesys, Five9, NICE CXone, 8x8, Amazon Connect, RingCentral) and an existing UK payment gateway (Stripe, Worldpay, Adyen, Braintree, Barclaycard, Tyl by NatWest, Ryft). Smaller setups go faster; large multi-site rollouts take longer to schedule but follow the same shape.
First conversation is technical and short: which phone system, which gateway, which call flows you want masking on (inbound only, outbound, both), and what your current PCI assessment looks like. Most of the answers come from one person on a 30-minute call.
While that's happening, we connect your payment gateway. If you're on Stripe, Worldpay, Adyen, Braintree, Barclaycard, Tyl by NatWest, or Ryft, the connection is a credentials swap — your merchant account stays exactly as it is, you don't renegotiate rates, you don't open new bank facilities. The first test transaction usually goes through inside an hour of getting the keys.
This is where the work happens. Depending on your phone system, we either drop a SIP trunk in front of your existing setup, connect through the platform's API (Aircall, Talkdesk, Amazon Connect all have first-class integrations), or sit alongside a CCaaS like NICE CXone via a published connector. The pattern is the same: when an agent triggers a payment, the call routes through our PCI environment for the capture window, then routes straight back. The rest of the call — greetings, conversation, follow-up — never touches us.
We test the routing first with internal numbers, then with one or two pilot agents, then ramp. Most customers see a working capture on a real test call inside this week.
For DTMF Masking, agents need about 10 minutes of training. The whole change is: press a button to start the capture, watch the progress indicator, finish the call as normal. We run it as part of a regular team huddle, not a separate course. For Channel Separation, training is zero — the agent doesn't do anything during capture, so there's nothing to teach.
The soft launch usually runs 3-5 days on one team or one call type. Real customer calls, real money, but with a manager listening in for the first dozen or so to catch anything awkward in the script. Almost always the awkwardness is in the agent's wording ("er, I'm going to start the secure payment now, hold on") rather than the system itself, and that smooths out fast.
Once the pilot team is comfortable, we open up the rest of the agents. There's no per-agent provisioning — they all get access the same way they got access to any other call routing. Most contact centres are taking 100% of their phone payments through the new flow by the end of week four.
Then the PCI conversation. Your QSA or internal compliance lead reviews the new architecture, confirms that card data no longer enters your environment, and re-scopes your assessment. Most businesses move from SAQ D (329 controls) to SAQ A (22 controls) at their next annual assessment. We give you our attestation, the architecture diagrams, and the bits of paperwork your QSA will ask for. The actual re-assessment is on your assessor's calendar, not ours, but the heavy lifting is done.
The technical install is the easy half. Where rollouts get stuck is the people side — agents who've been reading card numbers off a screen for years, supervisors who've built quality-monitoring scripts around the old flow, and team leads who've been the gatekeepers for the pause-and-resume mechanism. Three things consistently make the difference between a deployment that lands in week 4 and one that's still half-adopted in month three.
First, brief the floor before the change, not on the day. Agents react badly to surprise process changes, especially around money. A 15-minute team briefing a week ahead — "here's why we're changing this, here's what your call will look like, here's what to say to the customer" — does more for uptake than any amount of post-launch training. The brief should come from the operations manager, not from IT or compliance, because the agents need to hear that this is about making their job easier (no more reading numbers back, no more pause-and-resume button to remember, no more nervously hoping the recording suppression worked), not about ticking a box for the auditor.
Second, give supervisors a clean script change to enforce. The agent's wording during the payment step is the single biggest source of awkwardness in the first week. We supply a script card — about half a sheet of A4 — with the exact phrasing for the handover ("I'm starting the secure card capture now, please enter your long card number on your keypad when you're ready"), a fallback line for if the customer hesitates, and a recovery line for declines. Supervisors who pin this to the agent screen for the first fortnight see uptake stabilise faster.
Third, run an internal comms note before launch. Most contact centres have a customer-facing layer — a FAQ on the website, an automated holding message, sometimes an outbound email to existing customers — and one or more of those usually mention "our agents will ask for your card details over the phone." Update that wording before go-live ("you'll be asked to enter your card on your own phone keypad, securely" is what most customers expect to read now anyway) so the customer's expectation matches what the agent says when the moment comes. It's a small change that prevents a class of confused-customer calls in the first week.
Adoption typically follows a predictable curve: 60% of agents are comfortable in week one, 90% by the end of week three, and the last 10% are usually a handful of long-tenured agents who've had ten years of muscle memory around the old way. They come round, but often need a one-on-one with their team leader rather than a group session. Plan for that.
The thing nobody warns you about: once card data stops flowing through your contact centre, a lot of the controls you've been maintaining stop being necessary. Locked-down agent workstations, segregated network zones, quarterly ASV scans on the contact-centre subnet, role-based access reviews on the recording archive — most of that goes away or shrinks to a much smaller footprint. The first time your IT lead notices they're not patching a separate hardened build for the payments team, they'll send you a thank-you note.

Phone payments are still where most businesses leak PCI scope. If you take card payments over the phone and your agents hear the numbers, your call recordings probably capture them, and once that happens PCI DSS starts applying to most of your contact centre — not just the payment step. Pause-and-resume recording is fragile, secure rooms don't work for hybrid teams, and sending customers to a separate link kills the call.
Paytia sits between your phone system and your payment gateway, and we've been running secure phone payments for UK contact centres since 2016. When it's time to pay, the customer enters their card on their own keypad. We either suppress the tones in the live audio (DTMF Masking) or split the call into two channels during capture (Channel Separation) — either way, your agent never hears the digits, your recording captures nothing sensitive, your systems never touch the card. The payment processes through your existing gateway (Stripe, Barclaycard, Worldpay, Adyen, Tyl by NatWest, Ryft, and others), so you don't switch merchant accounts.
Most customers are live within days. PCI scope drops from SAQ D (329 controls) to SAQ A (22 controls), and the call experience stays the same for your customers. For the underlying definition, see secure telephone payments.
Still working out which approach fits your call volumes? Our write-up on IVR versus agent-assisted payments covers when self-service IVR makes sense, when an agent on the line earns its keep, and how most teams end up running both side by side.
A UK insurance broker we work with — about 80 agents across two sites, taking renewals and new-business premium payments — was on SAQ D, pause-and-resume recording, and three full-time staff dedicated to PCI controls and the annual QSA cycle. Their auditor had flagged the pause-and-resume mechanism as a control they weren't comfortable signing off on for another year. They moved to Channel Separation across both sites in six weeks. The pause-and-resume disappeared, the recording stayed clean for compliance and dispute purposes, and the next assessment came in as SAQ A. The compliance team reallocated two of those three roles onto fraud and underwriting work.
A UK veterinary group running a central booking and payments line — about 25 agents, mostly inbound — switched in under three weeks. Their constraint was clinical conversation: vets and nurses calling the line to take payment for treatment plans need the customer to stay engaged because there's often a follow-up question ("do you want the bloods done on the same visit?"). DTMF Masking was the fit — agents stay on the call throughout, the customer keys their card while the conversation continues, and call recordings stay intact for clinical-governance review. Card data never enters the recording, so the recording archive came out of PCI scope at the next assessment.
A UK utilities collections operation, working an outbound dialler for missed direct-debit chase calls, was the unusual case: their problem wasn't agent training or audit, it was conversion rate. They'd been sending payment links by SMS mid-call, and roughly 28% of those payments weren't completing — customers got distracted, hit 3DS challenges, gave up. Switching to DTMF Masking on the live call lifted same-call completion to 91% inside the first month. The PCI scope reduction was almost a side benefit; the line-of-business case was the collections recovery rate going up.
Phone payments show up in almost every industry, but the shape of the call — and the compliance pressure around it — looks different depending on what you sell. Since 2016 we've processed over £400M in card payments for UK businesses, and these are the five sectors we see most often.
High call volumes, mixed call types, and usually the most aggressive PCI scope. A 50-seat contact centre handling subscription renewals, account top-ups, and inbound sales will typically take 200-500 card payments a day, and every one of them used to mean an agent reading numbers off a screen with a recording running. Channel Separation is the most common fit here because the training overhead on a workforce that turns over every six months is real. A typical operational example: a broadband ISP routing inbound "upgrade my package" calls and outbound late-payment chase calls through the same agent pool — both call types get card capture without the agent or the dialler ever touching the digits. More on contact centres and telecoms.
Private clinics, dental practices, veterinary, physiotherapy, aesthetic clinics — anywhere a patient pays by phone for an appointment, a treatment plan, or a follow-up. The compliance pressure here isn't only PCI; it's also patient confidentiality and call-recording controls under GDPR and the Caldicott principles. Card data getting captured in a clinical call recording is a double exposure. DTMF Masking with call recording intact is usually the fit because clinicians want the conversation continuous. A typical operational example: a dental group taking a £950 deposit for an implant consultation while the clinician explains the treatment plan — the conversation never pauses, the recording stays clean for clinical-governance review, and the card data goes straight to the gateway. More on healthcare.
Wealth managers, accountancy practices, insurance brokers, solicitors taking client money over the phone. FCA-regulated firms have the toughest audit story, and most of them have been told by their auditor at some point that "pause and resume" on the call recording isn't evidence of compliance — it's evidence of a control that depends on humans remembering to press a button. The hard separation of Channel Separation is what auditors want to see. A typical operational example: an insurance broker taking the annual premium on a renewal call where the agent is also confirming policy changes — the conversation continues, the audit trail shows the card capture happened on a separated channel, and the recording-archive PCI exposure drops to zero. More on financial and professional services.
Local councils taking parking fines, council tax, leisure bookings; charities taking donations; housing associations taking rent. Budgets are tight and PCI assessments are expensive, so the SAQ D → SAQ A scope reduction is the headline benefit. Most public-sector callers expect IVR-style automation already, so Channel Separation works without the customer noticing it's any different from the council's existing payment line. A typical operational example: a council revenues team taking council-tax arrears payments — agents handle the negotiation, hand off to the secure capture for the payment itself, and the recording stays clean for the FOI and DPA exposure councils carry. More on public sector and non-profit.
Retailers who take orders over the phone — high-value goods, custom builds, B2B trade accounts, click-and-collect, mail-order businesses, anywhere a customer can't or won't finish the order online. MOTO (mail order / telephone order) is a tax category most e-commerce platforms don't handle well; you usually end up with a separate phone-order workflow and a separate compliance scope. Paytia keeps the MOTO scope inside the same gateway you use for online orders, so reconciliation stays simple and PCI scope stays SAQ A across both. A typical operational example: a kitchen retailer taking a £4,500 deposit on a phoned-in bespoke order — agent stays on the call to confirm dimensions and delivery, customer keys the card on their handset, the transaction lands in the same Stripe or Worldpay account as the website orders for clean reconciliation.
You make telephone payments PCI compliant by keeping card data out of the places PCI DSS cares about — your agents, your phone system, and your call recordings. The simplest route is to capture the digits on the customer's own keypad and route them straight to your payment gateway, so the card number, expiry and CVV never enter your environment. Paytia does this two ways: DTMF Masking strips the keypad tones from the live audio on an agent call, and Channel Separation splits the call into two channels during capture. Either approach typically drops your assessment from SAQ D (329 controls) to SAQ A (22), and both run on PCI DSS Level 1 certified infrastructure.
Capture the card on the customer's own phone keypad and route it straight to your payment gateway, so the digits never reach your agent, your call recording, or your systems. Paytia does this two ways: DTMF Masking strips the keypad tones from the live audio, and Channel Separation splits the call into two channels during capture. Both drop PCI scope from SAQ D (329 controls) to SAQ A (22 controls) and are PCI DSS Level 1 certified.
MOTO — Mail Order / Telephone Order — is any card payment where the customer isn't physically present and the transaction is taken by an agent over the phone or from a posted or emailed order form. MOTO is card-not-present, exempt from Strong Customer Authentication under PSD2, and the merchant carries the full fraud liability if a chargeback comes in. Paytia keeps your MOTO setup simple: the customer enters their card on their own keypad during the call, DTMF Masking or Channel Separation keeps it off your systems, and the payment runs through your existing gateway. Your PCI scope drops, your fraud exposure on each transaction stays no higher than any properly-captured MOTO payment, and your agents never handle the digits.
Not in the old sense. A traditional virtual terminal is a web form the agent types the customer's card number into, which means the agent's keyboard, browser, workstation and network all sit inside your PCI cardholder data environment — and you're usually on SAQ C-VT (about 80 controls) as a result. Paytia flips that model. The customer enters the card on their own phone keypad, the tones are masked before they reach the agent or the recording, and the digits go straight to the payment gateway. You get the browser-based convenience of a virtual terminal without the agent ever seeing or typing card data, and most customers drop to SAQ A (22 controls) instead of SAQ C-VT or SAQ D.
DTMF masking replaces the keypad tones (dual-tone multi-frequency signals) in a live call with silence or a flat tone, so anyone listening — agent, call recording, or anyone nearby — can't identify the digits being pressed. The customer types normally on their handset; the tones just don't reach the audio stream. It's how Paytia's DTMF Masking keeps card numbers out of your contact centre.
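To make that description concrete, here is an added Python example (hypothetical, not Paytia's own code): a frame-based Goertzel detector finds the DTMF tone pairs in 8 kHz audio and replaces those frames with silence before the audio goes on to a listener or recorder, then shows that the digits a recorder could recover from the unmasked stream are gone from the masked one. The constructed call audio, the 205-sample frame, the power threshold and the one-frame guard band are assumptions for the demonstration.

```python
"""Frame-based DTMF masking: detect keypad tone pairs in live audio and
replace them with silence before the stream reaches the agent or recorder.
Hypothetical example, not Paytia's code. Float PCM in [-1, 1] at 8 kHz."""
import math

SAMPLE_RATE = 8000        # narrowband telephony rate
FRAME = 205               # ~25.6 ms, the classic Goertzel DTMF frame length (assumed)
THRESHOLD = 0.01          # normalised bin power; a full-frame tone of amplitude A gives ~(A/2)^2
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")   # row = low tone, column = high tone


def goertzel_power(frame, freq):
    """Normalised power of `frame` at the DFT bin nearest `freq` (|X[k]|^2 / n^2)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def detect_digit(frame):
    """Return the DTMF key sounding in `frame`, or None if no valid low/high pair."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    if low[li] < THRESHOLD or high[hi] < THRESHOLD:
        return None
    return KEYS[li][hi]


def frames(pcm):
    return [pcm[i:i + FRAME] for i in range(0, len(pcm), FRAME)]


def decode_digits(pcm):
    """Digits a listener (agent headset, call recorder) could recover from `pcm`.
    A key press spans several frames, so a change of detected state is one press."""
    out, last = [], None
    for fr in frames(pcm):
        d = detect_digit(fr)
        if d is not None and d != last:
            out.append(d)
        last = d
    return "".join(out)


def mask_dtmf(pcm, guard_frames=1):
    """Copy of `pcm` with every frame carrying a DTMF pair, plus `guard_frames`
    neighbours each side, replaced by silence. The guard covers the ragged tone
    edges that fall below THRESHOLD; a live masker buys that lookahead with a
    few tens of milliseconds of audio delay."""
    fr = frames(pcm)
    hot = [detect_digit(f) is not None for f in fr]
    masked = []
    for i, f in enumerate(fr):
        lo, hi = max(0, i - guard_frames), min(len(fr), i + guard_frames + 1)
        masked.extend([0.0] * len(f) if any(hot[lo:hi]) else f)
    return masked


# Constructed test signal: 200 ms of stand-in "speech" (a 300 Hz tone), a pause,
# then the customer keying 4242# with 80 ms tones separated by 80 ms gaps.
def tone(freqs, amp, ms):
    n = SAMPLE_RATE * ms // 1000
    return [sum(amp * math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(n)]


def key_tone(key, ms=80):
    row = next(r for r, ks in enumerate(KEYS) if key in ks)
    col = KEYS[row].index(key)
    return tone((LOW_FREQS[row], HIGH_FREQS[col]), 0.5, ms)


VOICE = tone((300,), 0.3, 200)
SILENCE = [0.0] * (SAMPLE_RATE * 80 // 1000)
SAMPLE_CALL = VOICE + SILENCE
for _key in "4242#":
    SAMPLE_CALL += key_tone(_key) + SILENCE

if __name__ == "__main__":
    print("unmasked audio leaks:", decode_digits(SAMPLE_CALL))
    print("masked audio leaks:  ", repr(decode_digits(mask_dtmf(SAMPLE_CALL))))
```

The speech-like segment passes through untouched, which is the property that lets the agent keep talking while the digits are stripped.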
Customers type their card details on their own phone keypad. Paytia either masks the keypad tones in the live audio (DTMF Masking) or splits the call into two channels during capture (Channel Separation) — either way, the card number, expiry, and CVV go straight to your payment gateway, not through your agent, your call recording, or your systems.
No. Paytia works with any telephony — landline, VoIP, SIP, PBX, or full contact-centre platforms like Genesys, Five9, Amazon Connect, NICE, 8x8, Talkdesk. There's no hardware to install. Most customers are live in days.
Yes. Card data is removed from the audio before it reaches the recording layer, so recordings stay clean — no pause-and-resume, no redaction, no compliance exposure if a recording is ever pulled from archive.
Yes. Agents can dial the customer for collections, renewals, or chase and take the payment on the same call. See Outbound Payments and Payment Chase below.
Most businesses drop from SAQ D (329 controls) to SAQ A (22 controls). Card data never enters your environment, so most PCI DSS controls stop applying.
Yes. The flow is the same — your agent dials the customer, has the conversation, and when it's time to pay, either presses the button to start DTMF Masking or hands off to the Channel Separation flow. The customer keys their card on their own handset, the digits never reach the agent or the recording, and the payment runs through your existing gateway. Most collections teams use Paytia on outbound chase calls so the agent can take the payment on the same call instead of asking the customer to log in to a portal and risk losing them. We also support pre-saved card tokens for repeat collections (kept inside our PCI environment, never in your CRM) so a customer who's paid you before doesn't have to read their card again.
Run both. Most contact centres do. IVR handles the high-volume, simple transactions — subscription renewals, account top-ups, parking fines, donations — where the customer is happy to follow voice prompts without speaking to anyone. Live-agent capture (DTMF Masking or Channel Separation) handles the calls where the conversation matters — complex orders, support calls that turn into a sale, objection-heavy collections. The infrastructure is shared, the gateway integration is shared, the PCI scope is shared. You're not running two products. See our IVR payments page for the self-service side.
Most customers are live in 2-4 weeks end to end. Week 1 is scoping and connecting your payment gateway (a credentials swap if you're on Stripe, Worldpay, Adyen, Braintree, Barclaycard, Tyl by NatWest or Ryft — your merchant account doesn't change). Week 2 is phone-system integration — depending on your platform we either drop a SIP trunk in front, connect through a published API integration (Aircall, Talkdesk, Amazon Connect have first-class connectors), or sit alongside a CCaaS like NICE CXone via a published connector. Week 3 is agent training (10 minutes for DTMF Masking, zero for Channel Separation) and a soft launch with one team. Week 4 is full rollout and starting the SAQ A re-assessment conversation with your QSA. Bigger or multi-site rollouts take longer to schedule but follow the same rhythm.
The agent sees a clear failure reason — card declined, insufficient funds, expired card, AVS mismatch, 3DS challenge required — and can talk the customer through retry on the same call without ever seeing the card number themselves. If the gateway returns a soft decline (issuer asking for re-authentication, network timeout), the system auto-retries once. If it's a hard decline, the agent can offer an alternative card and the customer enters the new digits the same way — keypad on their own phone, masked from the agent. We don't store failed card details. The whole exchange usually adds 30-60 seconds to the call rather than dropping the customer back into a phone queue.
Refunds are processed against the original transaction in your gateway dashboard, exactly as they would be for any other gateway transaction — you don't need the card number again because the gateway has the original token. Chargebacks come through your acquirer the way they always have; the only difference is that, because card data never touched your systems, you've got a much stronger compliance posture if a chargeback dispute escalates into a PCI question. We give you a per-transaction reference that ties back to the masked capture event for your own audit log, so if a customer queries a payment three months later your support team can trace it without ever needing the original card number.
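The decline handling and audit trail described in the two answers above, as an added example that is not Paytia's code: the reason codes, the gateway stub and the record layout are assumptions, and the point is that one soft-decline retry happens automatically while the agent-facing message and the audit record never carry card data.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed reason codes (not a real gateway's). Soft declines are transient and
# get one automatic retry; hard declines need the customer (new card, 3DS step).
SOFT_DECLINES = {"issuer_reauth": "issuer asked for re-authentication",
                 "network_timeout": "network timeout"}
HARD_DECLINES = {"card_declined": "card declined",
                 "insufficient_funds": "insufficient funds",
                 "expired_card": "expired card",
                 "avs_mismatch": "AVS mismatch",
                 "3ds_required": "3DS challenge required"}

@dataclass
class GatewayResponse:
    approved: bool
    reason: Optional[str] = None
    txn_ref: Optional[str] = None   # gateway reference; never the card number

def charge_with_retry(charge: Callable[[], GatewayResponse], max_auto_retries: int = 1):
    """Call the gateway once; retry automatically (once by default) only on a
    soft decline. Returns (final_response, attempts_made)."""
    attempts = 0
    while True:
        resp = charge()
        attempts += 1
        if resp.approved or resp.reason not in SOFT_DECLINES or attempts > max_auto_retries:
            return resp, attempts

def agent_message(resp: GatewayResponse) -> str:
    """What the agent's progress indicator shows: a failure reason, no card data."""
    if resp.approved:
        return "approved"
    reason = SOFT_DECLINES.get(resp.reason) or HARD_DECLINES.get(resp.reason, "declined")
    return f"{reason} - offer a retry or an alternative card"

def audit_record(capture_event_id: str, resp: GatewayResponse) -> dict:
    """Per-transaction record for your own audit log: the masked capture event id
    and the gateway reference tie the payment back; failed attempts keep nothing
    about the card."""
    return {"capture_event": capture_event_id,
            "gateway_ref": resp.txn_ref if resp.approved else None,
            "outcome": "approved" if resp.approved else resp.reason}

# Constructed stand-in for the gateway: returns the scripted responses in order.
def scripted_gateway(responses):
    it = iter(responses)
    return lambda: next(it)
```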
Four things we hear from prospects almost every week. They're all wrong, in the same way, for the same reason — PCI DSS treats audio recordings as cardholder data the moment a card number is spoken or keyed where it can be captured.
Pause-and-resume is a control that depends on a human pressing a button on every call, every time, without exception. PCI assessors have been clear for years: a manual pause is not a reliable compensating control. The first agent who forgets — or whose pause button doesn't respond fast enough — captures a card number into a call recording that's now in PCI scope. The recording archive becomes cardholder data storage, the network it lives on becomes the CDE, and your SAQ scope balloons. The right answer is to remove the card data from the audio at the source, not to rely on humans to suppress the recording around it.
A secure room solves part of the problem — physical eavesdropping — and none of the rest. The agent's headset still picks up the card number. The call recording still captures it. The phone system still routes it. The CRM still ends up with notes that say "customer's card ends in 4242, declined." The room only helps if everyone's in it (impossible for hybrid teams), if no recording runs (most contact centres can't turn recording off for compliance and training reasons), and if every adjacent system is also locked down. The whole thing was a workable answer in 2008; it's not in 2026.
This descopes the agent but kills the call. A meaningful percentage of customers — usually 15-30% in the data we've seen — don't complete the link payment. They get the SMS, click it, then get distracted, or hit a 3DS challenge they can't resolve while on the phone, or the email goes to spam. The agent ends up either waiting on hold for five minutes hoping the payment lands, or ringing back later (and often not getting through). For a payment that would have closed in 60 seconds on the live call, you've traded a compliance problem for an abandonment problem. Live capture with masking solves both.
Your gateway being PCI Level 1 protects the part of the flow that runs inside their environment. It doesn't protect anything that happens before the card number reaches them — and that's exactly the bit a phone payment exposes. If your agent hears the card, your phone system carries it, or your recording captures it, your gateway's certification is irrelevant to that part of the journey. The PCI obligation sits with the merchant for everything in their cardholder data environment, even if the gateway downstream is bulletproof. The whole point of DTMF Masking or Channel Separation is that the card data goes straight from the customer's keypad to the gateway, so the bit you're responsible for shrinks to almost nothing.
“Paytia turned a security exposure and reputational risk into an opportunity. Fundraising has never been more important and Paytia has helped us achieve our goals.”
Trinity Hall College
Cambridge University
Read the case study →
Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College
Since 2016: building secure payments
PCI DSS Level 1: highest certification
99.99%: platform uptime
£400M+: transactions processed
See Paytia on a call flow that looks like yours. Most businesses are live within days.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia