PCI DSS Level 1 Certified

MOTO Payments — Secure card-not-present orders without the PCI scope

A MOTO payment — Mail Order, Telephone Order — is any card payment you take when the customer isn't physically with you and their card isn't either. Phone orders, mail-order pharmacy, fax invoices, classic catalog sales, contact-center renewals. You pay higher CNP interchange and you carry the chargeback liability. We handle the card capture so the number never reaches your agents or your systems, and your PCI scope drops to SAQ A. Works with your existing US processor. Sits inside our PCI DSS Level 1 environment.
Book a demoContact us

What is a MOTO payment?

A MOTO payment is a card transaction where the cardholder isn't physically present and neither is their card. The customer reads or keys their card details by phone, mail, fax, or email, and you process them without seeing the card. MOTO stands for Mail Order / Telephone Order — an old term from the catalog-sales era that the card networks kept for anything card-not-present that doesn't go through an ecommerce checkout.

Today MOTO covers phone orders from a website catalog, mail-order pharmacy renewals, classic print catalog sales, invoice payments after a service call, trade-counter deposits, collections calls, insurance premiums, and medical billing. Anywhere the customer is on the other end of a phone or a form and the card isn't with them. The card networks bundle all of it under the same rules: higher interchange, full chargeback liability, stricter fraud expectations.

Paytia handles the capture step. The customer types their card on their own phone keypad, the tones are masked in real time via DTMF masking before they reach your agent or your recording, and the card goes straight to your payment processor. Your business processes the MOTO transaction without ever touching the card number.

How MOTO payment processing works

Same call, same agent, same customer. Just a different path for the card data.

1

Agent takes the order

Your agent talks to the customer the way they always have. When it's time to pay, they click the Paytia action inside your CRM or contact-center dashboard.

2

Customer keys the card

The customer types the card number, expiration, and CVV on their phone keypad. Every tone is replaced with a flat sound before it reaches your agent or your recording.

3

Processor authorizes

We send the card to your processor — Stripe, Chase Payment Solutions, Braintree, Authorize.Net, Adyen, Worldpay (US). Approval or decline in seconds. Confirmation to the customer by voice, SMS, or email.

Why MOTO payments cost more — and what we do about it

MOTO interchange runs roughly 0.10–0.30% above card-present in the US because issuers see card-not-present as higher fraud risk. You also carry the chargeback liability — if the customer disputes the transaction later, there's no signature or PIN to show the issuing bank. Some of this is baked into the card networks and nobody's getting around it. But fraud and scope both cost money, and those are the levers we can actually move.

Tokenization cuts repeat exposure. Every card that passes through Paytia is replaced with a token in your system. If you're running subscriptions, installments, or ad-hoc repeat charges, you never store a card number — the token does the work, and the real card sits in our PCI-certified vault. One breach of your systems doesn't equal a breach of your customers' card data.

3-D Secure 2 works for MOTO whenever the customer has a mobile device to hand for the step-up. Where it doesn't, our fraud screening flags the high-risk transactions so you can decide whether to run them or ask for a different payment method. It isn't perfect — no MOTO setup is — but it cuts the easy fraud and leaves your team to focus on the hard edge cases.

MOTO and PCI DSS scope

A MOTO call without protection is a PCI nightmare. With us, it's an SAQ A line item.

PCI DSS Level 1 Service Provider certification

PCI DSS Level 1

We carry the highest level of PCI certification. Plug us in and your scope drops the moment the card data stops reaching you.

A typical unprotected MOTO call puts your call recording, your agent's desktop, your CRM notes, and any paper order forms in PCI scope. Every one of those becomes a control you have to document, audit, and staff. With Paytia, card data never reaches any of them. Your SAQ shortens from 329 controls to 22. Your recording system drops out of scope entirely because there's no card data in the audio to protect.

AreaWithout PaytiaWith Paytia
Self-assessmentSAQ D (329 controls)SAQ A (22 controls)
Call recordingsContain card data — redact or pauseCard-data free, TCPA-safe
Agent workstationIn scope, full lockdownOut of scope
Annual auditFull QSA assessmentEvidence of integration only

Who takes MOTO payments

Anyone whose customers call to order or to settle an invoice. In 2026, that's still most US businesses.

Florists and gift sellers

Phone-in orders for delivery, last-minute occasions, and corporate accounts. The customer keys their card while your team confirms the delivery address — no card audio in the recording.

Mail-order pharmacy

Repeat prescription refills and over-the-counter shipments. Tokenization handles the next refill so the patient doesn't re-read their card every cycle. BAA available where PHI is in play.

Catalog and direct response

Classic print catalog sales, infomercial response lines, and shopping-channel call centers. Drops your contact center out of SAQ D and keeps recordings clean for QA review.

B2B trade desks

Wholesale orders, trade-counter deposits, pro-forma invoices paid by phone. Your sales team closes the call and the payment together without writing down digits.

Healthcare billing

Patient copays, deductibles, outstanding balances, and treatment plan installments. Tokenization handles repeat charges without storing card data anywhere near PHI.

Insurance and subscription services

Premium collection, renewals, claims deductibles, monthly subscription bills. 3DS2 applies where the customer can authenticate, tokenization where they can't.

Frequently asked questions

What is a MOTO payment?

A MOTO payment is a card transaction where the cardholder isn't physically with you and their card isn't either. MOTO stands for Mail Order / Telephone Order — the original category the card networks used for catalog sales, phone orders, fax orders, and mail-in invoice payments. Today it covers anything where the customer reads or keys their card across a phone line, an email, a fax, or a paper order form. Visa, Mastercard, and the other US networks treat it as card-not-present (CNP) — higher interchange and full chargeback liability sit with you.

What's the difference between MOTO and card-present payments?

Card-present means you've got the card and the cardholder in front of you — chip, contactless, or swipe. MOTO means neither the card nor the cardholder is with you; the customer shares their details remotely. CNP interchange in the US runs roughly 0.10–0.30% above card-present because issuers see it as higher-risk, and chargeback liability sits with you rather than the issuing bank. The numbers vary by card brand and merchant category, but the direction is always up.

What's the difference between MOTO and IVR payments?

IVR is one flavor of MOTO. A MOTO payment is any card-not-present transaction taken over a phone or written channel. An IVR payment is specifically a MOTO payment taken by an automated voice system with no agent on the call. If you want the agent to stay on and walk the customer through, that's agent-assisted MOTO with DTMF masking. If you want it fully automated, that's IVR. Both are MOTO, both go through the same card networks, and both need the same PCI thinking.

Is recording a MOTO call legal under TCPA and state wiretap laws?

Recording the call itself is generally fine if you have one-party or all-party consent depending on the state — California, Florida, and a handful of others require all-party consent. The bigger problem is what's in the recording. If your recording captures the customer reading out 16 digits, that recording is now in PCI scope and a target for breach. With Paytia, the customer keys the card on their own keypad, the tones are masked in real time, and the recording stays clean — no card data, nothing to redact later.

How do I take MOTO payments securely?

The risky way: your agent hears the card number aloud, writes it on a form, or your call recording captures it. Any of those puts you in full PCI DSS SAQ D scope — 329 controls, annual audits, trained staff, secure rooms. The safer way is to route the card capture through a PCI-certified provider. With Paytia, the customer types the card on their own phone keypad, we mask the tones so the agent hears nothing, and we send the card straight to your processor. Your scope drops to SAQ A (22 controls) and nothing sensitive lands in your systems.

Can MOTO payments be recurring?

Yes, and they often are. We tokenize the card on the first transaction and use the token for every subsequent charge — subscription boxes, payment plans, installment programs, monthly catalog renewals. The customer reads or keys their details once. Every charge after that runs off a token that lives in our PCI environment, not yours. You bill every month without storing a single card number.

Do I need a special merchant account for MOTO?

You need a merchant account set up for card-not-present transactions. Most US processors — Stripe, Chase Payment Solutions, Braintree, Authorize.Net, Adyen, Worldpay (US) — offer MOTO as either an add-on to a standard CNP MID or a separate MID. Pricing is usually a per-transaction uplift over card-present rates. We plug into any of them: you keep your existing processor, we handle the capture and tokenization layer on top.

Ready to take MOTO payments without the PCI headache?

We'll walk you through how MOTO payments work on your existing phone system and US processor. Most customers are live within a week — your agents don't need training because there's nothing for them to learn.

PCI DSS Level 1
TCPA & HIPAA Aligned
Book a demoContact us

Trusted by US law firms, insurers, healthcare organizations and regulated businesses that can't afford to get compliance wrong. Learn more about Paytia