PCI DSS Level 1 Certified

MOTO Payments — Secure card-not-present orders without the PCI scope

A MOTO payment — Mail Order, Telephone Order — is any card payment you take when the customer isn't physically with you and their card isn't either. Phone orders, mail-order pharmacy, email invoices, social-channel payments, catalog sales, contact-center renewals. You pay higher CNP interchange and you carry the chargeback liability. We handle the card capture so the number never reaches your agents or your systems, and your PCI scope drops to SAQ A. Works with your existing US processor. Sits inside our PCI DSS Level 1 environment.
Book a demoBook a demoContact us

What a MOTO payment actually is

MOTO stands for Mail Order / Telephone Order. It's a card-not-present transaction where the customer gives you their card details over the phone, by email, or through a social-channel chat — neither the card nor the cardholder is anywhere near you. The term's a hangover from the catalog-sales era, but Visa, Mastercard, Amex, and Discover still use it and so do your processor, your acquirer, and your QSA.

It's different from in-person and online in a couple of ways that matter. There's no chip, no contactless tap, no swipe — none of the friction that protects a card-present sale. And unlike online, there's no clean way to slot 3DS2 into the flow, because the customer is on a phone call rather than a checkout page. The card network sees the transaction as higher risk than either alternative, prices it accordingly, and pushes the chargeback liability onto you.

Plenty of US businesses still rely on it. Mail-order pharmacy. Catalog and direct-response shopping channels. Healthcare billing — copays, deductibles, treatment plan installments. B2B trade desks closing wholesale orders. Insurance premium collection. Florists, gift sellers, ticketing call centers. Property management taking rent and security deposits over the phone. Any business with a customer base that prefers calling in to clicking through — which, in 2026, is still a long list — runs a MOTO channel whether they call it that or not.

We've been building PCI-compliant phone payment systems since 2016 and MOTO is the workflow we know best. The rest of this page covers what makes it the riskiest card channel you can run, what compliance actually demands in the US, and how to handle the call so your agent stays on the line and the card data doesn't reach your systems. If you'd rather skip to a demo, we'll show you the flow on a real call.

Why MOTO is the riskiest card-payment channel you run

Card-not-present fraud is the largest category of US card fraud loss, and MOTO sits at the sharper end of CNP. Online checkouts have 3DS2, device fingerprinting, browser signals, and a liability shift to lean on. Card-present has chip and the customer standing in front of you. MOTO has none of that — just a voice on a phone reading sixteen digits — which is why the card networks price MOTO interchange roughly 0.10–0.30% above card-present and why your processor treats every dispute as your problem.

The fraud patterns we see most often on MOTO calls fall into four shapes. The first is the classic stolen-card delivery scam: a fraudster calls with card details bought on the dark web, places an order, ships it to a drop address. By the time the genuine cardholder spots the transaction and files a dispute, the goods are gone. The second is friendly fraud — a real customer places a real order, takes delivery, then disputes the charge with their issuing bank and claims they never made the call. Without 3DS2's liability shift to fall back on, you absorb the loss almost every time.

The third pattern is card testing. Someone uses your phone line to check whether a stolen card number is live by running a small, low-value transaction. If it goes through, they move on to bigger purchases somewhere else. You're left with a string of one-dollar and two-dollar chargebacks that look trivial in isolation but pile up fast enough to push your chargeback ratio past Visa's VDMP (1% / 100 chargebacks) or Mastercard's ECP threshold. Once you're in a monitoring program you're looking at extra fees, mandatory action plans, and ultimately the risk of losing your merchant account. The fourth pattern is refund fraud: a caller places an order, rings back claiming a problem, and asks for the refund to land on a different card. Without a strict policy that returns money to the original method only, you can lose on both ends.

All of that is external attackers. The risk that businesses least want to think about is internal. If your agents can see or hear full card details — and on a traditional MOTO call they have to, otherwise they can't key the digits into the virtual terminal — a single dishonest hire can pocket dozens of card numbers in a shift. Stolen card data often surfaces months later, sold in batches, by which point tracing it back to your contact center is almost impossible. The hidden agent-exposure riskon a normal MOTO setup is the one we hear about most after the fact, usually from the compliance officer who's just spotted it on an audit.

Then there's everything that captures card data accidentally. Call recordingsare the worst offender — most US contact centers record for QA, training, dispute defense, and TCPA compliance, and most of them haven't worked out that every recording capturing a customer reading sixteen digits is now cardholder data. Those recordings have to be encrypted, access-controlled, and retention-managed at the same level as a primary card database, because under PCI DSS that's what they are. Same goes for any paper order form on a desk with a PAN written on it, any email a customer ever sent with their card number in it, any CRM note where an agent typed digits into a free-text field. Email is the quiet one — it isn't encrypted by default, it sits in inboxes for years, and it gets backed up to systems nobody's ever included in their PCI scope assessment.

Attackers know all of this. The MOTO playbook isn't exotic. It's social-engineering customer service to read a card back so they can be sure they've got it right. It's phishing the recordings system. It's pretexting a refund. It's walking out with a clipboard. The reason MOTO fraud rates run higher than any other card channel isn't that the criminals are cleverer here — it's that the surface area you're defending is genuinely bigger, and most of it sits inside your own four walls.

What PCI DSS, state wiretap laws, and HIPAA actually require for MOTO

Every MOTO transaction is in PCI DSSscope. There's no minimum-volume carve-out, no exemption for low-risk merchants, no allowance for "we only do a handful of phone payments." If you take card details by phone, the standard applies to you, and which Self-Assessment Questionnaire you have to complete depends entirely on how the card data is handled.

If your agents key the card number themselves into a virtual terminal — the traditional MOTO setup — you're on SAQ D. Around 329 controls, annual evidence, the heaviest reporting tier short of a full Report on Compliance. Your agent workstation, your call recordings, your CRM, your network, and any paper forms all sit inside the cardholder data environment, and every one of those becomes something you have to document and audit. If you route the capture through a PCI-certified provider so card data never reaches you — DTMF masking, channel separation, agent-assisted — you drop to SAQ A, which is around 22 controls. PCI DSS v4.0.1 sharpened the language on this further: any system component that can affect the security of cardholder data is in scope, so a recording system that captures DTMF tones counts even if it never stores the digits as text.

PSD2 and Strong Customer Authentication are EU/UK rules, not US ones, so SCA isn't a compliance lever here the way it is in Europe. Where US MOTO does get tangled is in state wiretap and recording-consent law. Eleven states — California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington — require all-party consent before you can record a call. The rest are one-party. Recording itself is generally fine if you announce it and get the consent your state requires. The bigger problem is what's inside the recording: a captured PAN is cardholder data, and a captured PAN sitting in a recording that's been pulled into a dispute file or shared with a TCPA defense counsel is cardholder data that's spread further than you'd like.

Where 3DS2can be brought in for a US MOTO transaction — typically when the customer has a mobile to hand during the call and can approve a step-up on their banking app — using it gives you the liability shift you'd otherwise be missing. We apply 3DS2 wherever it's available and fall back to fraud-screening rules where it isn't, so the transactions most likely to dispute later get extra scrutiny up front.

For healthcare merchants, HIPAA sits over the top of PCI. When a patient calls to settle a copay, the call audio contains both payment data and protected health information — diagnosis codes, plan IDs, treatment references — and your recording becomes a combined PCI + HIPAA artifact. The cleanest answer is to keep the card capture off the recording entirely and to operate the payment leg under a Business Associate Agreement with whoever processes the card. We sign BAAs for the healthcare merchants we work with, and DTMF masking pulls the PAN out of the audio before it ever reaches your recording, so the recording stays HIPAA-compliant on the PHI side without leaking PCI on the payment side.

MOTO and PCI DSS scope

A MOTO call without protection is a PCI nightmare. With us, it's an SAQ A line item.

PCI DSS Level 1 Service Provider certification

PCI DSS Level 1

We carry the highest level of PCI certification. Plug us in and your scope drops the moment the card data stops reaching you.

A typical unprotected MOTO call puts your call recording, your agent's desktop, your CRM notes, and any paper order forms in PCI scope. Every one of those becomes a control you have to document, audit, and staff. With Paytia, card data never reaches any of them. Your SAQ shortens from 329 controls to 22. Your recording system drops out of scope entirely because there's no card data in the audio to protect.

AreaWithout PaytiaWith Paytia
Self-assessmentSAQ D (329 controls)SAQ A (22 controls)
Call recordingsContain card data — redact or pauseCard-data free, TCPA-safe
Agent workstationIn scope, full lockdownOut of scope
Annual auditFull QSA assessmentEvidence of integration only

How to take MOTO payments without absorbing the risk

The principle is simple: if the card number never reaches your environment, almost none of the risk reaches it either. Your agents can't leak data they never had, your recordings can't capture tones they never received, your CRM can't store digits nobody typed into it, and your QSA has 22 controls to look at instead of 329. The whole modern MOTO stack is built around getting card capture out of the parts of your business where it doesn't belong.

On the phone leg, the right answer for almost every contact center is DTMF masking. The customer types their card on their own phone keypad. Each tone is intercepted and replaced with a flat sound before it reaches your agent or your recording system. The agent stays on the call the whole time, talks the customer through it, and confirms the result when authorization comes back. From the customer's side it feels like any normal phone payment. From your auditor's side, the audio has no card data in it.

Channel separation takes the same idea a step further on calls where the agent shouldn't be in the room with the digits at all. The card capture happens on a separate audio path that bypasses the agent's line entirely. Useful for higher-value transactions, regulated industries, and anywhere the threat model includes the agent themselves. Agent-assisted sits between the two — the agent keeps the call going, the customer keys the card, and the agent sees only a masked progress indicator on screen.

For mail-order and email-order workflows, the answer is to stop accepting card details in writing at all. We send the customer a secure payment link by SMS or email; they tap through to a hosted payment page in our PCI environment, type the card themselves, and the confirmation lands back in your system as a token plus an authorization code. The order form on your end never sees a card number. The same flow handles refunds, top-ups, and ad-hoc payment requests without you ever opening an email that contains a PAN.

Where the card goes once we've captured it depends on what you already have. We pass the authorization request straight to your existing processor — Stripe, Chase Payment Solutions, Braintree, Authorize.Net, Adyen, Worldpay (US), whichever — so your pricing, your settlement, and your reporting don't move. What does move is what gets stored where. We tokenizethe card inside our vault and return a token your systems can use for refunds, repeat charges, or anything else you need to do with that customer later. The real PAN never leaves our environment. The agent never sees it. The recording never hears it. The CRM never stores it. That's what good looks like for a 2026 MOTO operation.

Where MOTO fits in your stack

MOTO sits on top of whatever phone system you already run. We don't replace your telephony, your CCaaS platform, your PBX, or your agent desktop. If you're on a traditional carrier line into an on-prem switch, we hook in. If you're on a cloud contact center — Five9, NICE CXone, Genesys Cloud, Talkdesk, RingCentral, 8x8, Amazon Connect — we hook in. The integration is at the call-leg level for DTMF masking, or via API for the secure-link and agent-assisted flows, so you don't have to rip anything out to get the scope reduction.

The processor side is the same story. We route authorization requests to your existing US processor — Stripe, Chase Payment Solutions, Braintree, Authorize.Net, Adyen, Worldpay, the lot. You keep your merchant ID, your pricing, your settlement schedule, your existing reporting. The only thing that changes is that the PAN comes from our vault rather than from your CRM. Multi-currency works the way it already does in your processor; we don't add anything on top.

A handful of edge cases come up often enough to call out. International cards work the way they always have, except the customer keys their CVV directly so it can't go astray in transit. Refunds run through the original payment method via the token, which keeps you on the right side of the card networks' refund-fraud rules without having to remember which card the original charge landed on. Recurring MOTO — subscription boxes, installment plans, monthly catalog renewals, pharmacy refills — uses the token from the first call for every charge after that, so the customer reads their card once and never again.

Most customers are live within a week. Agents don't need training because there's nothing for them to learn — the call flow looks the same to them, just with a "Take payment" button that doesn't ask them to read digits back. If you want to see the whole thing on a real call, we'll walk you through it, or you can tell us what your stack looks likeand we'll work out the shape of the integration before you commit to anything.

Frequently asked questions

What is a MOTO payment?

A MOTO payment is a card transaction where the cardholder isn't physically with you and their card isn't either. MOTO stands for Mail Order / Telephone Order — the original category the card networks used for catalog sales, phone orders, and mail-in invoice payments. Today it covers anything where the customer reads or keys their card across a phone line, an email, a social-channel chat, or a paper order form. Visa, Mastercard, and the other US networks treat it as card-not-present (CNP) — higher interchange and full chargeback liability sit with you.

What's the difference between MOTO and card-present payments?

Card-present means you've got the card and the cardholder in front of you — chip, contactless, or swipe. MOTO means neither the card nor the cardholder is with you; the customer shares their details remotely. CNP interchange in the US runs roughly 0.10–0.30% above card-present because issuers see it as higher-risk, and chargeback liability sits with you rather than the issuing bank. The numbers vary by card brand and merchant category, but the direction is always up.

What's the difference between MOTO and IVR payments?

IVR is one flavor of MOTO. A MOTO payment is any card-not-present transaction taken over a phone or written channel. An IVR payment is specifically a MOTO payment taken by an automated voice system with no agent on the call. If you want the agent to stay on and walk the customer through, that's agent-assisted MOTO with DTMF masking. If you want it fully automated, that's IVR. Both are MOTO, both go through the same card networks, and both need the same PCI thinking.

Is recording a MOTO call legal under TCPA and state wiretap laws?

Recording the call itself is generally fine if you have one-party or all-party consent depending on the state — California, Florida, and a handful of others require all-party consent. The bigger problem is what's in the recording. If your recording captures the customer reading out 16 digits, that recording is now in PCI scope and a target for breach. With Paytia, the customer keys the card on their own keypad, the tones are masked in real time, and the recording stays clean — no card data, nothing to redact later.

How do I take MOTO payments securely?

The risky way: your agent hears the card number aloud, writes it on a form, or your call recording captures it. Any of those puts you in full PCI DSS SAQ D scope — 329 controls, annual audits, trained staff, secure rooms. The safer way is to route the card capture through a PCI-certified provider. With Paytia, the customer types the card on their own phone keypad, we mask the tones so the agent hears nothing, and we send the card straight to your processor. Your scope drops to SAQ A (22 controls) and nothing sensitive lands in your systems.

Can MOTO payments be recurring?

Yes, and they often are. We tokenize the card on the first transaction and use the token for every subsequent charge — subscription boxes, payment plans, installment programs, monthly catalog renewals. The customer reads or keys their details once. Every charge after that runs off a token that lives in our PCI environment, not yours. You bill every month without storing a single card number.

Do I need a special merchant account for MOTO?

You need a merchant account set up for card-not-present transactions. Most US processors — Stripe, Chase Payment Solutions, Braintree, Authorize.Net, Adyen, Worldpay (US) — offer MOTO as either an add-on to a standard CNP MID or a separate MID. Pricing is usually a per-transaction uplift over card-present rates. We plug into any of them: you keep your existing processor, we handle the capture and tokenization layer on top.

Ready to take MOTO payments without the PCI headache?

We'll walk you through how MOTO payments work on your existing phone system and US processor. Most customers are live within a week — your agents don't need training because there's nothing for them to learn.

PCI DSS Level 1
TCPA & HIPAA Aligned
Book a demoContact us

Trusted by US law firms, insurers, healthcare organizations and regulated businesses that can't afford to get compliance wrong. Learn more about Paytia