All three work with us. One is probably right for you.
Most US businesses need to take a card payment over the phone at some point. A customer can't get to your website. They called to ask a question and decided to buy. You're chasing an overdue invoice. A donor wants to pledge on the spot. A patient needs to pay their copay or deductible. It's routine business — but the moment the card number leaves the customer's mouth and hits your ear, you've changed your compliance position.
PCI DSS treats any place card data touches as in scope. That includes your agent's headset, your telephony, your call recording, your CRM notes, and any paper the agent wrote on. An unprotected phone payment puts you in SAQ D — 329 controls, annual audits, mandatory training, documented evidence for every touchpoint. Most US businesses taking a few phone payments a week shouldn't be running an SAQ D program, and most don't realize they're meant to. If you're a healthcare contact center the recording also drags PHI into the same problem under HIPAA, which doubles the breach exposure.
The fix isn't to stop taking phone payments. It's to stop the card data reaching you. That's what DTMF masking does — it intercepts the keypad tones in real time, so the card never lands in your agent's ear or your recording.
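As an added illustration of the mechanism described above (example code written for this page, not Paytia's own implementation), here is a minimal DTMF masker in Python. It detects keypad tones frame by frame with the Goertzel algorithm, silences those frames in the audio that continues to the agent and the call recording, and forwards the keyed digits to a separate capture path. The 8 kHz sample rate, 20 ms frames, detection thresholds, silence substitution and the constructed sample call (a 300 Hz "voice" tone followed by four keyed digits) are all assumptions made for the example.

```python
import math

SAMPLE_RATE = 8000            # assumption: 8 kHz telephony-grade audio
FRAME = 160                   # assumption: 20 ms analysis frames
LOW_FREQS = (697, 770, 852, 941)          # DTMF low-group frequencies (rows)
HIGH_FREQS = (1209, 1336, 1477, 1633)     # DTMF high-group frequencies (columns)
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[row][col]


def goertzel_power(frame, freq):
    """Energy of `frame` at one frequency, computed with the Goertzel algorithm."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect_digit(frame, threshold=400.0, twist=4.0):
    """Return the DTMF digit present in `frame`, or None.

    A keypress needs one dominant low-group and one dominant high-group tone.
    Each must clear `threshold` and beat the runner-up in its group by `twist`x,
    which rejects speech that happens to carry energy near one DTMF frequency.
    (Threshold and twist values are assumptions tuned for this sample rate.)
    """
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    for group, best in ((low, row), (high, col)):
        runner_up = sorted(group)[-2]
        if group[best] < threshold or group[best] < twist * runner_up:
            return None
    return KEYPAD[row][col]


def mask_stream(samples, min_frames=2):
    """Split customer audio into (audio for agent/recording, captured digits).

    Frames carrying a DTMF tone are replaced with silence on the agent side
    (assumption: a production masker may substitute a flat tone instead), and
    the digit goes to the secure capture path once it has persisted for
    `min_frames` consecutive frames (40 ms here), so each keypress counts once.
    """
    masked, digits = [], []
    run_digit, run_len = None, 0
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            masked.extend(frame)              # ordinary speech passes through untouched
            run_digit, run_len = None, 0
            continue
        masked.extend([0.0] * len(frame))     # the tone never reaches the agent
        run_len = run_len + 1 if digit == run_digit else 1
        run_digit = digit
        if run_len == min_frames:
            digits.append(digit)
    return masked, "".join(digits)


def _tone(freqs, n_samples, start_index, amplitude=0.5):
    """Sum of sinusoids, phase-continuous with the preceding audio."""
    return [sum(amplitude * math.sin(2 * math.pi * f * (start_index + i) / SAMPLE_RATE)
                for f in freqs) for i in range(n_samples)]


def build_call_audio(keyed_digits):
    """Constructed sample call: 40 ms of a 300 Hz 'voice' tone, then each digit
    keyed for 60 ms followed by a 40 ms gap. Constructed input, not real audio."""
    samples = _tone((300,), 2 * FRAME, 0)
    for d in keyed_digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        samples += _tone((LOW_FREQS[row], HIGH_FREQS[col]), 3 * FRAME, len(samples))
        samples += [0.0] * (2 * FRAME)
    return samples


if __name__ == "__main__":
    audio = build_call_audio("2553")
    agent_audio, captured = mask_stream(audio)
    silenced = sum(1 for s in range(0, len(audio), FRAME)
                   if audio[s:s + FRAME] != agent_audio[s:s + FRAME])
    print("digits on the secure capture path:", captured)
    print("frames silenced for agent and recording:", silenced)
```

The point to notice is the split in data flow: `mask_stream` returns two things, and only the first (the silenced audio) should ever reach the agent's headset, the recording platform or the CRM. The digits travel on the second path straight to the payment processor, which is what keeps those systems out of PCI DSS scope.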
Pick the one that fits the call. All three drop you to SAQ A.
Your agent stays on the call. The customer keys their card on their own phone. We mask the tones so the agent hears nothing identifiable. Good for sales calls, collections, and anywhere the conversation needs to carry on.
Read about DTMF masking →
Fully automated. The customer calls a number, hears recorded prompts, and keys their card. No agent needed. Good for utility bills, subscriptions, and recurring routine payments — anywhere the customer just wants to pay and go.
Read about IVR payments →
You dial the customer — renewals, collections, chase — and take the payment on the same call. Same masking, same scope reduction, the other direction of call initiation. TCPA-aware on consent and opt-out.
Read about outbound payments →
The obvious way — customer reads the card number, agent types it into a payment terminal or CRM field — puts you in full PCI DSS scope. That's not a theoretical compliance issue. It means every call recording with a card number in it becomes a protected asset. It means the agent's desktop is in scope, so is the network it sits on, so is the building, so is every screen someone could glance at. It means your annual SAQ is 329 questions, not 22. And in California, New York, Massachusetts, and most other states, a breach of that recording becomes a notification event with regulators and the customer base.
It also means the customer is reading a 16-digit card number, a 3-digit CVV, and an expiration date out loud — usually in an open-plan office, a coffee shop, a car, their living room with the kids around. That's uncomfortable for them and bad for your conversion rate. The most polite customers go quiet and ask to call back later; the less polite ones say no thank you and end the call.
Every workaround we've seen US contact centers build — pause-and-resume recording, post-call redaction, "secure" rooms, headset muting — solves one piece and leaves the others. It's cheaper, faster, and safer to not take the card data in the first place.
Same call, same customer, same payment. Different compliance position.
| Area | Card data reaches you | Card data bypasses you |
|---|---|---|
| PCI SAQ | SAQ D — 329 controls | SAQ A — 22 controls |
| Call recording | In scope, redact every call | Card-data free, no changes |
| Agent workstation | Hardened desktop, locked build | Standard company laptop |
| Staff training | Annual mandatory PCI training | None required |
| Paper forms | Locked, tracked, shredded | Not needed |
| Annual audit | QSA-led, multi-day | Integration evidence only |
| State breach notification surface | Every recording is a risk | Nothing sensitive to lose |
If you take phone payments more than occasionally in the US, you're probably on this list.
Phone orders alongside your website. Customer couldn't check out online, called the number, wants to pay. Sorted in a minute, in US dollars.
Wholesale orders, deposits, pro-formas paid by phone. The sales team closes the call and the payment in the same conversation.
Legal, accounting, consulting — invoices paid by phone after a service call. No more reading card numbers back to verify.
Copays, deductibles, treatment-plan installments. Agent-assisted keeps the human in the loop, and HIPAA exposure on the recording stays low.
High-volume routine bill payments. IVR handles the simple ones; agent-assisted handles the calls that need a person.
Donor pledges, recurring gifts, membership renewals. Donors don't read their card to a volunteer on a landline.
Yes. It's legal, it's common, and most US businesses need to do it at some point. The card schemes call it MOTO (Mail Order / Telephone Order) and your processor — Stripe, Chase Payment Solutions, Braintree, Authorize.Net, Adyen, Worldpay — can enable it on your merchant account, usually as a separate MID or as a flag on an existing one. What's changed in recent years is how you can do it without landing in full PCI DSS scope. The short answer: don't let the card number reach your agents, your recording, or your systems in the first place.
Yes. If your call recording captures a customer reading their card number out loud, that recording is now in PCI scope. You have to treat it the same as any other place card data lives — encrypted, access-controlled, retention-limited, evidence-logged. Redacting recordings after the fact isn't straightforward and isn't always accepted by auditors. The cleaner answer is to stop card data reaching the recording in the first place, which is what DTMF masking does. It also keeps TCPA and state-level call-recording reviews simple, because there's nothing sensitive to redact.
An agent-assisted phone payment keeps a human on the call while the customer keys their card. Useful when the call needs a conversation — sales, collections, support, complex orders. An IVR payment is fully automated: the customer calls a number, a recorded voice walks them through, no agent involved. Useful for high-volume routine payments where the customer just wants to pay a bill and move on. Most US businesses end up using both: IVR for simple recurring payments, agent-assisted for anything that needs a person.
If your call recordings capture both PHI and card numbers, you're defending breach exposure under HIPAA and PCI DSS at the same time. Pulling card data out of the recording — DTMF masking handles this — keeps payment audio out of any system that touches PHI. That doesn't make HIPAA go away, but it stops a single recording archive being a breach surface for both regimes. For healthcare clients, that's usually the whole reason they pick up the phone with us.
Two costs. First is your processor's transaction fee — MOTO interchange runs roughly 0.1–0.3% higher than card-present because card-not-present fraud risk is higher. Your processor sets that, not us. Second is the technology to keep you compliant — that's our piece. We charge per transaction or per seat depending on volume. Both together are almost always cheaper than running your own PCI DSS SAQ D compliance program, which is where you land if you take the card number directly.
Card-not-present transactions carry full chargeback liability on you — there's no signature or PIN to show the issuer the customer authorized it. Dispute rates tend to be higher on phone payments than in-person. You can mitigate with 3DS2 where the customer authenticates via their banking app, fraud screening, and clear call scripts that confirm the amount and reference. Our platform layers these in so you're not flying blind on chargebacks.
No. Our platform works with traditional PBX, SIP trunks, and the cloud platforms US contact centers actually run on — Genesys, Five9, Amazon Connect, NICE CXone, Talkdesk, RingCentral, 8x8, plus plain office handsets. We integrate at the API or SIP layer. Most deployments go live within a week — the telephony side barely changes, because we drop into what you already have.
Tell us what your calls look like and we'll show you the simplest way to take the payment without card data reaching you. Most US customers go live within a week on the phone system they already own.
Trusted by US law firms, insurers, healthcare organizations and regulated businesses that can't afford to get compliance wrong. Learn more about Paytia