If your business takes payments over the phone, you have two practical options: capture card details during the call using DTMF tones, or send the customer a payment link they complete on their own device. Both approaches can be made PCI compliant. Both have trade-offs.
This guide explains how DTMF payment processing works, what DTMF suppression and clamping do, and how payment links compare on security, conversion, and customer experience.
What Is DTMF? The Meaning Behind the Tones
DTMF stands for dual-tone multi-frequency. It is the signalling system used by touch-tone telephones. When you press a key on a phone keypad, the device generates two simultaneous audio tones — one from a low-frequency group and one from a high-frequency group. The combination of these two tones uniquely identifies which key was pressed.
For example, pressing "5" generates a 770 Hz tone and a 1336 Hz tone simultaneously. Telephone switches and IVR systems decode these tone pairs to determine input. DTMF replaced rotary pulse dialling in the 1960s and remains the standard way callers interact with automated phone systems.
In the context of payments, DTMF is used to let callers enter card numbers, expiry dates, and CVVs using their phone keypad instead of reading them aloud to an agent. This is the foundation of secure phone payment processing.
How DTMF Payment Processing Works
A DTMF payment flow keeps the agent and the customer on the same call while routing card data through a PCI-compliant environment. Here is what happens step by step:
The agent reaches the payment stage of the call and initiates a secure payment session through their desktop application or CRM integration.
The payment system intercepts the audio stream between the caller and the telephony platform. DTMF tones from the caller's keypad are captured by the payment environment before they reach the agent or any recording system.
The caller enters their 16-digit card number, expiry date, and CVV using the phone keypad. The agent stays on the line and can guide the customer but cannot hear or see the card details.
The payment system validates the card data in real time, processes the transaction through the PSP (payment service provider), and returns a success or failure result to the agent's screen.
The agent confirms the payment with the customer and the call continues. The entire process typically takes 30 to 60 seconds.
The critical point: card data never enters the contact centre environment. It is captured, processed, and discarded within the PCI-compliant payment layer. This de-scopes the contact centre from PCI DSS — the telephony infrastructure, call recordings, and agent workstations are all out of scope because they never handle cardholder data.
DTMF Suppression and Clamping Explained
Simply capturing DTMF tones is not enough to make a phone payment secure. The tones themselves carry sensitive information — anyone with access to the audio stream could decode the key presses and reconstruct the card number. This is where DTMF suppression and clamping come in.
What Is DTMF Suppression?
DTMF suppression removes the dual-tone signals from the audio stream before they reach the agent, call recordings, or any downstream system. The payment system intercepts the tone, reads the digit, and replaces it with silence or a flat masking tone. The agent cannot determine which key was pressed.
Suppression ensures that even if calls are recorded, the recordings contain no usable card data. This is a hard requirement for PCI DSS compliance when processing payments over voice channels.
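An added example, not part of the original article or any vendor's code: a check that scans recorded audio for tone pairs that are still decodable, using the standard DTMF frequency grid and the Goertzel algorithm. The 8 kHz sample rate, 20 ms block size, 0.25 threshold, 1000 Hz masking tone and the digit string "5507" are constructed assumptions.

```python
import math
RATE = 8000                       # assumed narrowband telephony sample rate (Hz)
LOW = (697, 770, 852, 941)        # standard DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)   # standard DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def tone(freqs, ms=80, amp=0.4):
    """Constructed test audio: sum of sine waves as floats."""
    n = RATE * ms // 1000
    return [amp * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]

def goertzel_power(block, freq):
    """Squared magnitude of the block's spectrum at one frequency."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(block, min_share=0.25):
    """Return the key if one row tone and one column tone dominate the block."""
    energy = sum(x * x for x in block)
    if energy == 0:
        return None                               # digital silence
    # Share of block energy at freq; about 0.5 per tone for a clean DTMF pair.
    share = lambda f: 2 * goertzel_power(block, f) / (len(block) * energy)
    lo, hi = max(LOW, key=share), max(HIGH, key=share)
    if min(share(lo), share(hi)) < min_share:
        return None                               # speech, masking tone, noise
    return KEYS[LOW.index(lo)][HIGH.index(hi)]

def residual_dtmf(samples, block_ms=20):
    """Scan a recording and return every key press that is still decodable."""
    n, found, prev = RATE * block_ms // 1000, [], None
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n])
        if key and key != prev:
            found.append(key)
        prev = key
    return "".join(found)

GAP = [0.0] * (RATE * 40 // 1000)                 # 40 ms pause between presses
def keyed(digits):                                # unsuppressed keypad entry
    rows = {k: r for r, ks in enumerate(KEYS) for k in ks}
    return [s for d in digits
            for s in tone((LOW[rows[d]], HIGH[KEYS[rows[d]].index(d)])) + GAP]

def masked(digits, mask_hz=1000):                 # flat masking tone per press
    return [s for _ in digits for s in tone((mask_hz,)) + GAP]
```

Run over the payment segment of a recording, an empty result is the expected outcome. Any returned digits mean tones reached the recorder before the payment layer intercepted them.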
What Is DTMF Clamping?
DTMF clamping is a related but distinct technique. Rather than removing tones after the fact, clamping prevents them from entering the general audio path at all. The payment system takes control of the audio routing so DTMF signals go exclusively to the secure payment environment.
In practice, suppression and clamping are often used together. Clamping prevents tones from entering the general audio stream, and suppression acts as a second layer to catch any residual tone data.
DTMF Masking: The Complete Picture
DTMF masking is the broader term encompassing suppression, clamping, and additional measures that prevent card data from being exposed:
Tone replacement — DTMF tones are replaced with a uniform flat tone or beep so the agent knows a key was pressed without knowing which one.
Screen masking — the agent's desktop shows asterisks or dots as the caller enters digits, confirming input was received without revealing the card number.
Recording pause or redaction — call recordings are automatically paused during card entry or the relevant segment is redacted post-call. Combined with tone suppression, this ensures no card data exists in any stored media.
PCI DSS Requirement 3.4 mandates that stored cardholder data must be rendered unreadable. DTMF masking applied to the audio stream, recordings, and agent screens is how contact centres meet this requirement without taking phone payments offline.
What Are Payment Links?
A payment link is a URL that takes the customer to a hosted, PCI-compliant checkout page. The agent generates a link during or after the call and sends it to the customer via SMS, email, or messaging. The customer opens the link on their phone or computer, enters their card details on a secure form, and completes the payment independently.
Payment links bypass the phone channel entirely. Card data is entered into a web form served from a PCI-certified environment — the contact centre never touches it. This makes payment links inherently PCI compliant from the contact centre's perspective, with no need for DTMF infrastructure.
DTMF Payments vs Payment Links: Security Comparison
Both DTMF payments and payment links can achieve full PCI DSS compliance when implemented correctly. The security differences lie in the attack surface, the infrastructure required, and where the risk sits.
DTMF payment security:
Card data travels through the telephony layer but is intercepted before reaching the agent or recordings. Security depends on the quality of DTMF suppression and clamping.
The payment environment must be PCI DSS Level 1 certified and the integration with the telephony platform must be correctly configured.
Potential vulnerabilities include incomplete tone suppression, misconfigured audio routing, and legacy telephony systems that pass tones before the payment layer intercepts them.
When implemented well, DTMF is highly secure — the card data exists only momentarily in the certified payment environment and is never stored.
Payment link security:
Card data never enters the voice channel. The customer enters details on a TLS-encrypted web form hosted by the payment provider.
The contact centre is completely de-scoped — there is no telephony integration to misconfigure.
Potential vulnerabilities include phishing (customers receiving fraudulent links), link interception if sent over unencrypted channels, and link expiry management.
Payment links use the same security standards as e-commerce checkout — well-understood and widely audited.
The bottom line: payment links have a smaller attack surface because card data stays in the web channel. DTMF payments add telephony as an extra layer to secure. However, DTMF with proper suppression and clamping is considered equally secure in practice and is the industry standard for PCI-compliant phone payments.
Pros and Cons of Each Approach
DTMF payment advantages:
Payment is completed during the call — no drop-off from sending the customer elsewhere.
Higher conversion rates for phone-first customers, especially in collections and insurance where the call is the primary interaction.
Works for all callers regardless of device type or internet access — the customer only needs a phone keypad.
Agent can guide the customer through each step in real time and confirm the result immediately.
DTMF payment disadvantages:
Requires telephony integration — the payment system must sit in the audio path, which adds implementation complexity.
Some customers find entering 16+ digits on a keypad awkward, especially on mobile devices.
Miskeyed digits require re-entry, which can extend call duration.
Ongoing maintenance of DTMF suppression and clamping configurations as telephony infrastructure changes.
Payment link advantages:
Simpler to implement — no telephony integration required. Generate a URL and send it.
Supports saved cards, digital wallets (Apple Pay, Google Pay), and other modern payment methods that DTMF cannot.
Works across channels — the same link can be sent via SMS, email, WhatsApp, or in-app messaging.
Completely de-scopes the contact centre from PCI with zero telephony configuration.
Payment link disadvantages:
Breaks the call flow — the customer must switch to another device or channel to complete payment, which increases abandonment.
Requires the customer to have a smartphone or internet access. Not all demographics have this, particularly in collections and public sector scenarios.
Payment may not be completed during the call — the agent cannot always confirm the outcome in real time.
Customers may be suspicious of links received during calls, reducing trust and completion rates.
When to Use DTMF Payments
DTMF payments are the right choice when the payment must happen during the phone call and breaking out to another channel would hurt completion rates or customer experience. Common scenarios include:
Debt collection calls — the debtor is on the line and ready to pay. Sending a link and hoping they complete it later significantly reduces recovery rates.
Insurance premium collections — customers calling to renew or settle balances expect to complete the transaction in one interaction.
IVR self-service payments — automated phone systems where the caller navigates menus and enters card details without speaking to an agent at all. DTMF is the only input method available.
High-volume call centres — where average handle time (AHT) matters and completing payment during the call avoids follow-up contacts.
Callers without internet access — elderly customers, rural areas, or any situation where the caller cannot easily access a web browser.
When to Use Payment Links
Payment links work best when the payment does not need to happen in real time during the call, or when you want to offer a richer checkout experience. Common scenarios include:
Post-call payments — the agent sends a quote, invoice, or payment request after the call and the customer pays at their convenience.
Multi-channel collections — sending payment links via SMS or email as part of an outreach sequence. The link can be sent proactively before the customer even calls.
Complex transactions — where the customer needs to review an itemised total, select payment options (instalments, partial payment), or use a digital wallet.
Chat and messaging channels — agents communicating via live chat, WhatsApp, or social messaging can embed a payment link directly in the conversation.
Businesses without telephony infrastructure — if you do not have a cloud-based telephony platform that supports DTMF integration, payment links are the faster path to secure phone payments.
The Hybrid Approach: DTMF and Payment Links Together
The strongest payment operations do not choose one method over the other — they offer both. A hybrid approach gives agents the flexibility to match the payment method to the situation:
Customer is on the phone and ready to pay right now? Use DTMF to capture the card during the call.
Customer prefers to pay later or wants to use Apple Pay? Send a payment link via SMS.
Customer is struggling with the keypad or keeps miskeying digits? Switch to a payment link mid-call.
IVR self-service system encounters an error? Fall back to a payment link sent to the caller's mobile number.
This is exactly the model Shuttle supports. As a payment layer for platforms, Shuttle provides both Voice Checkout (DTMF payments via Twilio) and Payment Links through a single integration. Platforms and contact centres get PCI DSS Level 1 compliance across both channels without building or maintaining the payment infrastructure themselves.
The payment method becomes a routing decision, not an architecture decision. One integration, two channels, full PCI compliance.
Frequently Asked Questions
What does DTMF stand for?
DTMF stands for dual-tone multi-frequency — the technical name for touch-tone telephone signals. Each key press produces two simultaneous tones that telephone systems decode to identify the digit. It has been the standard for phone input since the 1960s.
Is DTMF payment processing PCI compliant?
Yes, when implemented with proper DTMF suppression, clamping, and masking. The payment system must be PCI DSS Level 1 certified, and the integration must ensure that DTMF tones carrying card data never reach the agent, call recordings, or any non-certified system. Many leading contact centre payment providers, including Shuttle, are certified to this standard.
What is the difference between DTMF suppression and DTMF clamping?
DTMF suppression removes tones from the audio after generation. DTMF clamping prevents tones from entering the general audio path at all. Both are typically used together for maximum security.
Are payment links more secure than DTMF?
Payment links have a smaller attack surface because card data never enters the voice channel. However, properly implemented DTMF with suppression and clamping is equally secure and is the industry standard for phone payments. The choice is usually driven by customer experience rather than security.
Can I use both DTMF and payment links in the same contact centre?
Yes. A hybrid approach is increasingly common for organisations handling a mix of inbound and outbound calls. Shuttle provides both DTMF-based Voice Checkout and Payment Links through a single integration.