3CX is an open-platform software PBX used by tens of thousands of businesses worldwide. It runs voice calls, live chat, WhatsApp, SMS, and video from a single system, and it deploys either self-hosted or in the cloud. Most 3CX environments are built and managed by IT resellers and MSPs, who configure the system and keep it running for their end customers across industries from professional services to field service, retail, and healthcare.
What 3CX does not do is process payments. The platform's Call Flow Designer (CFD) includes a Credit Card Component, but that component is a DTMF digit collector: it gathers the numbers a caller keys into their phone and hands them to whatever external API you wire up. The responsibility for securing those digits, meeting PCI DSS requirements, and keeping them out of call recordings and the call-flow log is entirely yours. 3CX holds no PCI DSS certification. Its "PCI Compliance mode" setting enforces TLS 1.2 on connections, which is transport security, not payment security.
This guide is written for two readers. The first is a business running 3CX that wants to take card payments over its phone system or messaging channels. The second is the IT reseller or MSP that deploys and manages 3CX for end customers and needs a clean, low-friction way to add payment capability to client environments. Shuttle is a PCI DSS Level 1 certified payment layer that connects directly to 3CX workflows, handles secure card capture across voice and messaging, and routes to 40+ payment gateways.
The Payment Challenge in 3CX
Taking card payments over the phone creates PCI scope the moment a card number is spoken or entered. Every system that touches, stores, transmits, or could potentially access cardholder data falls into that scope, and passing the audit is expensive and time-consuming.
The CFD Credit Card Component adds a specific risk on top of the general compliance burden. When verbose logging is enabled in 3CX, the call-flow log can capture the DTMF digits a caller keys in, including the card number, expiry, and CVV. Call recordings made during the DTMF entry phase carry a similar risk unless tone suppression is applied. These are not theoretical edge cases: they are documented behaviours that put cardholder data into system logs where it was never meant to be.
The DIY route through the CFD is not a certified payment path. Building a compliant solution yourself means taking on PCI DSS Level 1 certification, which typically costs upwards of $500,000 in initial work and $200,000 or more per year to maintain. For most businesses and the MSPs serving them, that cost and complexity is entirely out of scope for what should be a standard feature of their phone system.
How Shuttle Adds Payment Capture to 3CX
Shuttle integrates with 3CX without replacing any part of the platform. The customer stays on their call or chat, and the card data never enters 3CX at all.
Trigger a payment session. The agent handling the call or chat initiates a Shuttle payment session from within the 3CX interface or a connected browser tab.
Secure capture begins. For voice calls, the customer is prompted to enter their card details on their keypad. Shuttle captures the DTMF tones with suppression applied: the tones are never written to the 3CX call recording or the call-flow log. For chat, WhatsApp, or SMS channels, Shuttle sends the customer a secure hosted payment link.
Card data stays inside Shuttle. The card number, expiry, and CVV are captured directly into Shuttle's PCI DSS Level 1 environment. The data does not pass through 3CX, its servers, its logs, or the agent's screen.
**Routed to your gateway.** Shuttle processes the transaction through whichever of its 40+ supported gateways is configured for that client or business unit.
Agent sees the result. Once the transaction is complete, the agent receives a masked success or failure status. The call or chat continues without interruption.
How It Works
Agent workflow
The agent keeps the customer on the 3CX call throughout. When payment is needed, the agent triggers a Shuttle session, which takes a few seconds. The customer hears a prompt and enters their card details on their phone keypad. The tones are suppressed before they reach the 3CX recording system, and they are not written to the CFD log. The agent sees only the masked card result and confirms the outcome with the customer. For chat and messaging channels, the agent pastes a payment link into the conversation and waits for the confirmation.
Customer experience
The customer never leaves the call, is not transferred to a third-party IVR, and does not need to call a different number. On voice, the process takes roughly the same time as reading a card number aloud, with the added reassurance that no one on the line can capture the digits. On chat, WhatsApp, or SMS, the customer taps a hosted link, completes payment on a branded page, and returns to the conversation. No app install, no account creation.
Multi-PSP Support
Shuttle connects to 40+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, and Square, all through a single integration. For MSPs managing 3CX deployments across multiple client businesses, this is particularly useful: each client can keep their existing gateway relationship, or be set up with a new one, without requiring a separate integration project per client. Per-client routing means the right gateway is used automatically for each business, and one Shuttle integration covers voice DTMF capture and payment link delivery across the board.
PCI Compliance
Shuttle is a PCI DSS Level 1 Service Provider, the highest level of certification available. Card data is captured entirely inside Shuttle's certified environment and never enters 3CX, its infrastructure, its call recordings, or its system logs.
For most businesses, adding Shuttle moves their payment card environment from a complex SAQ-D self-assessment toward SAQ-A scope, a significantly smaller and simpler compliance burden. The contrast with the CFD DIY approach is direct: using the Credit Card Component without a certified intermediary leaves the business responsible for the full scope of wherever those DTMF digits travel, including the call-flow log when verbose logging is active. Shuttle closes that gap by design.
Beyond Voice: Payment Links
3CX supports live chat, WhatsApp, SMS, and Facebook messaging alongside its voice channels. Shuttle's hosted payment links work across all of them. An agent handling a live chat inquiry can send a payment link directly in the chat window. A customer who reached out via WhatsApp can complete payment without switching to a different channel. SMS campaigns or automated message flows can include a payment link as the call to action. The link experience is the same in each case: a branded hosted page, no app required, confirmation back to the conversation.
For IT Resellers and 3CX Partners
3CX is sold and delivered almost entirely through its Channel Partner Programme, which runs from Bronze through to Titanium tiers. Resellers and MSPs are not just the sales channel: they configure the system, integrate it with other business tools, and take ongoing responsibility for the platform on behalf of their clients. Adding a payment layer is a natural extension of that role.
Shuttle is straightforward to add to a 3CX deployment. There is no per-seat pricing, no monthly platform fee, and no setup charge: the cost is $0.20 per transaction, which scopes cleanly into managed-service delivery. Each client keeps or chooses their own payment gateway from 40+ options, and the MSP manages the Shuttle configuration alongside the rest of the 3CX environment. For resellers serving clients across healthcare, professional services, or collections, where payment over the phone is a regular need, this is a differentiator that adds real value to the deployment.
Use Cases
Bill-Pay and Collections
Utility providers, financial services firms, and collections agencies using 3CX can accept card and direct debit payments on inbound or outbound calls without transferring the customer or switching systems.
Order Taking and Card-Not-Present
Businesses that take telephone orders, from food service to retail, can complete the card transaction while the customer is still on the line, with a full PCI-compliant audit trail.
Account Payments
Professional services firms, clinics, and subscription businesses can handle account payments and outstanding balances on the same call used to discuss the account, without routing to a separate payment IVR.
Bookings and Deposits
Hotels, event organisers, and service businesses that take deposits by phone can capture payment at the point of booking, reducing no-shows and follow-up friction.
FAQ
Does 3CX process payments natively?
No. 3CX does not include a payment processing product. The Credit Card Component in the Call Flow Designer collects DTMF digits from the caller's keypad and passes them to an external API of your choice. Securing those digits, routing them to a payment gateway, and meeting PCI DSS requirements are all handled outside 3CX.
Is the 3CX Call Flow Designer Credit Card Component PCI compliant?
Not by itself. The component collects DTMF digits, but when verbose logging is active in 3CX, those digits can be written to the call-flow log. Call recordings during the DTMF entry phase may also capture the tones. This brings significant PCI scope into the 3CX environment and requires careful scoping, logging controls, and an integration with a certified payment provider to resolve. The component is a building block, not a certified payment path.
How do I take PCI-compliant payments in 3CX?
Connect Shuttle to your 3CX environment. Shuttle handles secure DTMF tone suppression, captures card data inside its PCI DSS Level 1 environment, and routes the transaction to your chosen gateway. Card data does not enter 3CX at any point, which reduces your PCI scope substantially.
Which gateways does Shuttle support?
Shuttle connects to 40+ payment gateways, including Stripe, Adyen, Worldpay, Checkout.com, Braintree, and Square. You can keep your existing gateway relationship or set up a new one.
Can Shuttle handle outbound payment collection in 3CX?
Yes. Agents making outbound calls from 3CX can trigger a Shuttle payment session in the same way as on inbound calls. For outbound SMS or WhatsApp campaigns, Shuttle payment links can be included directly in the message.
Related Reading
Contact centre payments: how payment capture works across inbound and outbound contact centre environments
Embedded payments for CCaaS: adding a payment layer to cloud contact centre and communications platforms
DTMF payments: DTMF clamping, masking, and suppression explained, with PCI compliance context
Payment collection for BPOs: multi-client payment routing for outsourced contact centre operations
Payments for CCaaS implementation partners: how SIs and resellers add embedded payment capability to CCaaS deployments
Take Payments in Your 3CX Phone System
Shuttle adds PCI-compliant card capture to 3CX across voice, chat, WhatsApp, and SMS, with no platform fees and routing to 40+ gateways. Businesses and MSPs can be set up without replacing any part of the existing 3CX environment.
See Payment Services | Book a discovery call