PCI-Compliant Payments for Contact Centres

By Shuttle Team, February 18, 2026

The Contact Centre Payment Problem

Contact centres handle millions of payment transactions daily. Insurance premiums. Utility bills. Debt collections. Subscription renewals. Travel bookings. Order payments.

Every one of these transactions creates a PCI compliance problem.

The moment a customer reads a card number to an agent, that data has entered your environment. It's in the audio stream. It may be in a call recording. It's been heard by a human. And depending on your infrastructure, it may have passed through systems that aren't PCI certified.

Most contact centres deal with this in one of three ways:

  1. Accept the risk. Agents take card details verbally, processes are "tightened," and the business hopes nothing goes wrong. This is still common. It's also a breach waiting to happen.

  2. Avoid phone payments entirely. Agents direct customers to a website or send a payment link after the call. This works but breaks the conversation, increases drop-off, and frustrates customers who called specifically to pay.

  3. Deploy a secure payment capture solution. Card data is captured within a PCI-compliant environment during the call — the agent never hears, sees, or accesses it.

Option 3 is the only one that scales.

What PCI Compliance Actually Requires

PCI DSS (Payment Card Industry Data Security Standard) applies to every organisation that stores, processes, or transmits cardholder data. If your contact centre handles card payments in any form, you're in scope.

The Scope Problem

Traditional contact centre payment flows put almost everything in PCI scope:

  • Telephony systems — because card data passes through them

  • Call recording platforms — because recordings contain card numbers

  • Agent workstations — because agents see or hear card data

  • Network infrastructure — because card data traverses it

  • CRM systems — if agents type card details into them

This is PCI SAQ-D territory — the most demanding self-assessment questionnaire, with 300+ requirements covering network segmentation, encryption, access controls, monitoring, vulnerability management, and more.

The annual cost of maintaining PCI DSS Level 1 compliance for this kind of environment runs into millions.

The De-Scoping Approach

The alternative is to remove card data from your environment entirely. If card data never touches your telephony, recordings, agents, or network, your PCI scope drops to SAQ-A — the lightest level.

This means:

  • Card data is captured within an external PCI-certified environment

  • DTMF tones are stripped from the audio stream before reaching your systems

  • Agents stay on the call but cannot hear keypad tones

  • Recordings contain no card data

  • Your CRM receives only a transaction result (approved/declined) and a token — not card numbers

The payment provider carries the PCI burden. You don't.

Three Approaches to Secure Contact Centre Payments

1. Pause-and-Resume

The agent pauses call recording, asks the customer for card details, processes the payment, and resumes recording.

How it works: The agent manually (or via a button) pauses the recording system, takes card details verbally, enters them into a payment terminal or software, and then resumes recording.

The problem: This reduces recording exposure but doesn't solve the fundamental issue. The agent still hears the card number. The telephony system still carries the data. The agent's workstation is still in scope. And "pausing" recording depends on human compliance — agents forgetting to pause, pausing late, or resuming early all create gaps.

PCI impact: Still SAQ-D. Most of your environment remains in scope.

Verdict: A compliance band-aid, not a solution. QA and audit teams increasingly reject this approach.

2. DTMF Capture with Tone Suppression

The customer enters card details via keypad. DTMF tones are captured within a PCI-certified environment and suppressed from the audio stream — the agent hears silence or masking tones while the customer types.

How it works: When payment capture begins, the call's audio is routed through a PCI-compliant payment layer. The customer's keypad tones are intercepted and processed within this environment. The agent remains on the call, can talk to the customer, but cannot hear the tones. Only a masked confirmation (e.g., "I can see the last four digits are 4242") is returned.

The advantage: Card data never enters your environment. The agent stays connected for conversation and reassurance. Recordings are clean. Your PCI scope drops to SAQ-A.

PCI impact: SAQ-A — minimal scope. The PCI burden sits with the payment provider.

Verdict: The most mature and widely adopted approach for agent-assisted contact centre payments. For a comprehensive overview, see What Are Voice Payments? The Complete Guide.
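The de-scoping boundary described above (card data captured in the provider's environment, DTMF suppressed on the agent leg, only a result, the last four digits and a token crossing into the merchant's systems) can be made concrete with a small simulation. The following is an added example written for this page, not Shuttle's code and not any real telephony API: it models the carrier-to-agent audio leg as a sequence of frames, puts a payment layer in that path, and shows that keypad digits pressed during capture never reach the agent stream (and so never reach the recorder), while digits pressed outside capture, such as an IVR menu choice, pass through. The frame format, the token scheme and the gateway stub are assumptions made for the simulation.

```python
"""Simulated DTMF capture boundary for agent-assisted phone payments.

Added illustration, not Shuttle's code. The carrier-to-agent audio leg is a
sequence of frames; a PCI-side payment layer sits in that path and, while
capture is active, consumes keypad digits so the agent-facing stream (and
therefore the call recording) never carries them. The frame format, the
token scheme and the gateway stub are assumptions made for this simulation.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Frame:
    kind: str      # "speech", "dtmf" or "masked"
    payload: str   # transcript text, a single keypad key, or "*" when masked


@dataclass
class CaptureResult:
    status: str    # "approved", "declined" or "invalid"
    last4: str     # permitted for display to the agent and the CRM
    token: str     # opaque reference; empty when no PAN was stored


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; rejects anything shorter than 12 digits."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def stub_gateway(pan: str) -> str:
    """Constructed stand-in for a payment gateway: declines one fixed test PAN."""
    return "declined" if pan.endswith("0002") else "approved"


class PaymentLayer:
    """PCI-side component. Only agent_stream and results cross into the merchant's environment."""

    def __init__(self, gateway=stub_gateway):
        self._gateway = gateway
        self._vault: dict[str, str] = {}     # token -> PAN, never leaves this class
        self._digits: list[str] = []
        self.capturing = False
        self.agent_stream: list[Frame] = []  # what the agent hears and the recorder stores
        self.results: list[CaptureResult] = []

    def start_capture(self) -> None:
        """Agent (human or AI) signals that the customer is about to key a card number."""
        self.capturing = True
        self._digits = []

    def ingest(self, frame: Frame) -> None:
        """Process one frame arriving from the carrier leg."""
        if frame.kind == "dtmf" and self.capturing:
            if frame.payload == "#":
                self._finish()
            elif frame.payload.isdigit():
                self._digits.append(frame.payload)
            # The agent hears a masking tone regardless of which key was pressed.
            self.agent_stream.append(Frame("masked", "*"))
            return
        # Speech always passes; DTMF passes only outside capture (e.g. IVR menu choices).
        self.agent_stream.append(frame)

    def _finish(self) -> None:
        pan = "".join(self._digits)
        self._digits = []
        self.capturing = False
        last4 = pan[-4:] if len(pan) >= 4 else ""
        if not luhn_valid(pan):
            self.results.append(CaptureResult("invalid", last4, ""))
            return
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        self.results.append(CaptureResult(self._gateway(pan), last4, token))

    def pan_for_token(self, token: str) -> str:
        """Lookup that exists only on the provider side of the boundary."""
        return self._vault[token]


def dtmf_digits_reaching_agent(stream: list[Frame]) -> str:
    """Keypad digits the agent actually heard; must contain none keyed during capture."""
    return "".join(f.payload for f in stream if f.kind == "dtmf")


def simulate_payment_call(pan: str, ivr_choice: str = "1") -> tuple[CaptureResult, list[Frame]]:
    """Constructed call: an IVR menu choice before capture, then a keyed card number."""
    layer = PaymentLayer()
    layer.ingest(Frame("dtmf", ivr_choice))  # menu choice, passes through to the agent leg
    layer.ingest(Frame("speech", "Please enter your card number, then press hash."))
    layer.start_capture()
    for key in pan + "#":
        layer.ingest(Frame("dtmf", key))
    layer.ingest(Frame("speech", "Thank you, one moment."))
    return layer.results[0], layer.agent_stream


if __name__ == "__main__":
    result, stream = simulate_payment_call("4242424242424242")
    print(result)  # status, last four and token only
    print("digits heard by agent:", dtmf_digits_reaching_agent(stream))
```

The check that matters for scope is the one on agent_stream: if a digit keyed during capture ever appears there, the recording platform, the agent workstation and the telephony path are all back in SAQ-D territory. In a real deployment the equivalent test is to record a test call end-to-end and confirm the recording contains masking tones, not DTMF.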

3. AI Agent Payment Capture

An AI voice agent handles the conversation and triggers payment capture autonomously — via DTMF, speech-to-text within a PCI boundary, or an SMS payment link.

How it works: The AI agent determines when a payment should be captured, triggers the payment layer, and the customer enters card details via keypad or receives a payment link. The AI model never processes card data. The payment layer handles capture, tokenisation, and gateway routing.

The advantage: Fully automated. No human involvement. Scales without adding agents. Works for inbound payments (renewals, bills) and outbound (collections, sales).

PCI impact: Same as DTMF — SAQ-A if the architecture is right.

Verdict: The emerging approach for AI-first contact centres. In production today with providers processing payments across regulated industries. See How AI Agents Process Payments and AI Voice Agents and Payments: The PolyAI Deep Dive for detailed architecture guides.

What to Evaluate in a Contact Centre Payment Solution

PCI Certification

Is the provider PCI DSS Level 1 certified as a Service Provider? This is the highest level — required for providers handling large transaction volumes. Don't accept Level 2 or self-assessed certifications for production deployments.

DTMF Suppression Quality

Does tone suppression happen at the telephony layer (reliable) or in software post-processing (less reliable)? Can agents hear any residual tones? What happens during the suppression window — silence, masking tones, or music?

Gateway Support

How many payment gateways does the solution support? This matters if:

  • You serve clients with different PSP relationships

  • You operate across regions with different acquirers

  • Your enterprise clients mandate specific gateways

  • You need failover routing between processors

A single-gateway solution works until it doesn't. Multi-PSP support through a single integration prevents gateway lock-in.

Channel Coverage

Does the solution support:

  • IVR (automated payments without an agent)?

  • Agent-assisted (DTMF with the agent on the line)?

  • AI agents (autonomous payment capture)?

  • SMS payment links (fallback when phone capture isn't practical)?

Your needs will evolve. A solution that handles one channel today should support others without re-integration.

Carrier Compatibility

Does the solution require a specific telephony provider? Does it work with your existing carrier via SIP? Carrier lock-in creates the same dependency problem as gateway lock-in.

Agent Experience

What does the agent see during payment capture? A good solution provides:

  • Real-time status (waiting for input, validating, processing)

  • Masked confirmation (last four digits)

  • Transaction result (approved/declined)

  • Ability to send an SMS payment link if DTMF fails

Reporting and Reconciliation

Can you track payment activity, apply refunds, and reconcile transactions from a single dashboard? Can merchants (if you're a platform) self-serve reporting through a white-label portal?

Common Objections

"Our current process works fine." It works until an audit, a breach, or a client security review exposes the gap. PCI non-compliance carries fines of $5,000-$100,000 per month, liability for breach costs, and potential loss of the ability to process card payments.

"Customers won't use the keypad." Completion rates for DTMF-based voice payments consistently exceed 70%. Customers are familiar with keypad entry from phone banking. For those who prefer not to use the keypad, SMS payment links offer a visual alternative without ending the call.

"Adding another system increases complexity." A secure payment layer replaces complexity. Without it, you're managing PCI compliance across your entire telephony and recording stack. With it, you manage a single integration and the PCI burden sits with the provider.

"We'll handle it when we scale." PCI compliance isn't a scale problem — it's binary. You either handle card data securely or you don't. The risk exists from the first transaction.

FAQ

What is PCI DSS and does it apply to contact centres? PCI DSS is the Payment Card Industry Data Security Standard. It applies to any organisation that stores, processes, or transmits cardholder data. If your contact centre takes card payments over the phone, you're in scope.

What's the difference between SAQ-A and SAQ-D? SAQ-A is a short self-assessment (around 20 requirements) for businesses that fully outsource card data handling. SAQ-D is the full assessment (300+ requirements) for businesses that process card data in their own environment. Using a secure payment capture solution can move you from SAQ-D to SAQ-A.

Can agents still talk to customers during payment capture? Yes. With DTMF suppression, the voice channel stays open. The agent can guide the customer ("please enter your 16-digit card number now") without hearing the keypad tones. The conversation continues naturally.

How long does implementation take? Pre-built connectors can be live within hours to days. Custom telephony integrations (via SIP) typically take one to two weeks with a single developer.

What if a customer doesn't have a phone with a keypad? Send an SMS payment link during the call. The customer completes payment on their device — supporting cards, digital wallets (Apple Pay, Google Pay), and bank transfers — while the conversation continues.

Need secure payments in your contact centre? Shuttle Voice Checkout connects your voice flows to 16+ payment gateways with PCI DSS Level 1 compliance. DTMF suppression, SMS payment links, and AI agent support — live in days.

