If you're running a contact centre — for an insurance brokerage, a debt-recovery agency, a utility, a healthcare revenue-cycle team, a hotel chain, or a multi-tenant BPO — you've already met the payment gap. Customers want to pay on the call. Most contact centre platforms don't have a native, PCI-compliant way to capture their card.
Agents reading numbers into recordings drag your environment into PCI scope. Single-PSP partnerships lock you to one acquirer and break when you expand to a new geography. External pay-by-link tools fragment the customer experience and tank conversion. The right answer depends on your platform, your volume, and whether you're a merchant taking the calls or a solution provider implementing contact centres for clients.
This guide is for merchants taking payments through their contact centre, and for solution providers and system integrators deploying CCaaS platforms — Talkdesk, Genesys, Five9, NICE CXone, RingCentral, Amazon Connect, Avaya, Cisco, Vonage, 8x8, Dialpad, Aircall, Zendesk, Intercom — for their clients. It covers what PCI compliance actually requires, the three architectural approaches to secure card capture, what to evaluate in a payment solution, and platform-specific implementation guides for every major CCaaS vendor.
The Contact Centre Payment Problem
Contact centres (call centers) handle millions of payment transactions daily. Insurance premiums. Utility bills. Debt collections. Subscription renewals. Travel bookings. Order payments.
Every one of these transactions creates a PCI compliance problem.
The moment a customer reads a card number to an agent, that data has entered your environment. It's in the audio stream. It may be in a call recording. It's been heard by a human. And depending on your infrastructure, it may have passed through systems that aren't PCI certified.
Most contact centres deal with this in one of three ways:
1. Accept the risk. Agents take card details verbally, processes are "tightened," and the business hopes nothing goes wrong. This is still common. It's also a breach waiting to happen.
2. Avoid phone payments entirely. Agents direct customers to a website or send a payment link after the call. This works but breaks the conversation, increases drop-off, and frustrates customers who called specifically to pay.
3. Deploy a secure payment capture solution. Card data is captured within a PCI-compliant environment during the call — the agent never hears, sees, or accesses it.
Option 3 is the only one that scales.
What PCI Compliance Actually Requires
PCI DSS (Payment Card Industry Data Security Standard) applies to every organisation that stores, processes, or transmits cardholder data. If your contact centre handles card payments in any form, you're in scope.
The Scope Problem
Traditional contact centre payment flows put almost everything in PCI scope:
Telephony systems — because card data passes through them
Call recording platforms — because recordings contain card numbers
Agent workstations — because agents see or hear card data
Network infrastructure — because card data traverses it
CRM systems — if agents type card details into them
This is PCI SAQ-D territory — the most demanding self-assessment questionnaire, with 300+ requirements covering network segmentation, encryption, access controls, monitoring, vulnerability management, and more.
The annual cost of maintaining PCI DSS Level 1 compliance for this kind of environment runs into millions.
The De-Scoping Approach
The alternative is to remove card data from your environment entirely. If card data never touches your telephony, recordings, agents, or network, your PCI scope drops to SAQ-A — the lightest level.
This means:
Card data is captured within an external PCI-certified environment
DTMF tones are stripped from the audio stream before reaching your systems
Agents stay on the call but cannot hear keypad tones
Recordings contain no card data
Your CRM receives only a transaction result (approved/declined) and a token — not card numbers
The payment provider carries the PCI burden. You don't.
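A check you can run on your own side of the boundary to confirm the de-scoping claims above hold: it scans a record (a CRM payload, agent notes, a transcript line) for Luhn-valid 13 to 19 digit sequences. This is an added example, not Shuttle's code; the field names and sample records are constructed assumptions.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates, masked to the last four digits."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            # Never log the full number: the finding itself must stay out of scope.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def audit_record(record: dict) -> dict:
    """Map field name -> masked hits. An empty dict means the record is clean."""
    findings = {}
    for key, value in record.items():
        hits = find_pans(str(value))
        if hits:
            findings[key] = hits
    return findings


# Constructed samples (hypothetical field names; 4242... is a public test number).
CLEAN = {"status": "approved", "token": "tok_example_8f3a", "last4": "4242"}
LEAKY = {"status": "approved", "notes": "cust read card 4242 4242 4242 4242 exp 12/30"}

if __name__ == "__main__":
    print(audit_record(CLEAN))  # expected: no findings
    print(audit_record(LEAKY))  # expected: one masked hit in "notes"
```

Luhn passes roughly one in ten random digit strings, so treat hits on order or reference numbers as leads to review rather than proof of a leak.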
Three Approaches to Secure Contact Centre / Call Center Payments
1. Pause-and-Resume
The agent pauses call recording, asks the customer for card details, processes the payment, and resumes recording.
How it works: The agent manually (or via a button) pauses the recording system, takes card details verbally, enters them into a payment terminal or software, and then resumes recording.
The problem: This reduces recording exposure but doesn't solve the fundamental issue. The agent still hears the card number. The telephony system still carries the data. The agent's workstation is still in scope. And "pausing" recording depends on human compliance — agents forgetting to pause, pausing late, or resuming early all create gaps.
PCI impact: Still SAQ-D. Most of your environment remains in scope.
Verdict: A compliance band-aid, not a solution. QA and audit teams increasingly reject this approach.
2. DTMF Capture with Tone Suppression
The customer enters card details via keypad. DTMF tones are captured within a PCI-certified environment and suppressed from the audio stream — the agent hears silence or masking tones while the customer types.
How it works: When payment capture begins, the call's audio is routed through a PCI-compliant payment layer. The customer's keypad tones are intercepted and processed within this environment. The agent remains on the call and can talk to the customer, but cannot hear the tones. Only a masked confirmation (e.g., "I can see the last four digits are 4242") is returned.
The advantage: Card data never enters your environment. The agent stays connected for conversation and reassurance. Recordings are clean. Your PCI scope drops to SAQ-A.
PCI impact: SAQ-A — minimal scope. The PCI burden sits with the payment provider.
Verdict: The most mature and widely adopted approach for agent-assisted contact centre (call center) payments.
3. AI Agent Payment Capture
An AI voice agent handles the conversation and triggers payment capture autonomously — via DTMF, speech-to-text within a PCI boundary, or an SMS payment link.
How it works: The AI agent determines when a payment should be captured, triggers the payment layer, and the customer enters card details via keypad or receives a payment link. The AI model never processes card data. The payment layer handles capture, tokenisation, and gateway routing.
The advantage: Fully automated. No human involvement. Scales without adding agents. Works for inbound payments (renewals, bills) and outbound (collections, sales).
PCI impact: Same as DTMF — SAQ-A if the architecture is right.
Verdict: The emerging approach for AI-first contact centres and call centers. In production today with providers processing payments across regulated industries.
For a deep dive on the AI agent architecture, see How AI Voice Agents Take PCI-Compliant Payments.
What to Evaluate in a Contact Centre / Call Center Payment Solution
PCI Certification
Is the provider PCI DSS Level 1 certified as a Service Provider? This is the highest level — required for providers handling large transaction volumes. Don't accept Level 2 or self-assessed certifications for production deployments.
DTMF Suppression Quality
Does tone suppression happen at the telephony layer (reliable) or in software post-processing (less reliable)? Can agents hear any residual tones? What happens during the suppression window — silence, masking tones, or music?
Gateway Support
How many payment gateways does the solution support? This matters if:
You serve clients with different PSP relationships
You operate across regions with different acquirers
Your enterprise clients mandate specific gateways
You need failover routing between processors
A single-gateway solution works until it doesn't. Multi-PSP support through a single integration prevents gateway lock-in. For BPOs handling payments across multiple clients, this is especially critical — see Payment Collection for BPOs.
Channel Coverage
Does the solution support:
IVR (automated payments without an agent)?
Agent-assisted (DTMF with the agent on the line)?
AI agents (autonomous payment capture)?
SMS payment links (fallback when phone capture isn't practical)?
Your needs will evolve. A solution that handles one channel today should support others without re-integration.
Carrier Compatibility
Does the solution require a specific telephony provider? Does it work with your existing carrier via SIP? Carrier lock-in creates the same dependency problem as gateway lock-in.
Agent Experience
What does the agent see during payment capture? A good solution provides:
Real-time status (waiting for input, validating, processing)
Masked confirmation (last four digits)
Transaction result (approved/declined)
Ability to send an SMS payment link if DTMF fails
Reporting and Reconciliation
Can you track payment activity, apply refunds, and reconcile transactions from a single dashboard? Can merchants (if you're a platform) self-serve reporting through a white-label portal?
Pricing Model
For Solution Providers and System Integrators
If you're a CCaaS implementation partner — a Talkdesk AppConnect partner, a Genesys AppFoundry developer, a NICE partner, a Cisco Solution Partner, an AWS Partner Network member, or an SI deploying any of the platforms above for clients — Shuttle is the payment layer that plugs in alongside your build. We support white-label deployment, multi-PSP routing across your client portfolio (each client keeps their preferred acquirer), and partner-friendly commercials. Shuttle is Twilio's official payment partner and works with the most common contact-centre patterns across all 14 platforms covered in this guide. For partnership conversations, book a discovery call. For the full implementation-partner delivery model — discovery, design, integration, pilot, go-live — see Payments for CCaaS Implementation Partners.
The BPO and Outsourcer Angle
If you're a BPO, call answering service, or outsourced contact centre, the payment problem compounds: you're handling payments for multiple clients, each with their own PSP, their own branding, and their own compliance requirements.
Traditional DTMF solutions are built for single-merchant contact centres (call centers). They don't handle multi-tenant payment routing — where Client A's payments go through Worldpay and Client B's go through Stripe, all from the same agent desktop.
This is where a multi-PSP payment layer designed for platforms and outsourcers becomes essential. One integration, every client's PSP, zero PCI scope for the BPO.
For the full breakdown, see Payment Collection for BPOs: Multiple Clients, Multiple PSPs, Zero PCI Scope.
Common Objections
"Our current process works fine." It works until an audit, a breach, or a client security review exposes the gap. PCI non-compliance carries fines of $5,000–$100,000 per month, liability for breach costs, and potential loss of the ability to process card payments.
"Customers won't use the keypad." Completion rates for DTMF-based voice payments consistently exceed 70%. Customers are familiar with keypad entry from phone banking. For those who prefer not to use the keypad, SMS payment links offer a visual alternative without ending the call.
"Adding another system increases complexity." A secure payment layer replaces complexity. Without it, you're managing PCI compliance across your entire telephony and recording stack. With it, you manage a single integration and the PCI burden sits with the provider.
"We'll handle it when we scale." PCI compliance isn't a scale problem — it's a binary. You either handle card data securely or you don't. The risk exists from the first transaction.
FAQ
What is PCI DSS and does it apply to contact centres? PCI DSS is the Payment Card Industry Data Security Standard. It applies to any organisation that stores, processes, or transmits cardholder data. If your contact centre takes card payments over the phone, you're in scope.
What's the difference between SAQ-A and SAQ-D? SAQ-A is a short self-assessment (around 20 requirements) for businesses that fully outsource card data handling. SAQ-D is the full assessment (300+ requirements) for businesses that process card data in their own environment. Using a secure payment capture solution can move you from SAQ-D to SAQ-A.
Can agents still talk to customers during payment capture? Yes. With DTMF suppression, the voice channel stays open. The agent can guide the customer ("please enter your 16-digit card number now") without hearing the keypad tones. The conversation continues naturally.
How long does implementation take? Pre-built connectors can be live within hours to days. Custom telephony integrations (via SIP) typically take one to two weeks with a single developer.
What if a customer doesn't have a phone with a keypad? Send an SMS payment link during the call. The customer completes payment on their device — supporting cards, digital wallets (Apple Pay, Google Pay), and bank transfers — while the conversation continues.
How do debt collection agencies handle secure payments? Debt collection has specific requirements — multiple creditor PSPs, payment plan automation, and strict regulatory oversight. See our dedicated guide: Secure Payment Collection for Debt Agencies.
Payments by CCaaS Platform
Each platform has its own quirks — telephony architecture, agent desktop, AI capabilities, and partner ecosystem. The implementation pattern is similar (multi-PSP routing, DTMF masking, agent-assist UI, payment links) but the specifics differ. Choose your platform below for a step-by-step merchant guide:
Talkdesk Payments — PCI-compliant payments for AI-first contact centres on Talkdesk Autopilot and Copilot.
Genesys Cloud Payments — Multi-PSP payment capture for Genesys Cloud CX, Architect flows, and AI Experience.
Five9 Payments — Voice payments for Five9 — IVA-friendly, multi-PSP, no telephony rebuild.
NICE CXone Payments — PCI-compliant card capture for NICE CXone Studio scripts and Enlighten AI.
RingCentral Payments — Voice payments for RingCX and RingEX, with full RingSense compatibility.
RingCX Payments — Enterprise CCaaS payment integration for RingCentral's dedicated contact-centre product.
Amazon Connect Payments — Payment capture for Amazon Connect Contact Flows via Twilio SIP or direct integration.
Avaya Payments — Payments for Avaya Aura, OneCloud CCaaS, and hybrid on-premises deployments.
Cisco Webex Contact Centre Payments — PCI-compliant payments for Webex CC, UCCE, and UCCX — legacy and modern Cisco estates.
Vonage Contact Centre Payments — Salesforce-integrated payment capture for Vonage VCC and AI Studio scripts.
8x8 Payments — PCI-compliant payments for 8x8 XCaaS, integrated with Intelligent Customer Assistant.
Dialpad Payments — Voice payments for Dialpad — works alongside Dialpad Ai transcription and analytics.
Aircall Payments — Enterprise-grade card capture for Aircall and its HubSpot, Salesforce, and Zendesk connectors.
Zoom Contact Center Payments — PCI-compliant voice payments for Zoom Contact Center, with AI Companion compatibility.
Sprinklr Payments — Multi-channel payment capture for Sprinklr Service — voice and digital, AI++ compatible.
Zendesk Payments — Payment links and voice payments for Zendesk Agent Workspace and Zendesk Talk.
Intercom Payments — Payment links inside Intercom Conversations, plus voice payments via Intercom Phone.
Cresta Payments — PCI-compliant payment capture alongside Cresta agent assist and AI coaching.
Observe.AI Payments — Payment capture for Observe.AI-powered contact centres without entering AI transcript pipelines.
Verint Payments — Keep Verint recording and analytics out of PCI scope while taking card payments.
Get Started
Shuttle adds enterprise-grade, PCI-compliant payment infrastructure to any major contact-centre platform without changes to your telephony, agent training, or customer experience. Most deployments go live in under two weeks across multiple PSPs.
If you take payments in a contact centre, see how Shuttle works for merchants, or book a discovery call to walk through your specific platform and deployment.