How PolyAI Voice Agents Take Payments: PCI-Compliant AI Voice Payments

By Shuttle Team, March 14, 2026

PolyAI deploys AI voice agents that handle hundreds of millions of conversations a year across insurance, hospitality, telecoms, and financial services. These agents handle everything from booking confirmations to policy renewals to account queries — autonomously, at scale, without human agents.

But until recently, every one of those conversations hit the same wall: "I'd like to pay now."

AI voice agents — no matter how sophisticated — cannot natively process card payments. The AI model must never see, hear, or process cardholder data. That's not a product limitation. It's a compliance requirement under PCI DSS. And it means PolyAI needed a payment layer that could capture card data mid-conversation, process it securely, and return the result — without the AI agent ever touching sensitive data.

Shuttle is that payment layer. PolyAI agents integrated with Shuttle achieve a 75% payment completion rate with zero human handoffs. The customer never leaves the conversation. The AI agent never enters PCI scope.


The Payment Challenge for PolyAI

PolyAI's voice agents are built on large language models fine-tuned for conversational AI. They understand context, handle complex multi-turn dialogues, and integrate with backend systems via APIs. But payments create a problem that no amount of model sophistication can solve.

The moment a customer reads out a card number or enters it via their keypad, that data is cardholder data under PCI DSS. If it enters PolyAI's audio pipeline — even as raw audio that gets transcribed — PolyAI's entire voice infrastructure is in PCI scope. That includes the ASR pipeline, the LLM inference layer, call recordings, transcription storage, and every network segment those systems touch.

PCI DSS Level 1 certification for that footprint would cost upwards of $500,000 in the first year, with $200,000+ in ongoing annual costs. It would also impose constraints on model training, data retention, and infrastructure architecture that would fundamentally slow down PolyAI's product development.

The correct answer is to keep cardholder data out of PolyAI's platform entirely. That's what Shuttle does.


How Shuttle Integrates with PolyAI

The integration architecture is clean and deliberate. PolyAI handles the conversation. Shuttle handles the payment. The two systems communicate via API, but cardholder data never crosses the boundary.

Here's the architecture:

  1. PolyAI manages the conversation — The AI agent handles intent recognition, customer authentication, amount confirmation, and all conversational logic. It knows the customer wants to pay and how much they owe.

  2. Shuttle manages the payment — When payment is triggered, Shuttle takes control of the card capture channel. It operates within its own PCI DSS Level 1 certified environment, completely isolated from PolyAI's infrastructure.

  3. DTMF capture in isolation — Card digits entered via the customer's keypad are captured exclusively by Shuttle. The DTMF tones are stripped from PolyAI's audio stream and replaced with flat masking tones. Call recordings contain no card data.

  4. Gateway routing — Shuttle tokenises the card data and routes it to the appropriate payment gateway. The gateway is determined by the merchant's configuration — different PolyAI customers can use different PSPs.

  5. Result returned — Shuttle fires a webhook with the transaction result: success or failure, a transaction ID, and a masked card reference. No card data. PolyAI's agent picks up and confirms the payment in natural language.

The entire card capture takes seconds. The customer stays on the line. The AI agent continues the conversation as if nothing happened — because from its perspective, it simply sent a request and received a result.


How It Works: Step by Step

Here's what happens during a live PolyAI call when a customer is ready to pay:

Step 1: Payment intent recognised. The PolyAI agent detects that the customer wants to make a payment. This might be explicit ("I'd like to pay my bill") or contextual (the agent has just confirmed an outstanding balance and the customer agrees to settle it).

Step 2: Amount confirmed. The agent confirms the payment amount: "That's £247.50 for your policy renewal. I'll take your card details now — you'll be prompted to enter them using your keypad."

Step 3: Secure session initiated. PolyAI's platform makes an API call to Shuttle to create a payment session. The request includes the amount, currency, and the merchant's gateway configuration. Shuttle returns a session token.

Step 4: Audio stream splits. The call audio bifurcates. Shuttle takes control of the DTMF capture channel. The main audio stream — the one that feeds PolyAI's AI model and any call recording — is isolated from the card capture channel.

Step 5: Card details entered. Shuttle plays a secure prompt: "Please enter your 16-digit card number followed by the hash key." The customer enters their card number, expiry date, and CVV via their phone keypad.

Step 6: DTMF tones masked. The keypad tones are captured by Shuttle and stripped from the main audio stream. PolyAI's systems receive flat replacement tones. No card data enters PolyAI's infrastructure at any point.

Step 7: Payment processed. Shuttle tokenises the card data and sends it to the merchant's configured payment gateway for authorisation. This happens within Shuttle's PCI DSS Level 1 certified environment.

Step 8: Result returned. The gateway returns an authorisation result. Shuttle sends a webhook to PolyAI: payment_completed with the outcome, a transaction reference, and a masked card number (e.g., ****4242).

Step 9: Conversation resumes. The PolyAI agent confirms: "Your payment of £247.50 has been processed successfully. Your reference number is TXN-8834. Is there anything else I can help with?"
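The webhook in Step 8 is the one point where Shuttle's result crosses back into PolyAI's side, so the receiving side should enforce the "no card data" property rather than assume it. The Python below is an added example, not Shuttle's or PolyAI's code: the payload field names (event, status, transaction_ref, masked_card) and the sample payloads are assumptions constructed for illustration, and the guard rejects any result whose card reference is not masked or that carries a Luhn-valid card-number-like digit run anywhere in the document.

```python
"""Boundary guard for a payment-result webhook (added example; field names are assumed)."""
import json
import re

# Fields the result is expected to carry, modelled on the flow described above.
REQUIRED_FIELDS = ("event", "status", "transaction_ref", "masked_card")
# Only a masked reference such as ****4242 may cross the boundary.
MASKED_CARD_RE = re.compile(r"^\*{4}\d{4}$")
# 13-19 digits with optional space/dash separators, bounded by non-digits.
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used to tell a primary account number (PAN) from an ordinary ID."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _string_leaves(obj):
    """Yield every string value in a nested JSON document."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _string_leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_leaves(v)
    elif isinstance(obj, str):
        yield obj


def contains_pan(obj) -> bool:
    """True if any string field holds a Luhn-valid card-number-like run (false positives are acceptable)."""
    return any(
        luhn_valid(re.sub(r"[ -]", "", m.group()))
        for s in _string_leaves(obj)
        for m in DIGIT_RUN_RE.finditer(s)
    )


def accept_payment_result(raw: str) -> dict:
    """Parse the webhook body; raise ValueError if accepting it would pull the receiver into PCI scope."""
    payload = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if payload["event"] != "payment_completed":
        raise ValueError(f"unexpected event: {payload['event']}")
    if not MASKED_CARD_RE.fullmatch(payload["masked_card"]):
        raise ValueError("card reference is not masked; reject and alert")
    if contains_pan(payload):
        raise ValueError("PAN-like value in payload; reject and alert, do not log the body")
    # Hand only the fields the conversation needs back to the agent.
    return {k: payload[k] for k in ("status", "transaction_ref", "masked_card")}
```

Authenticating the webhook (signature or mTLS) belongs before this check; the page does not describe Shuttle's mechanism, so it is not shown.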

The customer experience is seamless. The compliance architecture is bulletproof. The 75% completion rate reflects the fact that customers are comfortable with keypad entry — they've been doing it on IVR systems for decades — and the AI agent's conversational guidance eliminates the confusion that typically causes drop-offs.


Multi-PSP Support

PolyAI serves enterprise customers across multiple industries and geographies. Those customers don't all use the same payment gateway.

An insurance company in the UK might process through Worldpay. A hotel chain in the US might use Stripe. A telecoms provider in Europe might route through Adyen. PolyAI can't dictate which PSP its customers use — and it shouldn't have to.

Shuttle connects to 16+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and others. Each PolyAI customer's payment flow is routed to their configured gateway automatically. Shuttle handles the gateway abstraction so PolyAI doesn't need separate integrations for each PSP.

This also enables more sophisticated routing:

  • Geographic routing — Route UK transactions through Worldpay, US transactions through Stripe

  • Failover — If the primary gateway is down, automatically route to a backup

  • Merchant-level configuration — Each PolyAI customer can have their own gateway setup without PolyAI managing any of it

For PolyAI, this means payment capability scales with their customer base without multiplying integration complexity.


PCI Compliance

The entire point of the Shuttle integration is to keep PolyAI out of PCI scope for card data. Here's what that means in practice:

What PolyAI handles:

  • Conversation management, intent recognition, customer authentication

  • Payment amount confirmation and session initiation

  • Receiving transaction results (success/failure, reference numbers, masked card details)

None of this is cardholder data. None of it puts PolyAI in PCI scope.

What Shuttle handles:

  • DTMF capture and decoding

  • Card data tokenisation

  • Gateway communication and authorisation

All of this happens within Shuttle's PCI DSS Level 1 certified environment.

Call recordings: DTMF tones are stripped from the audio stream before they reach any recording system. Call recordings contain flat masking tones during the payment segment. There is no cardholder data in any recording, transcript, or log that PolyAI stores.

PCI scope for PolyAI customers: Because card data never enters PolyAI's infrastructure, PolyAI's customers can self-assess under SAQ-A — the simplest PCI compliance tier. No penetration testing, no ASV scans on their end, no on-site QSA audits for payment processing.

Shuttle is a PCI DSS Level 1 certified Service Provider. That certification covers the full card capture, tokenisation, and gateway routing pipeline.


Beyond Voice: Payment Links

DTMF keypad entry is the primary payment capture method during AI voice calls, but it's not the only option. During a PolyAI conversation, the AI agent can also send a payment link via SMS.

Here's how it works: the PolyAI agent confirms the payment amount, then tells the customer "I've just sent a secure payment link to your mobile." Shuttle generates a hosted checkout page and delivers it via SMS. The customer taps the link, enters their card details on a secure page, and completes the payment. The result is returned to the PolyAI agent, which confirms it in the conversation.

Payment links are useful when:

  • The customer is on a mobile and can easily switch to a browser

  • The transaction involves a higher amount where customers prefer visual confirmation

  • The caller is uncomfortable entering card details via keypad

  • The conversation is happening via a channel where DTMF isn't available

Both methods — DTMF and payment links — are processed through the same Shuttle infrastructure, the same PCI-compliant environment, and the same gateway routing. The PolyAI agent chooses the appropriate method based on context.


Results

The PolyAI + Shuttle integration isn't theoretical. It's live, processing payments across enterprise deployments.

75% completion rate. Three out of four customers who reach the payment step complete the transaction. That's significantly higher than typical IVR payment flows, where drop-off rates of 40-60% are common. The difference is the AI agent: it guides the customer through the process conversationally, handles confusion, and provides real-time feedback.

Zero human handoffs. The entire flow — conversation, payment capture, confirmation — happens without a human agent. No warm transfers. No "let me put you through to our payments team." The AI agent handles it end to end.

No PCI scope expansion for PolyAI. PolyAI's infrastructure remains completely out of scope for cardholder data. Their customers benefit from the same scope reduction.


FAQ

Can PolyAI agents take payments without Shuttle? Not compliantly. If the AI model processes card data — even as audio — PolyAI's entire infrastructure enters PCI scope. Shuttle provides the PCI-compliant bridge that keeps card data isolated from PolyAI's systems.

What payment gateways does this work with? Shuttle connects to 16+ gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, and others. Each PolyAI customer can use their own preferred gateway.

How long does the payment capture take? The DTMF card entry typically takes 20-30 seconds. The customer stays on the line with the AI agent throughout.

Does the customer need to be transferred to complete payment? No. The payment happens within the same call. There's no transfer, no hold music, no separate IVR system. The AI agent triggers the payment flow and receives the result — the customer experience is seamless.

What does it cost? Shuttle charges $0.20 per transaction with no setup fees, no monthly minimums, and no per-seat licensing.


Add Payments to Your AI Voice Agents

Shuttle is Twilio's official payment partner and a PCI DSS Level 1 certified Service Provider. If you're deploying AI voice agents and need PCI-compliant payment capture, talk to us about Voice Checkout or see how it works for platforms.
