How PolyAI Voice Agents Take Payments: PCI-Compliant AI Voice Payments

By Shuttle Team, March 14, 2026

PolyAI deploys AI voice agents that handle hundreds of millions of conversations a year across insurance, hospitality, telecoms, and financial services. These agents handle everything from booking confirmations to policy renewals to account queries — autonomously, at scale, without human agents.

But every one of those conversations hits the same wall: "I'd like to pay now."

AI voice agents — no matter how sophisticated — cannot natively process card payments. The AI model must never see, hear, or process cardholder data. That's not a product limitation. It's a compliance requirement under PCI DSS. A voice agent built on PolyAI needs a payment layer that can take the card securely and return the result, without the AI agent ever touching sensitive data.

Shuttle is that payment layer. Shuttle has no native integration with PolyAI. Instead, your application code invokes Shuttle's Twilio-based payment setup (Shuttle is Twilio's preferred payments partner). At the point of payment, the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay, so the card digits are captured inside Shuttle's certified environment and never reach PolyAI, the LLM, or the agent. To use this path, you must be a Twilio customer, and your team builds the orchestration that triggers the handoff.

The Payment Challenge for PolyAI

PolyAI's voice agents are built on large language models fine-tuned for conversational AI. They understand context, handle complex multi-turn dialogues, and integrate with backend systems via APIs. But payments create a problem that no amount of model sophistication can solve.

The moment a customer reads out a card number or enters it via their keypad, that data is cardholder data under PCI DSS. If it enters PolyAI's audio pipeline — even as raw audio that gets transcribed — PolyAI's entire voice infrastructure is in PCI scope. That includes the ASR pipeline, the LLM inference layer, call recordings, transcription storage, and every network segment those systems touch.

PCI DSS Level 1 certification for that footprint would cost upwards of $500,000 in the first year, with $200,000+ in ongoing annual costs. It would also impose constraints on model training, data retention, and infrastructure architecture that would fundamentally slow down PolyAI's product development.

The correct answer is to keep cardholder data out of PolyAI's platform entirely. That's what Shuttle does.

How Shuttle Works with PolyAI Today

Shuttle has no native integration with PolyAI. The handoff is API-driven: your application code triggers the Shuttle payment handoff, and the card is captured by Shuttle inside its PCI DSS Level 1 certified environment, never by PolyAI. To use the secure voice capture, you must be a Twilio customer, because today the capture runs over Twilio Pay, where Shuttle is Twilio's preferred payments partner.

Shuttle provides ready-made interfaces for payment links plus the capture/IVR and the APIs. Your team builds the agent-side orchestration that triggers the handoff. You can build and validate the flow against Shuttle's sandbox gateway and demo app before going live. A deeper, native PolyAI integration is possible only as a paid project.

Here's the architecture:

  1. PolyAI manages the conversation — The AI agent handles intent recognition, customer authentication, amount confirmation, and all conversational logic. It knows the customer wants to pay and how much they owe.

  2. The call is handed to Shuttle's secure capture — When payment is triggered, the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay. It operates within Shuttle's certified environment, completely isolated from PolyAI's infrastructure.

  3. Card capture in isolation — The customer enters their card on the keypad during the secure capture. The digits are captured by Shuttle inside its certified environment, so they never reach PolyAI, the LLM, or any recording.

  4. Gateway routing — Shuttle tokenises the card data and routes it to the appropriate payment gateway. The gateway is determined by the merchant's configuration — different PolyAI customers can use different PSPs.

  5. Result returned — Shuttle fires a webhook with the transaction result: success or failure, a transaction ID, and a masked card reference. No card data. Your application records the result, and PolyAI's agent confirms the payment in natural language.

One honest caveat to set expectations up front: the secure capture at the point of payment is live now via Twilio Pay. Shuttle being present for the entire call, or cleanly returning the caller to the same PolyAI agent afterwards, is not yet turnkey. A carrier-agnostic version, which removes the Twilio requirement, is landing later in 2026.

How It Works: Step by Step

Here's what happens during a live PolyAI call when a customer is ready to pay:

Step 1: Payment intent recognised. The PolyAI agent detects that the customer wants to make a payment. This might be explicit ("I'd like to pay my bill") or contextual (the agent has just confirmed an outstanding balance and the customer agrees to settle it).

Step 2: Amount confirmed. The agent confirms the payment amount: "That's £247.50 for your policy renewal. I'll take your card details now — you'll be prompted to enter them using your keypad."

Step 3: Secure session initiated. PolyAI's platform makes an API call to Shuttle to create a payment session. The request includes the amount, currency, and the merchant's gateway configuration. Shuttle returns a session token.

Step 4: Call handed to secure capture. At the point of payment, the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay, with Shuttle as the certified connector. The card capture happens inside that secure environment, not inside PolyAI.

Step 5: Card details entered. Shuttle plays a secure prompt: "Please enter your 16-digit card number followed by the hash key." The customer enters their card number, expiry date, and CVV via their phone keypad.

Step 6: Digits captured in isolation. The card is captured by Shuttle inside its PCI DSS Level 1 certified environment. No card data enters PolyAI's infrastructure at any point.

Step 7: Payment processed. Shuttle tokenises the card data and sends it to the merchant's configured payment gateway for authorisation. This happens within Shuttle's certified environment.

Step 8: Result returned. The gateway returns an authorisation result. Shuttle sends a webhook: `payment_completed` with the outcome, a transaction reference, and a masked card number (e.g., `**4242`).

Step 9: Conversation continues. Your application records the result, and the PolyAI agent confirms: "Your payment of £247.50 has been processed successfully. Your reference number is TXN-8834. Is there anything else I can help with?"

The customer stays on the line for the secure capture, which keeps the experience close to the IVR keypad entry callers already know. Note that cleanly returning the caller to the same PolyAI agent after payment is not yet turnkey today; talk to us about your flow and we will give you the honest current state.

Multi-PSP Support

PolyAI serves enterprise customers across multiple industries and geographies. Those customers don't all use the same payment gateway.

An insurance company in the UK might process through Worldpay. A hotel chain in the US might use Stripe. A telecoms provider in Europe might route through Adyen. PolyAI can't dictate which PSP its customers use — and it shouldn't have to.

Shuttle connects to 30+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and others. Each customer's payment flow is routed to their configured gateway automatically, and switching gateways is configuration, not re-integration. Shuttle handles the gateway abstraction so you don't need separate integrations for each PSP.

This also enables more sophisticated routing:

  • Geographic routing — Route UK transactions through Worldpay, US transactions through Stripe

  • Failover — If the primary gateway is down, automatically route to a backup

  • Merchant-level configuration — Each customer can have their own gateway setup

One gateway caveat worth knowing: a few gateways (Braintree, for example) do not work for voice capture, because they will not allow raw card data to be passed, but they do work for payment links.

This means payment capability scales with your customer base without multiplying integration complexity.

PCI Compliance

The entire point of the Shuttle integration is to keep PolyAI out of PCI scope for card data. Here's what that means in practice:

What PolyAI handles:

  • Conversation management, intent recognition, customer authentication

  • Payment amount confirmation and session initiation

  • Receiving transaction results (success/failure, reference numbers, masked card details)

None of this is cardholder data. None of it puts PolyAI in PCI scope.

What Shuttle handles:

  • Card capture during the secure Twilio Pay handoff

  • Card data tokenisation

  • Gateway communication and authorisation

All of this happens within Shuttle's PCI DSS Level 1 certified environment.

Call recordings: because the card is entered during the secure PCI capture, the card details are never part of the audio PolyAI processes or records. There is no cardholder data in any recording, transcript, or log that PolyAI stores.
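The boundary described here, and the result hand-off in steps 8 and 9, can be enforced in your own orchestration code before a webhook result is logged or passed to the agent. The following is an added example, not Shuttle's or PolyAI's code: the field names and the sample payload are assumptions built from the values quoted in this article. It rejects any result containing a digit run that looks like a full card number and forwards only an allowlist of fields.

```python
import re

# Maximal digit runs, allowing single spaces or hyphens between digits.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)*")

# Fields the agent side may see. Names are assumptions, not Shuttle's schema.
ALLOWED_FIELDS = {"event", "status", "transaction_id", "masked_card",
                  "amount", "currency"}

# Constructed sample result, modelled on the values quoted in the article.
SAMPLE_RESULT = {
    "event": "payment_completed", "status": "success",
    "transaction_id": "TXN-8834", "masked_card": "**4242",
    "amount": "247.50", "currency": "GBP", "debug": "trace-1",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a 13-19 digit run that passes the Luhn check."""
    for match in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def sanitize_result(payload: dict) -> dict:
    """Fail closed on anything PAN-like, then keep only allowlisted fields."""
    for key, value in payload.items():
        if contains_pan(str(value)):   # str() also covers nested values
            raise ValueError(f"possible cardholder data in field {key!r}")
    return {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}


if __name__ == "__main__":
    print(sanitize_result(SAMPLE_RESULT))
```

A raised `ValueError` here should stop the result from reaching logs, transcripts, or the LLM context and be treated as a scope incident to investigate.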

PCI scope for PolyAI customers: Because card data never enters PolyAI's infrastructure, end merchants can self-assess under SAQ-A — the simplest PCI compliance tier. No penetration testing, no ASV scans on their end, no on-site QSA audits for payment processing.

Shuttle is a PCI DSS Level 1 certified Service Provider. That certification covers the full card capture, tokenisation, and gateway routing pipeline.

Beyond Voice: Payment Links

The secure in-call capture is one method, but Shuttle also supports payment links, and they are the turnkey path. During a PolyAI conversation, the AI agent can send a payment link via SMS or email.

Here's how it works: the PolyAI agent confirms the payment amount, then tells the customer "I've just sent a secure payment link to your mobile." Shuttle generates a hosted checkout page and delivers it. The customer taps the link, enters their card details on a secure page, and completes the payment. The result is returned to your application, and the agent confirms it in the conversation.

Payment links are useful when:

  • The customer is on a mobile and can easily switch to a browser

  • The transaction involves a higher amount where customers prefer visual confirmation

  • The caller is uncomfortable entering card details via keypad

  • The gateway does not support voice capture, for example Braintree

Both methods — secure in-call capture and payment links — are processed through the same Shuttle infrastructure, the same PCI-compliant environment, and the same gateway routing. Your application chooses the appropriate method based on context.

What's Live Today

Being straight about the current state matters more than a polished promise.

Available now: the secure card capture at the point of payment, via Twilio Pay. When it is time to pay, the call is handed to the secure capture, the customer pays, and your application receives the result. The card never passes through PolyAI. Payment links are available now too, and they are the turnkey path.

Not yet turnkey: Shuttle being present for the entire call, or cleanly returning the caller to the same PolyAI agent and call after payment. Today the secure capture is scoped to the point of payment, not the whole conversation.

On the roadmap: a carrier-agnostic version that removes the Twilio requirement is landing later in 2026, and that is where fuller call control is headed.

If your flow needs the agent to pick the conversation back up seamlessly after payment, talk to us about where this work is, and we will give you the honest current state rather than overpromise.

FAQ

Does Shuttle have a native PolyAI integration? No. Shuttle has no native integration with PolyAI. The handoff is API-driven: your application code triggers Shuttle's Twilio-based payment setup, and at the point of payment the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay. A native PolyAI integration is possible only as a paid project.

Does this require Twilio? Yes, for the secure in-call capture. The capture runs over Twilio Pay today, where Shuttle is Twilio's preferred payments partner, so you must be a Twilio customer. A carrier-agnostic version that removes the Twilio requirement is landing later in 2026.

Can PolyAI agents take payments without Shuttle? Not compliantly. If the AI model processes card data — even as audio — PolyAI's entire infrastructure enters PCI scope. Shuttle provides the PCI-compliant bridge that keeps card data isolated from PolyAI's systems.

What payment gateways does this work with? Shuttle connects to 30+ gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, and others. Switching gateways is configuration, not re-integration. A few gateways (Braintree, for example) do not work for voice capture but do work for payment links.

Does the call return to my PolyAI agent automatically after payment? The secure card capture is available now via Twilio Pay. Cleanly returning the caller to the same PolyAI agent and call after payment is not yet turnkey: today the secure capture is scoped to the point of payment. A clean resume is on the roadmap with the carrier-agnostic version. We will give you the honest current state for your flow rather than overpromise.

What does it cost? Shuttle charges $0.20 per successful transaction for voice, with no setup fees, no monthly minimums, and no per-seat licensing. Payment links are currently free, with a new model coming. For technical detail, see the Shuttle docs: Twilio setup, payment links, and security and PCI.

Add Payments to Your AI Voice Agents

Shuttle is Twilio's official payment partner and a PCI DSS Level 1 certified Service Provider. If you're deploying AI voice agents and need PCI-compliant payment capture, talk to us about Voice Checkout or see how it works for platforms.
