Retell AI lets developers build production-grade AI voice agents fast. Its API-first platform handles the hard parts of voice AI, so teams can focus on the conversation rather than the telephony stack. But when one of those agents needs to take a payment, the card details have to be handled somewhere other than the AI pipeline.
This guide covers how to take PCI-compliant payments on Retell AI voice agents using Shuttle, so your agents can collect card payments during a call without putting your application or Retell's platform in PCI scope. It is written as "payments done right on Retell, with Shuttle": Retell runs the conversation, Shuttle runs the secure payment.
Developers are building appointment booking agents, outbound sales callers, customer service bots, and lead qualification systems on Retell. Many of those use cases end with a payment. A customer confirms a booking and needs to pay. A caller agrees to settle an outstanding bill. A lead converts and wants to purchase.
Retell deliberately focuses on the conversation, not card handling, and that is the right design. The AI model must never see, hear, or process cardholder data. That is a PCI DSS requirement. The secure pattern, which Retell itself recommends, is to hand the call off to a dedicated payment layer before any card details are entered, so the card number never reaches Retell or the LLM.
Shuttle is that payment layer. When it is time to pay, the card is captured in a secure, PCI DSS Level 1 call at the point of capture (today, via Twilio Pay), and the result comes back to your application. The card digits never touch your application or Retell's platform.
The Payment Challenge for Retell AI
Retell AI is a developer platform. That means the teams building on it are making their own architectural decisions, and when they hit the payment question, they face the same compliance reality that every voice AI platform faces.
Card data cannot enter the AI pipeline. If a customer presses their card digits during a Retell call, those DTMF tones are cardholder data under PCI DSS. Retell is not PCI DSS Level 1 certified, and its PII redaction runs after the language model has already processed the input, so capturing card details inside the Retell call would still pull your stack into PCI scope. That includes Retell's speech infrastructure, your LLM, your call recordings, your database, and every network path connecting them. The card entry has to happen off Retell entirely.
Building your own payment capture is not viable. PCI DSS Level 1 certification costs $500,000+ initially and $200,000+ per year. It requires a Qualified Security Assessor, quarterly vulnerability scans, annual penetration testing, and strict controls on every system that handles card data. For a startup or small team building on Retell, that is not a realistic investment.
Redirecting to a separate system breaks the experience. If your Retell agent has to tell the customer "Please hang up and call our payment line," the seamless AI experience breaks down. The customer waits, gets confused, or drops off entirely. The goal is to keep the customer on the line and hand the call to a secure payment environment, rather than send them away.
The solution is a payment layer the agent can hand the call to, that captures card data in an isolated PCI-compliant environment and returns the result, without the card ever passing through Retell.
How Shuttle Integrates with Retell AI
Shuttle provides the payment infrastructure that Retell AI agents need. The integration is API-driven, which fits Retell's developer-first model: your application code orchestrates the payment flow, and the card itself is captured by Shuttle in its PCI DSS Level 1 certified environment, never by Retell.
Here's the architecture:
Your Retell agent manages the conversation: Intent recognition, customer interaction, amount confirmation, all handled by your agent's LLM and Retell's voice infrastructure.
A secure PCI capture is triggered for payment: When payment is needed, the card capture runs as a secure, PCI DSS Level 1 call at the point of capture. Today this runs over Twilio Pay, with Shuttle as the certified capture and gateway connector.
Shuttle captures the card: The customer enters their card details on their keypad during that secure PCI call. The digits are captured by Shuttle in its certified environment, so they never reach Retell or the LLM.
Payment is processed: Shuttle tokenises the card and routes it to your configured payment gateway. The authorisation happens entirely within Shuttle's certified environment.
Result returned to your application: Shuttle sends a webhook with the transaction outcome (success or failure, a transaction reference, and a masked card number), which your application uses to confirm the payment.
Retell handles the voice. Shuttle handles the card. Your application ties them together. One honest caveat worth setting expectations on up front: the secure PCI capture at the point of payment is available now, but cleanly returning the caller to the same Retell agent afterwards is not yet turnkey. See Call control: what's live today.
How It Works: Step by Step
Here's what happens during a live call with a Retell AI agent integrated with Shuttle:
Step 1: Payment intent recognised. Your Retell agent detects that the customer wants to pay. This could be explicit ("I'd like to pay for my appointment") or triggered by your application logic (a booking is confirmed and payment is due).
Step 2: Amount confirmed. The agent says: "The total for your appointment is $85.00. I'll connect you to our secure payment line to take your card details."
Step 3: Secure capture triggered. At the point of payment, a secure PCI DSS Level 1 call takes over the card capture (today, via Twilio Pay, with Shuttle as the certified connector). This is the key step: the card is captured inside that secure PCI call, so it never touches Retell or the LLM.
Step 4: Card details entered securely. During the secure PCI call, the customer is prompted to enter their card number, expiry, and CVV on their phone keypad. Shuttle captures the digits inside its certified environment.
Step 5: Payment processed. Shuttle tokenises the card data and sends it to your payment gateway for authorisation. This takes a few seconds.
Step 6: Result returned. Shuttle sends the outcome to your application via webhook: success or failure, a transaction reference, and a masked card number. Your application records the result and confirms the payment to the customer.
The customer stays on the line throughout. There is no "hang up and call another number." The card is captured by Shuttle, not Retell, which is what keeps your stack out of PCI scope.
Call control: what's live today
This is the part most guides gloss over, so we'll be straight about it.
Available now (Twilio Pay product): the card capture runs as a secure, PCI DSS Level 1 call at the point of capture. When it is time to pay, the secure capture takes the card, the customer pays, and your application receives the result. The card never passes through Retell.
Not yet available on the Twilio-only product: Shuttle being present for the entire call, or being dialed in at exactly the right moment. Today, the secure capture is scoped to the point of capture, not the whole conversation. The carrier-agnostic version landing later in 2026 is where this fuller call control is headed.
The practical consequence: cleanly returning the caller to the same Retell agent and call after payment is not turnkey today. Retell's own call transfer is largely one-way, and Shuttle is not yet riding the full call to hand control back. A clean resume is something we are actively building, not a finished feature.
If your flow needs the agent to pick the conversation back up seamlessly after payment, talk to us about where this work is, and we will give you the honest current state rather than overpromise.
Multi-PSP Support
If you're building on Retell AI, you might be a startup using Stripe. Or you might be building for an enterprise customer that requires Adyen. Or you might be building a multi-tenant application where each of your customers uses a different gateway.
Shuttle connects to 30+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, Mollie, and others. Your Shuttle configuration determines which gateway processes each transaction.
For developers building multi-tenant applications on Retell, this is particularly valuable:
Per-tenant gateway configuration: Each of your customers can use their own PSP
Single integration: You integrate with Shuttle once. Gateway routing is configuration, not code.
Multi-PSP routing: Route by currency, region, card type, or custom rules
Failover: Automatic fallback to a secondary gateway if the primary is unavailable
This means you can offer payment capability to all your customers without building and maintaining separate gateway integrations for each one.
PCI Compliance
For developers building on Retell AI, PCI compliance is the single biggest reason to use a payment layer rather than building card capture yourself.
What stays in your application / Retell:
Conversation management and agent logic
Payment amount calculation and confirmation
Initiating the handoff to Shuttle
Transaction result handling (webhook with non-sensitive data)
None of this is cardholder data. Your application and Retell's platform stay out of PCI scope.
What stays in Shuttle:
Secure card capture after the handoff
Card data tokenisation
Gateway communication and authorisation
Secure prompt playback
All within Shuttle's PCI DSS Level 1 certified environment.
Call recordings: because the card is entered during the secure PCI capture, the card details are never part of the audio Retell processes or records. Any call recordings you store on Retell do not contain cardholder data. There are no card digits in your recordings, your logs, or your database.
Your PCI scope: with Shuttle handling all card data, your application qualifies for SAQ-A, the simplest PCI compliance tier. You are not storing, processing, or transmitting cardholder data. Your PCI obligation is limited to the API calls between your server and Shuttle, which contain no card data.
Shuttle is a PCI DSS Level 1 certified Service Provider. That covers the full pipeline: capture, tokenisation, gateway routing, and authorisation.
Beyond Voice: Payment Links
The secure PCI capture at the point of payment is the primary method during voice calls, but Shuttle also supports payment links, and for some Retell use cases, they are the better option.
During a Retell call, your agent can tell the customer: "I've just sent a secure payment link to your mobile." Shuttle generates a hosted checkout page and delivers it via SMS. The customer taps the link, enters their card details on the secure page, and completes the payment. The result is returned to your application.
Payment links are useful for:
Higher-value transactions: Customers may prefer to see the amount and merchant details on screen before entering their card
Mobile-first customers: If the caller is on a mobile phone, switching to a browser is seamless
Accessibility: Customers who find keypad entry difficult can use the visual checkout instead
Post-call payments: Your agent can send a payment link at the end of a call for the customer to complete later
Both methods use the same Shuttle infrastructure and PCI-compliant environment. Your application logic decides which method to use based on context.
Use Cases
Retell agents tend to cluster around a few high-value workflows, and most of them end in a payment. Here is where Shuttle fits.
Appointment Booking (Clinics, Salons, Services)
Booking agents for clinics, dental practices, salons, and service businesses confirm an appointment and then need a deposit or full payment to secure it. The Retell agent confirms the slot, states the amount, and triggers the secure card capture, all before the customer hangs up. Taking payment at the point of booking is a common way to reduce no-shows.
Outbound Sales and Collections
Outbound Retell agents that close sales or chase outstanding balances need to capture payment at the moment of agreement. The agent triggers the secure card capture the instant the customer commits, so there is no callback and no link that goes unclicked.
Lead Qualification to Purchase
When an inbound agent qualifies a lead and the conversation turns into a sale, the payment has to happen in the same call or momentum is lost. Shuttle lets the agent move straight from "you're a fit" to taking payment, by handing the call to the secure payment line, rather than routing to a human.
Customer Service Bill-Pay
Support agents handling account queries frequently get asked "can I just pay my bill now?" With Shuttle, the Retell agent hands the call to the secure payment environment in the same conversation, rather than transferring the customer to a separate payment line.
Developer Integration
Retell AI is a developer platform, so the Shuttle integration is designed to fit into a typical development workflow:
API-driven. Initiate the payment handoff, configure gateways, and receive webhooks via REST API. No SDKs required (though they're available).
Built on Twilio Pay today. The secure card capture currently runs over Twilio Pay, where Shuttle is the certified payment connector. A carrier-agnostic version is landing later in 2026.
Webhook-based results. Transaction outcomes are delivered via webhook to your application server. Parse the payload, update your database, and confirm the payment to the customer.
Test mode available. Test the full payment flow with test card numbers before going live. Same API, same flow, no real charges.
[$0.20 per successful transaction](/pricing/). No setup fees, no monthly minimums, no per-seat licensing. You pay for successful transactions, not infrastructure.
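An added example, not Shuttle's or Retell's code: a fail-closed check a webhook handler could run before persisting or logging a result, so that a full card number can never land in your database or logs. The field names and the masked-card format are assumptions; the page says only that the webhook carries an outcome, a transaction reference, and a masked card number.

```python
import re

# Hypothetical field names: the page states only that the webhook carries an
# outcome, a transaction reference and a masked card number.
ALLOWED_FIELDS = {"status", "transaction_reference", "masked_card"}
# Assumed masked form: mask characters followed by the last four digits only.
MASKED_CARD = re.compile(r"^[*xX]{4,15}\d{4}$")
# A standalone run of 13-19 digits, allowing single space or hyphen separators.
DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """Detect a whole 13-19 digit run that is Luhn-valid (a probable card number)."""
    for m in DIGIT_RUN.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False


def validate_webhook(payload: dict) -> dict:
    """Return the payload if it is safe to persist, else raise ValueError."""
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for key, value in payload.items():
        if contains_pan(str(value)):
            # Name the field only; never echo the value into logs or errors.
            raise ValueError(f"field {key!r} looks like a full card number")
    if payload.get("status") not in {"success", "failure"}:
        raise ValueError("unknown status")
    if not MASKED_CARD.match(str(payload.get("masked_card", ""))):
        raise ValueError("masked_card is not in masked form")
    return dict(payload)


# Constructed sample payloads (4111 1111 1111 1111 is a standard test number).
GOOD = {"status": "success", "transaction_reference": "txn_constructed_001", "masked_card": "************1111"}
LEAKY = dict(GOOD, transaction_reference="4111 1111 1111 1111")
```

The same `contains_pan` check can be pointed at call transcripts or application log lines to confirm that no card digits reached them.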
FAQ
Can I capture card payments directly inside a Retell call? No. Retell is not PCI DSS Level 1 certified, and its PII redaction runs after the language model has already processed the input, so capturing card digits inside the Retell call would keep your stack in PCI scope. The secure pattern, which Retell itself recommends, is to hand the call off to a dedicated payment layer before any card details are entered. Shuttle is that handoff.
Is Retell PCI compliant? Retell is not a PCI DSS Level 1 certified payment processor, and it is not designed to be one. It runs the conversation. Payments are handled off-platform by Shuttle, which is PCI DSS Level 1 certified, so Retell and your application stay out of scope.
After payment, does the call return to my Retell agent automatically? The secure PCI card capture is available now on the Twilio Pay product. Cleanly returning the caller to the same Retell agent and call after payment is not yet turnkey: today the secure capture is scoped to the point of capture, Shuttle does not yet ride the full call, and Retell's own transfer is largely one-way. Shuttle being present for the entire call (or dialed in at the right moment) is on the roadmap with the carrier-agnostic version. We will give you the honest current state for your flow rather than overpromise.
What payment gateways does Shuttle support? 30+ gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and others. You configure your gateway in Shuttle and it handles the routing.
Can I build PCI-compliant payment capture myself on Retell? Technically yes, but the cost is prohibitive. PCI DSS Level 1 certification requires $500,000+ upfront and $200,000+/year in ongoing compliance costs. Shuttle provides the same capability at $0.20 per successful transaction.
Can I use this for outbound calls? Yes. If your Retell agent makes outbound calls and needs to collect payment during the call, the same secure Shuttle capture works. The capture is triggered identically to inbound calls.
Related Reading
How AI Voice Agents Take PCI-Compliant Payments: The technical architecture for secure payment capture during AI voice calls
What Are Voice Payments? The Complete Guide: IVR, agent-assisted, and AI voice payment models compared
Vapi Payments: PCI-compliant payment capture for voice agents built on Vapi
Bland AI Payments: secure payment capture for Bland AI phone agents
Dialpad Payments: Secure voice payments for Dialpad Ai Contact Center
RingCentral Payments: PCI-compliant payment capture for RingCX and RingEX
The Payment Layer for AI Agents: Why AI agents need a dedicated payment layer
Contact Centre Payments: PCI-compliant payment capture for contact centres
Add Payments to Your Retell AI Agents
Shuttle is Twilio's official payment partner and a PCI DSS Level 1 certified Service Provider. If you're building voice agents on Retell AI and need PCI-compliant payment capture:
See Voice Checkout | Book a discovery call