Secure Payment Collection for Debt Agencies

By Shuttle Team, February 25, 2026

Three Scenarios, One Compliance Problem

Debt collection agencies collect payments through three distinct scenarios — and each one creates a PCI challenge.

Scenario 1: Inbound debtor calls. A debtor calls to settle an account. The agent verifies the balance, negotiates a payment (full or partial), and needs to capture card details immediately — while the debtor is motivated and ready to pay. Any friction — "we'll send you a link" or "call back on our payment line" — risks losing the payment entirely.

Scenario 2: Outbound agent calls. An agent calls a debtor as part of a collections campaign. After navigating the conversation — often sensitive, sometimes confrontational — the debtor agrees to pay. The agent needs to capture payment in that moment. Transferring to an IVR or ending the call to send a link breaks the momentum and drastically reduces conversion.

Scenario 3: Automated payment plans. A debtor agrees to a structured payment plan — £200/month for 12 months. The first payment is captured live. Subsequent payments need to be collected automatically, on schedule, without the debtor calling back each month.

In all three scenarios, the traditional approach — the agent verbally collects card details — puts the agency in full PCI scope. Call recordings contain card data. Agent workstations, headsets and desktop software are in scope. The entire telephony environment, from SIP trunks to recording storage, needs to meet PCI DSS requirements.

For an industry already operating on thin margins with high staff turnover and intense regulatory scrutiny, that compliance burden is unsustainable.

Why Debt Collection Is Different

Debt collection has requirements that generic contact centre payment solutions don't address:

Multi-PSP Is Mandatory

Agencies collect on behalf of creditors. Creditor A mandates Worldpay. Creditor B uses Stripe. Creditor C has a Barclays merchant account. Creditor D's contract specifies the exact processor their payments must route through.

This isn't optional. Creditors dictate the PSP. The agency must comply. A payment solution that only connects to one or two gateways can serve one client — but not a portfolio.

This is the same multi-PSP mandate problem that platforms face, but amplified: a single debt collection agency may serve dozens of creditors, each with different payment processing requirements.

Compliance Is Under a Microscope

Debt collection is one of the most heavily regulated sectors. FCA oversight in the UK, CFPB in the US, and sector-specific codes of practice all impose strict requirements on how debtor data is handled.

PCI DSS v4.0 (now at revision 4.0.1) added further pressure:

  • Shared responsibility: outsourcing collections does not transfer PCI DSS responsibility. A creditor remains accountable for cardholder data handled on its behalf and must maintain a list of its third-party service providers, record which requirements each one covers, and monitor their compliance status at least annually (Requirement 12.8).

  • Enhanced third-party monitoring: the flip side of 12.8 is that agencies must be able to demonstrate their PCI DSS status to every creditor they serve, normally by producing a current Attestation of Compliance.

  • Targeted risk analysis: where a requirement leaves frequency or method to the entity, a documented targeted risk analysis must justify the choice (Requirement 12.3.1). How card payments are taken over the phone is exactly the kind of process creditors now expect to see covered.

An agency using pause-and-resume or verbal card capture faces increasing pushback from creditors whose own compliance teams are asking pointed questions. Pause-and-resume in particular only removes card data from the recording, and only when the agent remembers to pause; the agent still hears the number and it still traverses the agency's telephony and desktop environment, so scope is reduced rather than removed.

Staff Turnover Amplifies Risk

Debt collection agencies have some of the highest staff turnover rates in the contact centre industry. High-pressure work, emotional conversations, and shift-based schedules drive churn.

Every agent who hears a card number is a potential fraud vector. An agent who leaves after three months may have processed hundreds of payments. If they've heard card details on every one, the agency's exposure to insider fraud is significant.

The secure approach: agents never hear card data. Period.

Payment Plans Require Tokenisation

A one-off payment capture is straightforward. But debt collection lives on payment plans — recurring payments over weeks, months, or years.

This requires:

  • Tokenisation of the card at first capture

  • Secure storage of the token linked to the debtor's account

  • Scheduled execution of subsequent payments via the creditor's PSP

  • Automatic retry logic for failed payments

  • Notification to the agency (and debtor) of payment status

A DTMF solution that captures a one-off payment but can't tokenise and schedule recurring payments only solves half the problem.

The Architecture That Works

For Inbound and Outbound Calls

When a debtor agrees to pay during a live call:

  1. The agent triggers payment capture from their interface — the system identifies the creditor and their configured PSP

  2. A DTMF capture session initiates within a payment layer operated by a PCI DSS Level 1 service provider

  3. The debtor enters their card details via keypad — the tones are intercepted before they reach the agent's audio or the recording, so neither ever contains the digits

  4. The payment layer processes the transaction through the creditor's PSP

  5. The agent sees: "Payment of £350.00 approved — Ref TXN-8294 — Card ending 5531"

  6. The call continues — the agent confirms the payment verbally and discusses next steps

No card data enters the agency's environment. The recording is clean. The agent never heard the card number.
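As an added illustration of steps 1 to 5 (and of the same capture-by-API path an AI agent would use later on this page), the following Python simulation is written for this page; it is not Shuttle's code and talks to no real PSP. The creditor-to-PSP table, the call event format, the in-memory vault and the Visa test number 4111111111111111 are all constructed for the example. It shows the property the steps are meant to guarantee: while a capture session is open, keypad digits are diverted to the payment-layer stand-in, the recording and the agent view receive only a mask, the number is Luhn-checked before any charge, and the charge is routed to the PSP configured for that creditor.

```python
"""Added example: simulate a DTMF capture session from the agency's side.
Not Shuttle's code. Creditor names, PSP names, the event format and the
in-memory vault are constructed for illustration."""
import secrets
from dataclasses import dataclass, field

# Constructed creditor -> mandated PSP table (assumption: one PSP per creditor).
CREDITOR_PSP = {
    "creditor-a": "worldpay",
    "creditor-b": "stripe",
    "creditor-c": "barclays",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check so a mis-keyed number is rejected before it reaches a PSP."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class PaymentLayer:
    """Stand-in for the PCI-certified layer. The vault lives here, not in the agency."""
    vault: dict = field(default_factory=dict)    # token -> PAN
    psp_log: list = field(default_factory=list)  # (psp, amount_pence) sent onward

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan
        return token

    def charge(self, creditor: str, token: str, amount_pence: int) -> dict:
        psp = CREDITOR_PSP[creditor]   # the creditor dictates the gateway
        pan = self.vault[token]        # PAN is resolved only inside this layer
        self.psp_log.append((psp, amount_pence))
        return {"status": "approved", "psp": psp, "token": token,
                "ref": "TXN-" + secrets.token_hex(2).upper(), "last4": pan[-4:]}


def run_capture_session(layer: PaymentLayer, creditor: str, amount_pence: int,
                        call_events: list) -> dict:
    """Replay a call as (kind, payload) events. Inside the capture session every
    DTMF digit goes to the payment layer; the recording stores a mask and the
    agent sees only a progress marker. '#' submits the entry."""
    recording, agent_view, digits = [], [], []
    in_session, result = False, None
    for kind, payload in call_events:
        if kind == "capture_start":
            in_session, digits = True, []
            agent_view.append("[capture session open]")
        elif kind == "dtmf" and in_session:
            if payload == "#":
                in_session = False
                pan, digits = "".join(digits), []
                if luhn_ok(pan):
                    result = layer.charge(creditor, layer.tokenise(pan), amount_pence)
                    agent_view.append(f"Payment of £{amount_pence / 100:.2f} "
                                      f"{result['status']} - Ref {result['ref']} "
                                      f"- Card ending {result['last4']}")
                else:
                    result = {"status": "invalid_card"}
                    agent_view.append("Card number failed validation - ask debtor to re-enter")
            else:
                digits.append(payload)
                recording.append("<dtmf masked>")
                agent_view.append("*")
        elif kind == "dtmf":
            recording.append(f"<dtmf {payload}>")  # tones outside a session (IVR menu) record normally
        else:
            recording.append(payload)              # speech is recorded as-is
    return {"result": result, "recording": recording, "agent_view": agent_view}


def pan_leaked(pan: str, session: dict) -> bool:
    """Check the agency-side artefacts for the full PAN, spaced or run together."""
    text = " ".join(session["recording"] + session["agent_view"])
    return pan in text or pan in text.replace(" ", "")


# Constructed call: a debtor of creditor-b keys the Visa test PAN 4111111111111111.
SAMPLE_PAN = "4111111111111111"
SAMPLE_CALL = [("speech", "Agent: I'll open the secure keypad now"),
               ("capture_start", ""),
               *[("dtmf", d) for d in SAMPLE_PAN],
               ("dtmf", "#"),
               ("speech", "Agent: thanks, that's gone through")]

if __name__ == "__main__":
    layer = PaymentLayer()
    session = run_capture_session(layer, "creditor-b", 35000, SAMPLE_CALL)
    print(session["agent_view"][-1])
    print("PAN leaked to agency artefacts:", pan_leaked(SAMPLE_PAN, session))
```

Running it prints the agent-facing confirmation line (amount, reference, last four digits) and `False` for the leak check; the full PAN exists only in `layer.vault`, which models storage outside the agency. Swapping `creditor-b` for `creditor-a` changes only the gateway in `psp_log`, which is the multi-PSP routing point: the agent interface never needs to know which PSP a creditor mandates.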

If the debtor can't use their keypad — an older handset, a VoIP line that mangles in-band tones, or simply a preference not to — the agent sends an SMS payment link with one click. The debtor completes payment on their device while the conversation continues. The link carries the creditor's branding and supports cards, digital wallets, and bank transfers.

For Payment Plans

When a debtor agrees to a payment plan:

  1. First payment is captured live via DTMF or payment link (as above)

  2. The card is tokenised within the payment layer — no card data stored by the agency

  3. Subsequent payments are scheduled against the token, routed through the creditor's PSP

  4. Each payment executes automatically on the agreed date

  5. Failed payments trigger retry logic and notification to the agency

  6. The debtor receives payment confirmation for each instalment

The agency manages the plan — adjusting amounts, pausing, or cancelling — through a dashboard. Card data lives in the payment layer's PCI-certified vault. The agency's systems hold only tokens, references, and payment status.
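An added example of the plan engine described in steps 2 to 5 and in the payment-plans section earlier on this page, written for this page rather than taken from Shuttle: the agency side holds a token, a consent record and instalment state, and a constructed stub gateway stands in for the creditor's PSP (the creditor-to-PSP table is likewise made up). It adds two details a practitioner would want that the steps do not spell out: an idempotency key per attempt, so a re-run after a crash cannot double-charge the debtor, and a consent flag checked before any merchant-initiated charge, so cancelling the plan (or a revoked Continuous Payment Authority) stops further attempts.

```python
"""Added example: payment-plan execution against a token with bounded retries.
Not Shuttle's code. The PSP stub, creditor table and retry policy are
constructed for illustration."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_ATTEMPTS = 3       # give up on an instalment after this many declines
RETRY_AFTER_DAYS = 3   # wait before retrying a declined instalment

CREDITOR_PSP = {"creditor-a": "worldpay", "creditor-b": "stripe"}  # constructed


def add_months(d: date, n: int) -> date:
    """Same day n months on, clamped to month end (31 Jan + 1 -> 28/29 Feb)."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Instalment:
    due: date
    amount_pence: int
    status: str = "scheduled"   # scheduled | retry | paid | failed | cancelled
    attempts: int = 0
    ref: Optional[str] = None


@dataclass
class PaymentPlan:
    debtor_id: str
    creditor: str
    token: str        # payment-layer token; the agency never holds the PAN
    consent: dict     # CPA consent recorded at first capture
    instalments: list
    notifications: list = field(default_factory=list)


class StubPSP:
    """Constructed gateway stand-in: declines any attempt whose key is in `declines`."""
    def __init__(self, declines=()):
        self.declines, self.calls = set(declines), []

    def charge(self, creditor, token, amount_pence, idempotency_key):
        self.calls.append((CREDITOR_PSP[creditor], idempotency_key, amount_pence))
        if idempotency_key in self.declines:
            return {"status": "declined"}
        return {"status": "approved", "ref": "TXN-" + idempotency_key}


def build_plan(debtor_id, creditor, token, consent, first_due, amount_pence, months):
    """First instalment is the one taken live; the rest are scheduled monthly."""
    inst = [Instalment(add_months(first_due, i), amount_pence) for i in range(months)]
    inst[0].status, inst[0].ref = "paid", consent["first_payment_ref"]
    return PaymentPlan(debtor_id, creditor, token, consent, inst)


def run_due(plan: PaymentPlan, psp: StubPSP, today: date) -> list:
    """Execute every instalment that is due, with bounded retries. The
    idempotency key ties each attempt to (debtor, instalment, attempt) so a
    re-run of the same day cannot double-charge."""
    processed = []
    if not plan.consent.get("active", False):
        return processed   # no live CPA consent: initiate nothing
    for idx, inst in enumerate(plan.instalments):
        if inst.status not in ("scheduled", "retry") or inst.due > today:
            continue
        inst.attempts += 1
        key = f"{plan.debtor_id}:{idx}:{inst.attempts}"
        resp = psp.charge(plan.creditor, plan.token, inst.amount_pence, key)
        if resp["status"] == "approved":
            inst.status, inst.ref = "paid", resp["ref"]
            plan.notifications.append(("debtor", f"instalment {idx} paid {inst.ref}"))
        elif inst.attempts >= MAX_ATTEMPTS:
            inst.status = "failed"
            plan.notifications.append(("agency", f"instalment {idx} failed after {inst.attempts} attempts"))
        else:
            inst.status, inst.due = "retry", today + timedelta(days=RETRY_AFTER_DAYS)
            plan.notifications.append(("agency", f"instalment {idx} declined, retry on {inst.due}"))
        processed.append((idx, inst.status))
    return processed


def cancel_plan(plan: PaymentPlan) -> None:
    """Revoke consent and cancel anything not yet paid."""
    plan.consent["active"] = False
    for inst in plan.instalments:
        if inst.status in ("scheduled", "retry"):
            inst.status = "cancelled"
```

`run_due` is meant to be called by a daily job; because it only touches instalments whose due date has arrived and keys every attempt, running it twice on the same day after a decline produces no second charge attempt until the retry date. Nothing in `PaymentPlan` is sensitive beyond the token and the debtor reference, which is the point of step 2: the agency's database holds what is needed to schedule and report, and nothing that would pull it into scope.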

For AI-Driven Collections

AI voice agents are entering debt collection — handling outbound calls at scale, navigating sensitive conversations, and identifying payment opportunities. When a debtor agrees to pay during an AI-managed call, the same architecture applies:

  1. AI agent identifies payment intent

  2. API call triggers DTMF capture session

  3. Debtor enters card details via keypad

  4. Payment confirmation returns to the AI agent via webhook

  5. AI agent confirms payment and continues the conversation

No human agent involved. Fully automated. The same multi-PSP routing, tokenisation, and payment plan capabilities apply. For the full AI agent architecture, see How AI Voice Agents Take PCI-Compliant Payments.

Cost Comparison

|                                | Verbal card capture           | DTMF overlay (PCI Pal/Eckoh)      | Multi-PSP payment layer (Shuttle)        |
|--------------------------------|-------------------------------|-----------------------------------|------------------------------------------|
| PCI scope                      | Full (SAQ D)                  | SAQ A                             | SAQ A                                    |
| Annual PCI cost                | $200K–$500K+                  | Included in vendor fee            | Included                                 |
| Multi-PSP                      | Manual (log into each portal) | 1–3 gateways                      | 40+ gateways                             |
| Payment plans                  | Manual recurring              | Limited                           | Automated with tokenisation              |
| Monthly cost, 100-seat agency  | PCI cost + fraud risk         | ~$2,500–$4,000 (per-seat pricing) | ~$1,000–$3,000 (per-transaction pricing) |
| Channels                       | Voice only (non-compliant)    | Voice only                        | Voice + links + chat                     |
| AI agent support               | No                            | Limited                           | Yes                                      |
| White-label                    | N/A                           | Limited                           | Full                                     |

SAQ A eligibility depends on every cardholder data function being outsourced to a PCI DSS validated service provider, and the acquirer confirms which SAQ applies; read the scope row as the best case each approach can reach, not a guarantee.

What Creditors Are Asking

Creditors are tightening their oversight of agency payment practices. Expect these questions in your next creditor review:

  • "Are your agents exposed to cardholder data during collections calls?"

  • "What PCI SAQ level does your payment process qualify for?"

  • "Can you produce an Attestation of Compliance (AOC) for your payment handling?"

  • "How do you ensure our payments route through our mandated PSP?"

  • "What fraud controls exist around agent access to payment data?"

Agencies using a PCI-certified payment layer with DTMF isolation can answer all five cleanly. Agencies using pause-and-resume or verbal capture will struggle — and increasingly, creditors are making compliant payment handling a condition of their agency agreements.

FAQ

Can we process payments for multiple creditors through one system? Yes. A multi-PSP payment layer lets you configure each creditor's PSP and merchant account. When an agent (or AI agent) triggers a payment, the system routes it through the correct creditor's processor automatically.

How do payment plans work with different creditor PSPs? The first payment is captured and tokenised. Subsequent payments execute against the token through the creditor's configured PSP. Each creditor's payment plans route through their own gateway — the agency manages plans through a unified dashboard regardless of the underlying PSP.

What about partial payments and settlements? The system handles arbitrary amounts. If a debtor negotiates a partial payment or a settlement figure, the agent enters the agreed amount and processes it. Payment plan amounts can be adjusted mid-plan.

Does this work with our existing dialler/CRM? The payment layer integrates via API with your existing infrastructure — Avaya, Genesys, Five9, Twilio, or any SIP-based telephony. CRM integration is typically via webhooks that update debtor records with payment status.

What about Continuous Payment Authority (CPA)? A CPA is a standing authority for the agency to initiate recurring card charges (merchant-initiated transactions) without the debtor keying anything each time. It requires tokenisation and explicit debtor consent. The payment layer tokenises the card at first capture and stores the consent record (what was agreed, when, and over which channel) alongside the token, so every later charge can be traced back to an authority the debtor gave. Subsequent CPA charges are initiated by the agency through the API and processed through the creditor's PSP; revoking the consent stops further charges.

How does this compare to the existing AI voice debt collection guide? Our guide on AI voice agent PCI payments focuses on the AI agent and CCaaS platform angle — how AI voice providers build payment capture into their agents. This guide focuses on the agency operator: you're running a collections business, human or AI agents, and need compliant multi-creditor payment infrastructure.

Collect every payment. Comply with every creditor. Zero PCI scope.

Shuttle gives debt collection agencies multi-PSP payment collection through a single integration. DTMF voice capture, SMS payment links, automated payment plans — with white-label branding and PCI DSS Level 1 compliance included.
