The Problem: Phone Payments Are a PCI Compliance Minefield
Your business takes calls every day. Customers ring to book jobs, ask for quotes, confirm appointments, and — crucially — to pay. Whether you run a team of plumbers, manage a property maintenance company, or operate a cleaning service, a significant portion of your revenue starts with a phone call.
The problem is what happens when the customer says, "Can I pay now over the phone?" Your receptionist grabs a pen, asks for the card number, writes it on a Post-it note, types it into a payment form, then — hopefully — throws the Post-it away. Or worse, they keep a notebook of card details for processing later. Maybe they don't write it down at all but enter it directly into a virtual terminal while the customer reads it out, with other staff in earshot.
Every one of these scenarios is a PCI compliance problem. The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder data, and it applies to every business that handles card payments — including phone payments. If card details are written down, overheard, stored, or recorded (and many phone systems record calls by default), your business is non-compliant. The consequences range from fines to losing the ability to accept card payments entirely.
Most small and medium businesses don't know this. They've been taking card details over the phone for years without incident and assume they're fine. But "nobody has complained yet" isn't a compliance strategy. There are better, more secure, and often simpler ways to collect card payments during phone calls.
Your Options for Taking Card Payments Over the Phone
There are several approaches to phone-based card payments. They vary significantly in security, compliance, and customer experience. Here's an honest comparison.
The Old Way: "Read Me Your Card Number"
The most common approach in small businesses: the customer reads their 16-digit card number, expiry date, and CVV aloud while your staff enters it into a payment form or terminal.
This works in the sense that the payment gets processed. But it's the weakest option from every other perspective. Your staff handles sensitive card data directly. If your phone system records calls — many VoIP systems do by default — you're storing card data in audio files, which is a serious PCI violation. Other people in your office may overhear the details. There's a natural temptation to write down the numbers, especially if the payment form is slow or if the team processes payments in batches.
For a solo operator taking the occasional phone payment, the risk might feel manageable. For a business with a team of office staff handling multiple calls per day, the exposure adds up quickly. One data breach, one complaint to your acquiring bank, and you have a real problem.
Virtual Terminals
A virtual terminal is a web-based payment form that your staff accesses through a browser. The customer reads their card details over the phone, and your team member types them into the virtual terminal. The payment is processed online.
This is more structured than scribbling on a Post-it note, and it avoids the need for a physical card machine. Most payment providers — Stripe, Square, PayPal, Worldpay — offer virtual terminals. The interface is typically simple: enter the card number, expiry, CVV, amount, and submit.
The improvement over the "read your card number" approach is marginal from a PCI perspective, however. Your staff still hears and handles the full card details. The card number is still spoken aloud in your office. The main benefit is that the details go directly into a secure payment form rather than being written down first — but the human handling of the data is the same.
Virtual terminal fees vary but typically sit around 1.5% to 2.5% plus a fixed fee per transaction. Some providers charge a monthly fee on top. For businesses processing a moderate volume of phone payments, these costs are manageable.
Sending a Payment Link During the Call
An increasingly popular approach: instead of taking card details over the phone, your team sends the customer a payment link via SMS while they're still on the call. The customer opens the link on their phone, enters their own card details on the secure checkout page, and completes the payment — all while still talking to your staff member.
This approach has significant advantages. Your team never handles card data at all, so PCI compliance is dramatically simplified. The customer enters their own details on a secure, hosted page. There's nothing to write down, nothing to overhear, nothing to record.
The customer experience is straightforward: "I'm going to send you a payment link now by text. If you tap it, you can enter your card details securely and we'll get confirmation straight away." Most customers are comfortable with this — they're used to receiving payment links from other businesses.
The limitation is that it requires the customer to have a smartphone to hand and to be willing to switch between the phone call and the link. The vast majority of customers are fine with this. But for the small number who aren't comfortable with technology or who are calling from a landline, you need another option.
Voice Checkout (DTMF Payments)
Voice checkout — sometimes called DTMF payment or keypad payment — is the most secure way to take card payments during a phone call. It solves the PCI compliance problem completely while keeping the entire transaction within the phone call itself.
Here's how it works: when the customer is ready to pay, your staff member initiates the payment process. The call transitions to a secure payment session (the customer stays on the line — there's no need to hang up and call back). An automated voice prompt asks the customer to enter their 16-digit card number using their phone keypad, followed by the expiry date and CVV.
The critical detail: the DTMF tones (the beeps you hear when pressing phone keys) are masked so your team member cannot hear or decode which numbers are being entered. The card data goes directly to the payment processor via an encrypted channel. Your staff sees only a confirmation that the payment was successful or failed — never the card details themselves.
From the customer's perspective, the experience is smooth. They're already on the phone. They don't need to switch to a browser or find a text message. They simply tap numbers on their keypad — something they do regularly when navigating automated phone systems. The payment completes in under a minute, and both parties know immediately whether it was successful.
Voice checkout is fully PCI DSS compliant because card data never enters your environment. It doesn't pass through your phone system, it's not audible to your staff, and it's never stored on your infrastructure. For businesses that process a significant volume of phone payments, this is the gold standard.
Comparison Summary
To make the choice clear:
- "Read your card number" — Works but is the least secure and least compliant option. Your staff handles all card data directly.
- Virtual terminals — More structured but still involves your staff hearing and typing card details. Moderate PCI burden.
- Payment link during call — Excellent for most situations. No card data handled by your staff. Requires customer to have a smartphone.
- Voice checkout — The most secure option. Card data never reaches your team. Works for all customers on any phone. Fully PCI compliant.
For most businesses, a combination of payment links and voice checkout covers every phone payment scenario. Send a link when the customer has a smartphone. Use voice checkout when they don't, when they prefer to stay within the call, or when you want the fastest possible phone-based payment experience.
How Voice Checkout Works — In Detail
Because voice checkout is the most important innovation in phone payments for service businesses, it deserves a deeper explanation. Understanding the mechanics will help you see why it's both more secure and often faster than traditional methods.
Voice checkout integrates with your existing phone system — whether that's a traditional phone line, a VoIP system, or a cloud-based communication platform like Twilio, Vonage, or RingCentral. The integration works at the telephony layer, meaning it doesn't require your staff to open a separate application or website.
Here's a detailed walkthrough of a typical transaction:
- Customer calls to book and pay. A homeowner rings your office to book a team of heating engineers for a boiler service. Your receptionist confirms availability, schedules the appointment, and the customer wants to pay the £120 fee upfront.
- Staff initiates payment. Your receptionist tells the customer: "I'll take payment now. You'll hear a short prompt asking you to enter your card details on your keypad — your card information stays completely private." They initiate the voice checkout session from their screen.
- Secure session begins. The call transitions straight to the payment session. The customer hears a clear, professional voice prompt: "Please enter your 16-digit card number using your keypad."
- Customer enters card details. The customer types their card number, expiry date, and CVV on their phone keypad. Each keypress is masked — your receptionist hears a flat tone (or silence) instead of the distinct DTMF tones that would reveal the numbers. The card data is encrypted and sent directly to the payment processor.
- Payment is processed. The payment processor verifies the card, checks the funds, and processes the transaction. This typically takes 2 to 5 seconds.
- Confirmation for both parties. The customer hears a confirmation message ("Your payment of £120 has been processed successfully"). Your receptionist sees the confirmation on their screen. The call returns to the normal conversation.
- Receipt and records. A receipt is sent to the customer (by email or SMS), and the transaction appears in your payment dashboard with all the relevant details — amount, customer, date, and reference.
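As an added example (not Shuttle's code or any telephony vendor's API), the Python model below follows the walkthrough above: each keypress goes to a processor-side buffer, the agent channel only ever receives a masked tone, and the result handed back to the receptionist carries nothing beyond the last four digits. The card numbers are constructed test values, and the Luhn and expiry checks stand in for the processor's own verification.

```python
from dataclasses import dataclass, field

FIELD_ORDER = ("pan", "expiry", "cvv")   # order in which the voice prompt asks for them


def luhn_ok(pan: str) -> bool:
    """Luhn check on a card number; a mistyped digit usually fails here."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VoiceCheckoutSession:
    amount_pence: int
    entered: dict = field(default_factory=lambda: {f: "" for f in FIELD_ORDER})
    field_idx: int = 0
    agent_audio: list = field(default_factory=list)   # what the receptionist hears

    def keypress(self, key: str) -> None:
        """One DTMF keypress from the caller. '#' ends the current field."""
        self.agent_audio.append("<masked>")           # flat tone, never the digit itself
        if self.field_idx >= len(FIELD_ORDER):
            return                                    # all fields captured; ignore extras
        name = FIELD_ORDER[self.field_idx]
        if key == "#":
            self.field_idx += 1
        elif key.isdigit():
            self.entered[name] += key                 # processor-side buffer only

    def authorise(self) -> dict:
        """Validate the captured data and return only what the agent may see."""
        pan, exp, cvv = (self.entered[f] for f in FIELD_ORDER)
        ok = (len(pan) == 16 and pan.isdigit() and luhn_ok(pan)
              and len(exp) == 4 and exp.isdigit() and 1 <= int(exp[:2]) <= 12
              and len(cvv) == 3 and cvv.isdigit())
        self.entered = {f: "" for f in FIELD_ORDER}   # discard card data once used
        return {"status": "approved" if ok else "declined",
                "amount_pence": self.amount_pence,
                "last4": pan[-4:] if ok else None,
                "agent_heard_digits": any(a != "<masked>" for a in self.agent_audio)}


def run_session(amount_pence: int, dtmf: str) -> dict:
    """Feed a whole DTMF sequence (constructed, e.g. 'PAN#MMYY#CVV#') through a session."""
    session = VoiceCheckoutSession(amount_pence)
    for key in dtmf:
        session.keypress(key)
    return session.authorise()
```

In a real deployment the masking and buffering happen at the telephony layer, not in application code; the point here is that nothing on the agent's side ever holds a digit.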
The entire payment takes 30 to 60 seconds. Your receptionist has handled the booking and payment in a single phone call without ever seeing, hearing, or touching the customer's card data. There's nothing to write down, no data to secure, and no PCI compliance worry.
For businesses that handle dozens of phone bookings per day — property management firms, healthcare practices, trade businesses with busy offices — voice checkout turns phone payments from a compliance headache into a natural part of the booking process.
Shuttle's voice checkout is built specifically for this use case. It integrates with major telephony platforms including Twilio, works with existing phone numbers and call flows, and is fully PCI DSS Level 1 compliant. The setup is handled for you — there's no development work required on your end.
What to Look For in a Phone Payment Solution
If your business takes payments over the phone regularly, here's how to evaluate your options and choose the right approach.
PCI compliance approach. This is the single most important factor. Ask explicitly: does this solution require my staff to handle card data? If the answer is yes — whether through a virtual terminal or verbal card details — you're taking on PCI compliance obligations that include staff training, secure environments, call recording management, and regular assessments. Solutions that keep card data away from your staff (voice checkout, payment links) dramatically reduce this burden.
Customer experience. How do your customers experience the payment? The best solutions feel natural and quick. Voice checkout keeps everything in the phone call. Payment links require a brief shift to a smartphone browser. Virtual terminals require customers to read out 20+ digits aloud, which many find uncomfortable — especially for large amounts. Consider what feels right for your typical customer base.
Speed of payment. In a busy office handling dozens of calls, seconds matter. Voice checkout completes a payment in under a minute without your staff doing anything beyond initiating it. Payment links depend on how quickly the customer opens the link and enters their details — usually 1 to 2 minutes. Virtual terminals depend on the speed of your staff typing and the customer reading clearly. Over the course of a day, these differences compound.
Integration with your phone system. If you use a VoIP or cloud telephony platform, check that the voice checkout solution integrates natively. Shuttle's voice checkout works with Twilio and other major platforms. If you use traditional phone lines, check whether the provider offers a solution that works with your setup — some voice checkout providers require cloud-based phone systems.
Team visibility. When your team processes phone payments, your office manager needs to see what's been collected, by whom, and for which customer. Real-time dashboards and notifications ensure that phone payments are tracked just as accurately as in-person or online payments. Look for providers that give you a centralised view of all transactions regardless of how they were collected.
Flexibility to combine methods. The reality is that no single method works for every phone call. Some customers will happily tap a payment link. Others prefer to stay on the phone and use their keypad. A few may still want to read their card details aloud. The best approach is a provider that offers multiple phone payment options so your team can adapt to each customer's preference. Shuttle offers both voice checkout and payment links, giving your team the flexibility to handle any phone payment scenario securely.