How to Take Payments on Vapi AI Voice Agents: PCI-Compliant Payments

By Shuttle Team, May 22, 2026

Vapi is a developer platform for building voice AI agents. It combines speech recognition, an LLM, and text-to-speech behind a single API, so teams can ship phone agents without wiring up the voice stack themselves. You bring your own model, voice, and transcription provider; Vapi orchestrates the call.

But when a Vapi agent needs to take a payment, card data cannot be allowed to enter the AI pipeline.

This guide covers how to take PCI-compliant payments on Vapi AI voice agents using Shuttle, so your agents can collect card payments mid-call without putting your application or Vapi's platform in PCI scope.

Vapi does document a PCI approach: using squads to disable recording, logging, and transcription while the customer enters their card on the keypad. But that guidance stops at data suppression. Vapi does not process the payment and does not connect to a payment gateway, and turning off recordings is not the same as isolating card data from the agent pipeline and actually charging the card. You still need a payment layer that captures the card in isolation, keeps it out of the agent flow, and processes it. If card digits enter the audio stream unprotected, your entire stack falls into PCI scope.

Shuttle provides the payment layer that closes that gap. Shuttle has no native integration with Vapi. Instead, your application code invokes Shuttle's Twilio-based payment setup (Shuttle is Twilio's preferred payments partner). At the point of payment, the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay. The card digits are captured inside Shuttle's certified environment and never reach Vapi, the LLM, or the agent. To use this path, you must be a Twilio customer, and your team builds the orchestration that triggers the handoff.

The Payment Challenge for Vapi

Vapi is API-first and developer-controlled, which means the team building the agent owns the payment decision too. That decision runs into the same compliance wall every voice AI builder hits.

Card data cannot enter the AI pipeline. If a customer enters card digits via their keypad during a Vapi call, those DTMF tones are cardholder data under PCI DSS. If they flow through the audio path, your transcription provider, your LLM, your call logs, and your backend are all in PCI scope.

Disabling recordings is not the same as isolating card data. Vapi's documented PCI pattern uses squads and an artifact plan to switch off recording, logging, and transcription during the card-collection step. That reduces what gets stored, but it does not process the payment, does not connect to a gateway, and does not guarantee the digits stay out of the agent flow. You still need a payment layer to capture and charge the card.

Building card capture yourself is not realistic. PCI DSS Level 1 certification costs $500,000+ upfront and $200,000+ per year, plus a Qualified Security Assessor, quarterly scans, and annual penetration testing. For a team building on Vapi to move fast, that is the opposite of fast.

Bolting on a separate payment line breaks the experience. Telling the caller to hang up and dial a payment number, or transferring them to an IVR, undoes the seamless agent experience and leaks conversions at exactly the wrong moment.

The answer is a payment layer that drops into the Vapi call flow, captures the card in an isolated environment, and returns a clean result to your agent.

How Shuttle Works with Vapi Today

Shuttle has no native integration with Vapi. The handoff is API-driven, which fits Vapi's developer-first model: your application code triggers the Shuttle payment handoff, and the card is captured by Shuttle inside its PCI DSS Level 1 certified environment, never by Vapi. To use the secure voice capture, you must be a Twilio customer, because today the capture runs over Twilio Pay, where Shuttle is Twilio's preferred payments partner.

Shuttle provides ready-made interfaces for payment links plus the capture/IVR and the APIs. Your team builds the agent-side wiring that triggers the handoff. You can build and validate the flow against Shuttle's sandbox gateway and demo app before going live. A deeper, native Vapi integration is possible only as a paid project.

  1. Your Vapi agent runs the conversation: intent recognition, customer interaction, and amount confirmation are handled by your chosen LLM and Vapi's voice infrastructure.

  2. Your backend triggers Shuttle: when payment is due, your server (often from a Vapi tool call or webhook) calls Shuttle's API to create a payment session with the amount, currency, and gateway configuration.

  3. The call is handed to a secure PCI capture: at the point of payment, the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay. The customer enters their card on the keypad, and Shuttle captures the digits inside its certified environment, so they never reach Vapi, the LLM, or your application.

  4. Payment is processed: Shuttle tokenises the card and routes it to your configured gateway. Authorisation happens entirely inside Shuttle's certified environment.

  5. Result returned to your agent: Shuttle sends a webhook with the outcome, a transaction reference, and a masked card number. Your application records the result, and your Vapi agent confirms the payment.

Because Vapi exposes webhooks and tool calls, the trigger fits naturally into the agent definition you already have: detect intent, call the tool, let Shuttle handle the card on the secure line, and pick up the conversation on the webhook result.

One honest caveat to set expectations on up front: the secure capture at the point of payment is live now via Twilio Pay. Shuttle being present for the entire call, or cleanly returning the caller to the same Vapi agent afterwards, is not yet turnkey. A carrier-agnostic version, which removes the Twilio requirement, is landing later in 2026.

How It Works: Step by Step

Step 1: Payment intent recognised. Your Vapi agent detects that the customer wants to pay, either explicitly or because your application logic determines payment is due.

Step 2: Amount confirmed. The agent says the total and tells the customer they'll be connected to a secure line to enter their card.

Step 3: Payment session created. Your backend calls Shuttle's API with the amount, currency, and gateway config. Shuttle returns a session token.

Step 4: Secure capture triggered. At the point of payment, the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay, with Shuttle as the certified connector. The card capture happens inside that secure environment, not inside Vapi.

Step 5: Card details entered. Shuttle plays a secure prompt and the customer enters card number, expiry, and CVV on the keypad.

Step 6: Digits captured in isolation. Shuttle captures the card inside its PCI DSS Level 1 certified environment. The digits never reach Vapi, the LLM, or your application.

Step 7: Payment processed. Shuttle tokenises the card and routes it to your gateway for authorisation.

Step 8: Webhook received. Shuttle sends the result to your application: outcome, transaction reference, masked card number.

Step 9: Agent confirms. Your application records the result, and your Vapi agent confirms the payment.

The customer stays on the line throughout. Note that cleanly returning the caller to the same Vapi agent after payment is not yet turnkey today; talk to us about your flow and we will give you the honest current state.
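The nine steps above, as an added example of the agent-side wiring your backend owns (this is not Shuttle's or Vapi's code): the backend, not the LLM, is the authority on the amount, and the result webhook is matched to the session it opened and processed once. The tool-call argument names, the webhook field names, the "approved" outcome value and the create_session callable are assumptions standing in for Shuttle's real API.

```python
# Added example, not Shuttle's or Vapi's code: the agent-side wiring the steps
# above describe. The tool-call argument names, the webhook field names, the
# "approved" outcome and the create_session callable are assumptions.
from dataclasses import dataclass, field
from typing import Callable

ALLOWED_CURRENCIES = {"GBP", "EUR", "USD"}  # assumption: configured per tenant
RETRY = "I couldn't confirm the amount. Let me check it again."

@dataclass
class PaymentOrchestrator:
    create_session: Callable[[int, str], str]    # (amount_minor, currency) -> session token
    pending: dict = field(default_factory=dict)  # call_id -> session the backend opened
    seen_refs: set = field(default_factory=set)  # transaction references already recorded

    def handle_tool_call(self, call_id: str, amount_due_minor: int, args: dict) -> dict:
        """Steps 1-3: the agent's tool call proposes a payment; the backend decides.
        amount_due_minor is what the backend knows is owed, not what the LLM said."""
        currency = str(args.get("currency", "")).upper()
        try:
            proposed = int(args.get("amount_minor"))
        except (TypeError, ValueError):
            return {"ok": False, "say": RETRY}
        # The LLM can misread or be talked into another figure; only the backend's total is charged.
        if proposed <= 0 or proposed != amount_due_minor or currency not in ALLOWED_CURRENCIES:
            return {"ok": False, "say": RETRY}
        if call_id in self.pending:  # never open two captures for one call
            return {"ok": False, "say": "A secure payment is already in progress."}
        token = self.create_session(proposed, currency)
        self.pending[call_id] = {"token": token, "amount_minor": proposed, "currency": currency}
        say = f"The total is {proposed / 100:.2f} {currency}. I'll connect you to a secure line now."
        return {"ok": True, "session_token": token, "say": say}

    def handle_result_webhook(self, call_id: str, payload: dict) -> dict:
        """Steps 8-9: Shuttle's result (outcome, reference, masked card) drives the agent's reply.
        Nothing here touches card digits; the masked number is all that ever arrives."""
        ref = payload.get("transaction_reference")
        if ref in self.seen_refs:  # replayed webhook: do not record or announce twice
            return {"ok": False, "say": None}
        session = self.pending.get(call_id)
        if session is None or payload.get("session_token") != session["token"]:
            return {"ok": False, "say": None}  # unknown or mismatched session: ignore
        self.seen_refs.add(ref)
        del self.pending[call_id]
        if payload.get("outcome") != "approved":
            return {"ok": False, "say": "That payment didn't go through. Shall we try another card?"}
        last4 = str(payload.get("masked_card", ""))[-4:]
        amount = f"{session['amount_minor'] / 100:.2f} {session['currency']}"
        return {"ok": True, "say": f"Your payment of {amount} on the card ending {last4} is done. Reference {ref}."}
```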

Multi-PSP Support

Whether you're a startup on Stripe, building for an enterprise that mandates Adyen, or running a multi-tenant product where every customer brings their own gateway, Shuttle connects to 30+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and Mollie.

  • Per-tenant gateway configuration: each of your customers can use their own PSP

  • Single integration: integrate with Shuttle once; switching gateways is configuration, not re-integration

  • Multi-PSP routing: route by currency, region, card type, or custom rules

  • Failover: automatic fallback to a secondary gateway if the primary is unavailable

One gateway caveat worth knowing: a few gateways (Braintree, for example) do not work for voice capture, because they will not allow raw card data to be passed, but they do work for payment links. For developers shipping voice agents to multiple clients on Vapi, this means offering payment capability to everyone without maintaining a separate gateway integration per customer.

PCI Compliance

Shuttle is a PCI DSS Level 1 certified Service Provider, the highest level of payment security certification.

What stays in your application / Vapi: conversation logic, amount calculation, session initiation, and handling of non-sensitive webhook results. None of this is cardholder data, so your application and Vapi's platform stay out of PCI scope.

What stays in Shuttle: card capture during the secure Twilio Pay handoff, card tokenisation, gateway communication, and secure prompt playback, all inside the certified environment.

Call recordings: because the card is entered during the secure PCI capture, the card details are never part of the audio Vapi processes or records. Any recordings you store contain no cardholder data, so there are no card digits in your recordings, logs, or database.

With Shuttle handling all card data, your application qualifies for SAQ-A, the simplest PCI compliance tier, rather than the SAQ-D obligations that taking card data yourself would trigger.
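The scope boundary above holds only while no full card number ever lands in your application. As an added example (not Shuttle's or Vapi's code), a guard to run before anything that came back from the call (webhook payloads, transcripts, tool-call arguments) is logged or stored; it rejects a masked card field that is not actually masked and flags any Luhn-valid digit run elsewhere. The masked_card field name is an assumption.

```python
# Added example, not Shuttle's or Vapi's code: keep the application out of PCI scope
# by refusing to persist anything that carries an apparent full card number.
# The masked_card field name is an assumption about the webhook payload.
import re

_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")  # 13-19 digits, spaces/dashes allowed

def _just_digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return every digit run in text that passes Luhn, i.e. looks like a full PAN."""
    return [m.group() for m in _DIGIT_RUN.finditer(text) if luhn_ok(_just_digits(m.group()))]

def redact(text: str) -> str:
    """Replace every apparent PAN with a fixed marker so the text is safe to log."""
    def _sub(m):
        return "[PAN REDACTED]" if luhn_ok(_just_digits(m.group())) else m.group()
    return _DIGIT_RUN.sub(_sub, text)

def masked_card_ok(value: str) -> bool:
    """A masked card shows at most the last four digits; everything before them is non-digit."""
    return bool(re.fullmatch(r"\D*\d{0,4}", value))

def check_result_payload(payload: dict) -> list:
    """Collect the reasons a payload must not be persisted; an empty list means safe."""
    problems = []
    for key, value in payload.items():
        if not isinstance(value, str):
            continue
        if key == "masked_card":
            if not masked_card_ok(value):
                problems.append("masked_card is not masked")
        elif find_pans(value):
            problems.append(f"field {key!r} contains an apparent card number")
    return problems
```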

Beyond Voice: Payment Links

The secure in-call capture is one method, but Shuttle also supports payment links, and they are the turnkey path. Mid-call, your Vapi agent can say it has sent a secure link by SMS or email; the customer opens a hosted checkout page, pays, and the result returns to your application in real time.

Payment links suit higher-value transactions, mobile-first callers, customers who find keypad entry difficult, and post-call payments. They also work even with gateways that do not support voice capture, such as Braintree. Both methods use the same Shuttle infrastructure, and your application logic chooses which to use.

Use Cases

Outbound Sales

Vapi agents that dial prospects and close need to capture payment the moment the customer agrees. Shuttle takes the card in-call, so there is no callback and no lost sale.

AI Receptionists and Appointment Booking

Receptionist agents for clinics, salons, and service businesses can take a deposit or full payment to secure a booking before the call ends, cutting no-shows.

Customer Support and Bill-Pay

Support agents fielding account queries can take a bill payment in the same conversation rather than transferring to a separate payment line.

Scheduling and Renewals

Agents that book recurring services or handle renewals can collect payment at the point of confirmation, with the option to tokenise for future charges.

Developer Integration

API-driven. Create payment sessions, configure gateways, and receive webhooks via REST API. SDKs are available but not required. Your team builds the agent-side orchestration; Shuttle provides the capture, IVR, links, and APIs.

Twilio required today. The secure voice capture runs over Twilio Pay, so you must be a Twilio customer. A carrier-agnostic version, which removes the Twilio requirement, is landing later in 2026.

Tool-call and webhook friendly. Trigger Shuttle from a Vapi tool call and pick the conversation back up when the result webhook arrives.

Build a POC against the sandbox. Validate the full payment flow against Shuttle's sandbox gateway and demo app before going live. A native Vapi integration is possible only as a paid project.

[$0.20 per successful transaction](/pricing/) for voice. No setup fees, no monthly minimums, no per-seat licensing. Payment links are currently free, with a new model coming.

For technical detail, see the Shuttle docs: Twilio setup, payment links, and security and PCI.

FAQ

Does Shuttle have a native Vapi integration? No. Shuttle has no native integration with Vapi. The handoff is API-driven: your application code triggers Shuttle's Twilio-based payment setup, and at the point of payment the call is handed to a secure PCI DSS Level 1 capture via Twilio Pay. A native Vapi integration is possible only as a paid project.

Does this require Twilio? Yes, for the secure in-call capture. The capture runs over Twilio Pay today, where Shuttle is Twilio's preferred payments partner, so you must be a Twilio customer. A carrier-agnostic version that removes the Twilio requirement is landing later in 2026.

Can I build PCI-compliant payment capture myself on Vapi? Technically, but PCI DSS Level 1 certification runs $500,000+ upfront and $200,000+/year. Shuttle provides the same capability at $0.20 per successful transaction.

What payment gateways does Shuttle support? 30+ gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, and Square. Switching gateways is configuration, not re-integration. A few gateways (Braintree, for example) do not work for voice capture but do work for payment links.

Does this work with Vapi tool calls? Yes. The payment is typically triggered from a tool call or your backend, and your application picks the conversation back up on Shuttle's result webhook.

Can I use this for outbound calls? Yes. The same secure handoff works for outbound agents that need to collect payment during a call.

Does the customer hear the agent during card entry? During the secure capture, Shuttle plays the prompts and the agent's voice is paused. Once payment is complete, your application resumes the conversation. Note that cleanly returning the caller to the same agent is not yet turnkey today.
