Vapi is a developer platform for building voice AI agents. It combines speech recognition, an LLM, and text-to-speech behind a single API, so teams can ship phone agents without wiring up the voice stack themselves. You bring your own model, voice, and transcription provider; Vapi orchestrates the call.
But when a Vapi agent needs to take a payment, card data cannot be allowed to enter the AI pipeline.
This guide covers how to take PCI-compliant payments on Vapi AI voice agents using Shuttle, so your agents can collect card payments mid-call without putting your application or Vapi's platform in PCI scope.
Vapi does document a PCI approach: using squads to disable recording, logging, and transcription while the customer enters their card on the keypad. But that guidance stops at data suppression. Vapi does not process the payment and does not connect to a payment gateway, and turning off recordings is not the same as isolating card data from the agent pipeline and actually charging the card. You still need a payment layer that captures the card in isolation, keeps it out of the agent flow, and processes it. If card digits enter the audio stream unprotected, your entire stack falls into PCI scope.
Shuttle provides the payment layer that closes that gap. Your Vapi agent triggers the payment, Shuttle captures the card in an isolated PCI-certified environment, and the result comes back to your agent, all within the same conversation.
The Payment Challenge for Vapi
Vapi is API-first and developer-controlled, which means the team building the agent owns the payment decision too. That decision runs into the same compliance wall every voice AI builder hits.
**Card data cannot enter the AI pipeline.** If a customer enters card digits via their keypad during a Vapi call, those DTMF tones are cardholder data under PCI DSS. If they flow through the audio path, your transcription provider, your LLM, your call logs, and your backend are all in PCI scope.
**Disabling recordings is not the same as isolating card data.** Vapi's documented PCI pattern uses squads and an artifact plan to switch off recording, logging, and transcription during the card-collection step. That reduces what gets stored, but it does not process the payment, does not connect to a gateway, and does not guarantee the digits stay out of the agent flow. You still need a payment layer to capture and charge the card.
**Building card capture yourself is not realistic.** PCI DSS Level 1 certification costs $500,000+ upfront and $200,000+ per year, plus a Qualified Security Assessor, quarterly scans, and annual penetration testing. For a team building on Vapi to move fast, that is the opposite of fast.
**Bolting on a separate payment line breaks the experience.** Telling the caller to hang up and dial a payment number, or transferring them to an IVR, undoes the seamless agent experience and leaks conversions at exactly the wrong moment.
The answer is a payment layer that drops into the Vapi call flow, captures the card in an isolated environment, and returns a clean result to your agent.
How Shuttle Integrates with Vapi
Shuttle is API-driven, which fits Vapi's developer-first model. Your application orchestrates the payment through Shuttle's API while Shuttle handles every piece of card data inside its PCI DSS Level 1 certified environment.
Your Vapi agent runs the conversation: intent recognition, customer interaction, and amount confirmation are handled by your chosen LLM and Vapi's voice infrastructure.
Your backend triggers Shuttle: when payment is due, your server (often from a Vapi tool call or webhook) calls Shuttle's API to create a payment session with the amount, currency, and gateway configuration.
Shuttle captures card data: Shuttle takes control of the DTMF capture channel. Card digits entered on the keypad are captured by Shuttle and stripped from the audio that returns to Vapi and your application.
Payment is processed: Shuttle tokenises the card and routes it to your configured gateway. Authorisation happens entirely inside Shuttle's certified environment.
Result returned to your agent: Shuttle sends a webhook with the outcome, a transaction reference, and a masked card number. Your Vapi agent confirms the payment in the conversation.
Because Vapi exposes webhooks and tool calls, the trigger fits naturally into the agent definition you already have: detect intent, call the tool, let Shuttle handle the card, resume the conversation on the webhook result.
How It Works: Step by Step
Step 1: Payment intent recognised. Your Vapi agent detects that the customer wants to pay, either explicitly or because your application logic determines payment is due.
Step 2: Amount confirmed. The agent says the total and tells the customer they'll enter their card on the keypad.
Step 3: Payment session created. Your backend calls Shuttle's API with the amount, currency, and gateway config. Shuttle returns a session token.
Step 4: Audio stream splits. Shuttle takes control of the DTMF capture channel. The main audio path feeding Vapi's transcription and your application is isolated from the card capture path, and tones are masked with flat replacement tones.
Step 5: Card details entered. Shuttle plays a secure prompt and the customer enters card number, expiry, and CVV via the keypad.
Step 6: Tones captured in isolation. Shuttle captures the DTMF in its PCI-compliant environment. The tones never reach Vapi or your application, and recordings contain flat tones during this segment.
Step 7: Payment processed. Shuttle tokenises the card and routes it to your gateway for authorisation.
Step 8: Webhook received. Shuttle sends the result to your application: outcome, transaction reference, masked card number.
Step 9: Agent confirms. Your Vapi agent confirms the payment and continues the conversation.
The payment segment takes 20-30 seconds. The customer stays on the line throughout, with no transfers and no separate systems.
Multi-PSP Support
Whether you're a startup on Stripe, building for an enterprise that mandates Adyen, or running a multi-tenant product where every customer brings their own gateway, Shuttle connects to 30+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and Mollie.
Per-tenant gateway configuration: each of your customers can use their own PSP
Single integration: integrate with Shuttle once; gateway routing is configuration, not code
Multi-PSP routing: route by currency, region, card type, or custom rules
Failover: automatic fallback to a secondary gateway if the primary is unavailable
For developers shipping voice agents to multiple clients on Vapi, this means offering payment capability to everyone without maintaining a separate gateway integration per customer.
PCI Compliance
Shuttle is a PCI DSS Level 1 certified Service Provider, the highest level of payment security certification.
What stays in your application / Vapi: conversation logic, amount calculation, session initiation, and handling of non-sensitive webhook results. None of this is cardholder data, so your application and Vapi's platform stay out of PCI scope.
What stays in Shuttle: DTMF capture and decoding, card tokenisation, gateway communication, and secure prompt playback, all inside the certified environment.
Call recordings: DTMF tones are stripped before they reach Vapi or your application. Stored recordings contain flat masking tones during the payment segment, so there is no cardholder data in your recordings, logs, or database.
With Shuttle handling all card data, your application qualifies for SAQ-A, the simplest PCI compliance tier, rather than the SAQ-D obligations that taking card data yourself would trigger.
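The split above only holds if nothing reaching your side carries a full card number, so a backend can check for that before handing the webhook result to the agent or storing a transcript. This is an added example, not Shuttle's or Vapi's code; the field names `outcome`, `transaction_reference` and `masked_card` are hypothetical, since the page does not show Shuttle's payload schema, and the sample values are constructed.

```python
import re

# Hypothetical field names: the page lists these three values but not Shuttle's schema.
ALLOWED_FIELDS = {"outcome", "transaction_reference", "masked_card"}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit runs in text that are plausible full card numbers."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def safe_for_agent(result: dict) -> dict:
    """Fail if any field carries a full PAN, then keep only the allowed fields."""
    for key, value in result.items():
        if find_pans(str(value)):
            raise ValueError(f"field {key!r} contains a full card number")
    return {k: v for k, v in result.items() if k in ALLOWED_FIELDS}


# Constructed samples, not real Shuttle or Vapi output.
CLEAN_RESULT = {"outcome": "approved", "transaction_reference": "TXN-EXAMPLE-0001",
                "masked_card": "411111******1111", "debug": "extra field"}
LEAKY_TRANSCRIPT = "my card is 4111 1111 1111 1111 expiring next year"
```

The same `find_pans` check can run over stored transcripts and log lines; a hit there means card digits reached the agent pipeline.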
Beyond Voice: Payment Links
DTMF is the primary in-call method, but Shuttle also supports payment links. Mid-call, your Vapi agent can say it has sent a secure link by SMS; the customer opens a hosted checkout page, pays, and the result returns to your agent in real time.
Payment links suit higher-value transactions, mobile-first callers, customers who find keypad entry difficult, and post-call payments. Both methods use the same Shuttle infrastructure, and your application logic chooses which to use.
Use Cases
Outbound Sales
Vapi agents that dial prospects and close need to capture payment the moment the customer agrees. Shuttle takes the card in-call, so there is no callback and no lost sale.
AI Receptionists and Appointment Booking
Receptionist agents for clinics, salons, and service businesses can take a deposit or full payment to secure a booking before the call ends, cutting no-shows.
Customer Support and Bill-Pay
Support agents fielding account queries can take a bill payment in the same conversation rather than transferring to a separate payment line.
Scheduling and Renewals
Agents that book recurring services or handle renewals can collect payment at the point of confirmation, with the option to tokenise for future charges.
Developer Integration
API-driven. Create payment sessions, configure gateways, and receive webhooks via REST API. SDKs are available but not required.
No telephony changes. Shuttle integrates at the audio/DTMF layer, so you add payment capability without changing how your Vapi agent handles calls.
Tool-call and webhook friendly. Trigger Shuttle from a Vapi tool call and resume the conversation when the result webhook arrives.
Test mode available. Run the full payment flow with test card numbers before going live.
**$0.20 per transaction.** No setup fees, no monthly minimums, no per-seat licensing.
FAQ
**Can I build PCI-compliant payment capture myself on Vapi?** Technically yes, but PCI DSS Level 1 certification runs $500,000+ upfront and $200,000+/year. Shuttle provides the same capability at $0.20 per transaction.
**What payment gateways does Shuttle support?** 30+ gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, and Square. You configure your gateway in Shuttle and it handles routing.
**Does this work with Vapi tool calls?** Yes. The payment is typically triggered from a tool call or your backend, and the conversation resumes on Shuttle's result webhook.
**Can I use this for outbound calls?** Yes. The same integration works for outbound agents that need to collect payment during a call.
**Does the customer hear the agent during card entry?** During DTMF capture, Shuttle plays secure prompts and the agent's voice is paused. Once entry is complete, the agent resumes.
Add Payments to Your Vapi AI Agents
Shuttle is Twilio's official payment partner and a PCI DSS Level 1 certified Service Provider.