How to Take Payments on Voiceflow: PCI-Compliant AI Agent Payments

By Shuttle Team, May 26, 2026

Voiceflow is a no-code AI agent builder used by product teams, agencies, and enterprise developers to design and deploy voice and chat agents without writing a full application from scratch. It supports Twilio-backed voice deployments and web chat, and its visual canvas lets teams ship complex conversational flows quickly. Thousands of teams use it to build customer support bots, sales agents, and automated service experiences.

When those agents reach a payment moment, they hit a wall. Voiceflow has no native payment product. Its Stripe connector is a user-configured API block that can generate a Stripe payment link and send it by email or chat, but that is not in-flow card capture. There is no PCI-compliant DTMF capture, no gateway connection, and no card processing inside the agent conversation itself. Voiceflow holds SOC 2, ISO 27001, and HIPAA certifications, but it is not a PCI DSS certified payment environment. Any attempt to collect raw card data through the agent flow creates PCI scope across your entire stack.

This guide is for teams building Voiceflow agents that need to collect card payments as part of the conversation, whether on voice calls or web chat, without putting their platform or their customers' data at risk.


The Payment Challenge for Voiceflow Agents

Voiceflow's payment gap is not a design flaw; it reflects a deliberate choice to stay focused on agent orchestration. But that gap has real consequences for builders who need payment capability.

**The Stripe connector sends a link; it does not capture a card.** Voiceflow's Stripe API block allows you to call Stripe's API and generate a payment link that is delivered by email or chat message. The customer then completes payment on a Stripe-hosted page, off-platform. That works for some chat use cases, but it breaks the in-call experience entirely on voice, and it introduces a drop-off point that costs conversions.

**Keypad input is not the same as PCI-compliant DTMF capture.** Voiceflow supports a generic keypad input block for collecting numeric input from callers. But collecting card digits through a standard keypad block does not isolate those digits from the agent pipeline. DTMF tones that carry cardholder data must be captured, masked, and processed in a certified PCI DSS environment. A generic keypad input block provides none of that infrastructure, and routing those digits through Voiceflow's transcription or logging layer puts your application directly into PCI scope.

**Building the compliance layer yourself is not feasible for most teams.** PCI DSS Level 1 certification requires a Qualified Security Assessor, quarterly vulnerability scans, annual penetration testing, and an ongoing programme of controls. The upfront cost alone runs into hundreds of thousands. For a team using Voiceflow to ship agents quickly, that commitment defeats the purpose.

What you need is a payment layer that sits between Voiceflow and your gateway, captures card data in an isolated certified environment, and returns a clean result to your agent so the conversation can continue.


How Shuttle Adds Payment Capture to Voiceflow

Shuttle connects to Voiceflow via your backend, slotting in at the payment moment without requiring changes to how your agent is structured. The flow works in five steps.

  1. The agent runs the conversation. Voiceflow handles intent recognition, dialogue management, and everything up to the moment payment is due. Your agent confirms the amount and tells the customer what happens next.

  2. The agent triggers Shuttle at the payment moment. Your backend receives the signal from Voiceflow (via a webhook, API step, or tool call) and creates a Shuttle payment session with the amount, currency, and gateway configuration. On voice, Shuttle takes over the DTMF capture channel. On chat, Shuttle generates a hosted payment link.

  3. Shuttle captures card data in isolation. For voice calls, Shuttle plays a secure prompt and captures keypad digits using DTMF suppression: masking tones replace the actual card tones in the audio path, so neither Voiceflow's infrastructure nor your application ever sees the raw digits. For chat, the customer clicks the hosted link and completes payment on Shuttle's PCI-certified checkout page.

  4. Shuttle processes the payment and routes to your gateway. Card data is tokenised and sent to your configured payment gateway inside Shuttle's certified environment. Your Voiceflow agent, your application, and Voiceflow's platform never touch cardholder data.

  5. Shuttle returns a clean result to your agent. A webhook delivers the outcome, a transaction reference, and a masked card number to your backend. Your Voiceflow agent picks up the result and confirms the payment in the conversation.

The customer stays in the same conversation throughout. On voice, the call does not transfer. On chat, they return to the agent window after completing the hosted checkout. Payment takes 20 to 30 seconds, then the agent continues.


Multi-PSP Support

Most Voiceflow deployments serve clients across different industries and markets, each with their own gateway preferences or contractual requirements. Shuttle connects to 30+ payment gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and Mollie, all through a single integration.

  • Per-tenant gateway routing: each client account can use their own PSP without you maintaining separate integrations

  • One integration, many processors: add new gateways by changing configuration, not code

  • Routing rules: route by currency, card type, region, or business logic to optimise authorisation rates

  • Automatic failover: if a primary gateway is unavailable, Shuttle routes to a configured secondary without dropping the transaction

For Voiceflow agencies and platform teams, this means you can offer payment capability to every client on your platform, regardless of which gateway they are contracted with, from the same Shuttle integration.


PCI Compliance

Shuttle is a PCI DSS Level 1 certified Service Provider, the highest tier of PCI DSS certification. That certification covers the entire card capture and processing environment: DTMF capture, tokenisation, gateway communication, and data storage.

What stays in Voiceflow and your application: conversation logic, intent recognition, session management, amount confirmation, and handling of non-sensitive webhook results. None of this constitutes cardholder data, so Voiceflow's platform and your application remain out of PCI scope.

What stays in Shuttle: all card data, from the moment a digit is entered on the keypad or a hosted checkout form, through to authorisation and tokenisation. Your call recordings and logs contain masking tones during the DTMF segment, not actual card digits.
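One way to verify that boundary on your side is to scan agent transcripts, logs, and the webhook result for anything that looks like a full card number. This is an added example, not Shuttle or Voiceflow code; the payload field names and the sample lines are constructed assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-length digit runs found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def redact(text: str) -> str:
    """Mask full card numbers before text reaches logs or agent variables."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return f"[PAN ****{digits[-4:]}]" if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)

def check_payment_result(payload: dict) -> list[str]:
    """Names of string fields in a webhook result that carry a full PAN."""
    return [k for k, v in payload.items() if isinstance(v, str) and find_pans(v)]

# Constructed samples. 4111 1111 1111 1111 is a widely published test number.
SAMPLE_TRANSCRIPT = [
    "Caller: my order number is 1234567812345678",
    "Caller: the card is 4111 1111 1111 1111",
]
# Hypothetical field names; the page only says the result carries an outcome,
# a transaction reference, and a masked card number.
SAMPLE_RESULT = {"outcome": "succeeded", "transaction_ref": "TX-CONSTRUCTED-001",
                 "masked_card": "411111******1111"}

if __name__ == "__main__":
    for line in SAMPLE_TRANSCRIPT:
        print(redact(line))
    print("fields leaking a PAN:", check_payment_result(SAMPLE_RESULT))
```

A hit in a transcript or log means card digits reached the agent pipeline, which is the condition the scope separation is meant to prevent.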

This separation has a direct effect on your compliance obligations. When Shuttle handles all card data, your application qualifies for SAQ-A, the simplest self-assessment tier, rather than the SAQ-D obligations that apply to environments that touch card data themselves.

Voiceflow's SOC 2, ISO 27001, and HIPAA certifications cover information security and operational controls, but they do not constitute PCI DSS certification and do not make Voiceflow's infrastructure a compliant card data environment. PCI DSS and these certifications operate in different regulatory frameworks and address different risks.


Beyond Voice: Payment Links

From the same Shuttle integration, your Voiceflow chat agent can send a payment link mid-conversation. The customer clicks through to a Shuttle-hosted checkout page, completes the payment, and the result returns to your agent in real time.

Payment links work well for higher-value transactions where customers prefer to review details on screen, for web chat agents where DTMF is not available, and for post-conversation payment follow-up. Both DTMF and payment links use the same Shuttle infrastructure and the same per-transaction pricing, so you choose the method based on the channel and context, not the integration.


Use Cases

Outbound Sales

Voiceflow agents making outbound sales calls need to close at the moment of agreement. If the agent cannot take payment on the call, the sale is deferred and often lost. Shuttle captures the card in-call so there is no callback, no separate payment step, and no drop-off between agreement and charge.

Bill-Pay and Collections

Customer service and collections agents built on Voiceflow handle account queries where payment is a natural outcome. Rather than transferring the customer to a separate IVR or payment line, Shuttle lets the agent take the payment within the same conversation, cutting handling time and improving collection rates.

Bookings and Deposits

Voiceflow agents used for appointment scheduling, hotel reservations, or service bookings can capture a deposit or full payment to secure the booking before the call or chat ends. Taking payment at the point of commitment reduces no-shows and cancellations.

Customer Support Payments

Support agents that handle billing disputes, plan changes, or account top-ups often reach a point where a payment is needed to resolve the issue. Shuttle lets the agent complete that transaction without the customer needing to visit a separate portal or call a different number.


FAQ

**Does Voiceflow process payments natively?** No. Voiceflow does not have a native payment product. Its Stripe connector is a user-configured API block that generates a Stripe payment link sent by email or chat. There is no in-flow card capture, no PCI-compliant DTMF processing, and no gateway connection inside the Voiceflow platform.

**How do I take PCI-compliant payments on Voiceflow?** Connect Shuttle to your Voiceflow agent via your backend. At the payment moment, your application triggers a Shuttle payment session. Shuttle handles all card capture, tokenisation, and gateway routing inside its PCI DSS Level 1 certified environment, then returns a result to your agent. Your Voiceflow agent and application never see card data.

**Which payment gateways does Shuttle support?** Shuttle connects to 30+ gateways including Stripe, Adyen, Worldpay, Checkout.com, Braintree, Square, and Mollie. Each tenant or client can be routed to their own configured gateway from a single integration.

**Can I build PCI-compliant payment capture into my Voiceflow agents myself?** You can build a payment integration, but achieving PCI DSS Level 1 certification yourself requires a Qualified Security Assessor, quarterly scans, annual penetration testing, and an ongoing security programme costing hundreds of thousands of pounds per year. Shuttle provides the same certified infrastructure at $0.20 per transaction with no setup fees.

**Does this work for outbound calls?** Yes. Shuttle works for both inbound and outbound voice calls. Outbound sales agents built on Voiceflow can capture payment at the point of verbal agreement, with DTMF suppression active during card entry and the result returned to the agent before the call ends.


Add Payments to Your Voiceflow Agents

Shuttle gives Voiceflow agents PCI Level 1 card capture across 30+ gateways for $0.20 per transaction, with no setup fees, no monthly fees, and no per-seat licensing (see pricing). Voice and chat payment methods are included in the same integration.
