Compliance Requirements

PCI Compliance for Phone Payments (MOTO): What UK Businesses Need to Know

Taking card details over the phone is one of the trickiest areas of PCI DSS — especially if you record calls. Here's how MOTO payments work under PCI and how to stay compliant.

Fraud Defence First
27 June 2026
6 min read

Taking card details over the phone — known as MOTO (Mail Order / Telephone Order) — feels simple, but it is one of the easiest ways for a business to fall out of PCI compliance without realising it. The problem is rarely the payment itself; it's everything around the call.

Phone payments are in scope

When a customer reads their card number to a staff member who keys it into a virtual terminal, cardholder data is being processed by your business and your people. That brings the call environment, your staff and your systems into PCI scope. Depending on your setup, this typically means SAQ C-VT (for a virtual terminal) or, in more complex cases, SAQ D.

The call-recording trap

Many businesses record calls for training or quality. If a recording captures the customer reading out their card security code (the 3- or 4-digit CVV2/CVC2/CID), you are storing sensitive authentication data — which PCI DSS prohibits keeping after authorisation. Recording the card number (PAN) itself isn't outright banned, but it pulls the recording into PCI scope and the number must be protected. Either way, a well-meaning call-recording policy can quietly create a serious compliance problem.

How to take phone payments compliantly

  • Never store the card security code (the 3- or 4-digit CVV2/CVC2/CID) anywhere — including in call recordings or notes.
  • If you record calls, pause-and-resume recording around card capture, or use DTMF masking so customers key digits into their phone instead of speaking them.
  • Use a virtual terminal from a reputable provider rather than writing details down.
  • Train staff never to write full card numbers or security codes on paper or in chat.
  • Restrict who can take payments and access any payment systems.
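The first and fourth points above are only enforceable if you can check for violations. The following is an added example (not code from Fraud Defence First or from any PCI tooling) of a small scanner that reads free-text call notes or chat messages and flags two things: full card numbers, identified as 13-19 digit runs that pass the Luhn checksum (so order references and phone numbers are not reported), and security codes, identified as a CVV/CVC/CID keyword followed by three or four digits. Reported PANs are masked to first six and last four digits so the report itself does not become another place the PAN is stored. The sample notes are constructed and use publicly known test card numbers, not real cardholder data.

```python
"""Scan free-text call notes / chat transcripts for cardholder data that
should never have been written down: full PANs and card security codes.
Added example; assumes constructed sample notes and test card numbers."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security-code mention: a CVV/CVC/CID-style keyword followed closely
# by a 3- or 4-digit number.
CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security\s+code|sec\s+code)\b\D{0,12}?(\d{3,4})\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    kind: str   # "PAN" or "CVV"
    value: str  # masked PAN, or "[redacted]" for a security code


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out order refs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line_no: int, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(line_no, "PAN", mask_pan(digits)))
    for _ in CVV_RE.finditer(text):
        # Never echo the code itself; its presence is the violation.
        findings.append(Finding(line_no, "CVV", "[redacted]"))
    return findings


def scan_notes(lines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample notes (4111..., 5555... are standard test card numbers).
SAMPLE_NOTES = [
    "Customer confirmed card 4111 1111 1111 1111, exp 09/27, CVV 123 - taken over phone",
    "Order ref 1234567890123456 shipped, no card details taken",
    "Refund processed to card ending 1111",
    "Caller gave security code 4321 for the Amex",
    "Card 5555-5555-5555-4444 keyed into the virtual terminal; call not recorded",
]

if __name__ == "__main__":
    for f in scan_notes(SAMPLE_NOTES):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Run against the constructed notes, lines 1 and 5 are reported for containing a full PAN, and lines 1 and 4 for containing a security code; the order reference on line 2 fails the Luhn check and is ignored, and "card ending 1111" on line 3 is not a full PAN. The same two checks can be pointed at speech-to-text output from call recordings to confirm that pause-and-resume or DTMF masking is actually keeping card data out of the archive.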

Technologies like DTMF masking and descoping solutions can take your phone lines almost entirely out of PCI scope. Which approach is right depends on your call volumes and systems — and on getting the right SAQ in the first place.

If you take payments by phone and aren't sure you're compliant, our managed service will review your setup and get you validated. The complete PCI DSS guide has the wider context.

Need Expert PCI Compliance Help?

Our PCI compliance specialists are here to guide your business through the certification process. Get personalised advice and ensure your business stays compliant.