Mail Order / Telephone Order, commonly abbreviated as MOTO, remains one of the most significant payment channels for European businesses. Insurance companies, travel agencies, government services, utility providers, catalogue retailers, and B2B suppliers rely heavily on telephone payments. Despite the growth of e-commerce, MOTO transactions accounted for an estimated €180 billion in European payments in 2024 - and the channel continues to grow in sectors where personal assistance, complex orders, or regulatory requirements make phone interaction essential.
Yet MOTO environments present some of the most challenging PCI DSS compliance problems. Card data is spoken aloud by customers, typed into systems by agents, potentially displayed on screens visible to nearby staff, and captured in call recordings that may be retained for years. Each of these touchpoints represents an exposure point that must be secured under PCI DSS. For call centre operators, this creates a fundamentally different - and often more expensive - compliance programme than what is needed to secure an online checkout page.
- MOTO payments create a unique PCI scope: card data can be exposed via voice audio, agent screens, keyboard input, and call recordings simultaneously.
- DTMF masking and secure IVR allow customers to enter card digits via keypad so the agent never hears or sees the full card number.
- Call centres using a PCI Proxy with DTMF masking can typically qualify for SAQ A-EP instead of the far more demanding SAQ D.
What Are MOTO Payments and How Do They Work?
MOTO payments are card-not-present (CNP) transactions in which the cardholder provides their card details by post or telephone rather than presenting a physical card or interacting with an online form. In practice, the vast majority of MOTO volume today is telephone-based. The typical flow is straightforward: a customer calls a business, an agent assists with the order, and when it comes time to pay, the customer reads out their card number, expiry date, and CVV. The agent types these details into a payment terminal, CRM system, or web payment form, and the transaction is processed.
The simplicity of this flow is precisely what makes it problematic from a PCI perspective. At multiple points during the interaction, sensitive card data exists in a human-accessible form: the customer speaks it aloud, the agent hears it (and potentially repeats it for confirmation), the agent's screen displays it, the agent's keyboard captures it, and - critically - the call recording system may store it. Each of these exposure points creates PCI DSS scope and requires specific security controls.
MOTO transactions are classified as card-not-present by card schemes, meaning they are subject to higher fraud rates and higher interchange fees than chip-and-PIN or 3D Secure authenticated transactions. This also means that liability for fraudulent transactions typically falls on the merchant - making robust security and compliance even more important.
PCI DSS Requirements Specific to MOTO Environments
PCI DSS does not have a separate standard for MOTO payments, but several requirements have specific implications for telephone payment environments. The standard applies to any system, process, or person that stores, processes, or transmits cardholder data - and in a call centre, this includes agents, their workstations, telephony infrastructure, the CRM or payment application, and the call recording system.
Key PCI DSS Requirements for Call Centres
- Requirement 3: Protect stored cardholder data. If card numbers appear in recordings, CRM records, or agent notes, they must be encrypted, masked, or ideally not stored at all.
- Requirement 4: Encrypt transmission of cardholder data. The telephone link between the customer and the payment system must be secured - this applies to SIP trunks, IVR connections, and agent desktop communications.
- Requirement 7: Restrict access to cardholder data. Agents should see only the minimum card data necessary, and access must be role-based and tracked.
- Requirement 8: Identify and authenticate access. Every agent must have a unique ID, with multi-factor authentication for systems handling card data under PCI DSS v4.0.
- Requirement 9: Physical security. Agent workstations in card handling areas must be in controlled environments with CCTV, badge access, and restrictions on personal devices.
For a call centre with no scope-reduction technology, these requirements translate into SAQ D - the most comprehensive PCI self-assessment questionnaire, with over 300 individual controls. The cost of maintaining SAQ D compliance for a call centre with 200 seats typically ranges from €120,000 to €250,000 per year, accounting for network segmentation, dedicated secure zones, QSA audits, penetration testing, security tools, and staff training.
The Call Recording Dilemma
Call recording is mandatory in many European industries. Financial services firms must record calls under MiFID II. Insurance companies record for dispute resolution and regulatory compliance. Customer service operations record for quality control and training. The problem is that if card data is spoken during a call and the call is recorded, the recording becomes a storage location for cardholder data - putting the entire recording infrastructure in PCI DSS scope.
PCI DSS Requirement 3.2 explicitly states that sensitive authentication data (including CVV/CVC codes) must not be stored after authorisation, even if encrypted. This means that if a customer speaks their CVV during a recorded call and the recording captures that audio, you are in violation of PCI DSS - regardless of whether the recording is encrypted. Unlike the PAN, which may be retained if it is rendered unreadable, the CVV cannot be stored after authorisation, full stop.
The traditional solution was pause-and-resume: the agent manually pauses the recording when the customer begins providing card details, and resumes after the card has been processed. This works in theory but introduces operational risk. Agents can forget to pause, do so too late (after the customer has already begun speaking the card number), or fail to resume (creating gaps that raise regulatory questions). In high-volume call centres, pause-and-resume compliance rates of 95% or above are considered excellent - but that still means 5% of calls may contain card data in the recording, which is a PCI violation.
More critically, pause-and-resume leaves the agent fully exposed to card data. They hear the full card number, see it on screen, and type it into the payment system. The agent and their workstation remain fully in PCI scope, and all associated physical security, access control, and monitoring requirements apply.
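The three pause-and-resume failure modes above (no pause, late pause, no resume) are exactly what a compliance audit of recorder logs has to catch. The following Python script is an added example, not from the original article; it assumes a constructed event log in which the CRM logs card_start/card_end and the recorder logs rec_pause/rec_resume, and reports per-call findings plus the compliance rate the text refers to.

```python
from collections import defaultdict

# Constructed sample of CRM and recorder events: (call_id, seconds_into_call, event).
# "card_start"/"card_end" bracket the card-capture step logged by the CRM;
# "rec_pause"/"rec_resume" are the recorder controls the agent triggers manually.
EVENTS = [
    ("c1", 118, "rec_pause"), ("c1", 120, "card_start"),
    ("c1", 160, "card_end"), ("c1", 161, "rec_resume"),      # handled correctly
    ("c2", 90, "card_start"), ("c2", 130, "card_end"),        # agent forgot to pause
    ("c3", 60, "card_start"), ("c3", 75, "rec_pause"),
    ("c3", 100, "card_end"), ("c3", 101, "rec_resume"),       # paused 15 s too late
    ("c4", 28, "rec_pause"), ("c4", 30, "card_start"),
    ("c4", 70, "card_end"),                                   # never resumed
    ("c5", 40, "rec_pause"), ("c5", 45, "rec_resume"),        # no card capture at all
]

def audit_call(events):
    """events: [(seconds, event)] for one call. Returns findings, or None if no card capture."""
    when = {}
    for secs, ev in sorted(events):
        when.setdefault(ev, secs)                  # first occurrence of each event type
    if "card_start" not in when:
        return None
    start, end = when["card_start"], when.get("card_end", float("inf"))
    pause, resume = when.get("rec_pause"), when.get("rec_resume")
    findings = []
    if pause is None:
        findings.append("no_pause")                # whole card read-out is in the recording
    elif pause > start:
        findings.append("late_pause")              # digits spoken before the recorder stopped
    if pause is not None and resume is None:
        findings.append("no_resume")               # unexplained gap for the rest of the call
    elif pause is not None and resume < end:
        findings.append("early_resume")            # recorder back on while card data still spoken
    return findings

def audit(events):
    """Group the raw log by call and audit only calls that reached the card step."""
    by_call = defaultdict(list)
    for call_id, secs, ev in events:
        by_call[call_id].append((secs, ev))
    report = {cid: audit_call(evs) for cid, evs in by_call.items()}
    return {cid: f for cid, f in report.items() if f is not None}

def compliance_rate(report):
    """Share of card-capture calls with no findings (the text calls 95% excellent)."""
    return sum(1 for f in report.values() if not f) / len(report) if report else 1.0
```

Every call with a finding is one whose recording must be treated as in-scope storage of cardholder data until the segment is located and purged.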
Agent Security Protocols
In traditional MOTO environments - those without technology-based scope reduction - agents handling card data must operate under strict physical and procedural controls. These are driven by PCI DSS Requirements 7, 8, and 9, and are among the most costly and operationally impactful aspects of PCI compliance in call centres.
Clean room environments: Agents handling card data must work in physically secured areas. These "clean rooms" or "secure zones" require controlled access (badge readers, mantrap doors), CCTV monitoring, restrictions on personal mobile phones, cameras, and USB storage devices, and prohibitions on paper, pens, and any material usable for copying card numbers. Setting up and maintaining a clean room for a team of 50 seats costs €30,000–€60,000 for initial setup plus €10,000–€20,000 annually for monitoring, maintenance, and audits.
Screen masking and session controls: Agent desktop applications must be configured to mask card data on screen - typically showing only the last four digits after the card has been entered. Screen capture software must be blocked and clipboard access restricted. Session timeouts must be enforced and each agent must authenticate with a unique credential before accessing the payment system.
Background checks and training: Agents with access to cardholder data must undergo background checks (criminal record, identity verification) and receive annual PCI awareness training. They must sign acknowledgements of security policies and understand the consequences of non-compliance. For call centres with high turnover rates - common in the industry - the overhead of ongoing screening and training is substantial.
Headset and audio controls: In some high-security environments, agents use specialised headsets that prevent audio from being heard by adjacent staff. Acoustic barriers, white noise generators, and desk-spacing requirements may also be enforced. These physical controls add cost and reduce flexibility in call centre floor planning.
Technology Solutions for MOTO Compliance
The good news is that modern technology solutions can eliminate most of the human and physical security controls described above - ensuring agents never have access to card data at all. Three primary technologies address this challenge.
DTMF Masking
DTMF (Dual-Tone Multi-Frequency) masking is the most widely adopted technology for secure MOTO payments. When the agent reaches the payment stage, they click a button to initiate card capture. The customer is asked to enter their card number, expiry date, and CVV using their phone keypad rather than speaking the digits aloud.
A PCI Proxy sits between the customer's phone and the agent's audio stream. It intercepts the genuine DTMF tones (which encode the actual digits), captures them, and replaces the audio sent to the agent with flat, uniform tones. The agent hears "beep, beep, beep" but cannot determine which digits were pressed. The call recording also captures only flat tones. Meanwhile, the PCI Proxy tokenises the card number and returns a token on the agent's screen.
The result: the agent never sees, hears, or has access to the full card number. The call recording contains no cardholder data. The agent's workstation is out of PCI scope. And the customer experiences a smooth, natural payment interaction without being transferred to an automated system.
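To make the masking flow concrete, here is an added Python simulation of the proxy described above (example code, not any vendor's product): it assumes a single flat placeholder tone, a Luhn check before tokenisation, and a tokeniser that keeps the PAN only inside the proxy and hands the agent a token plus the last four digits.

```python
import secrets

FLAT_TONE = "*"   # stands in for the uniform tone the agent and recorder hear

def luhn_ok(pan):
    """Luhn check used to validate the captured PAN before tokenising."""
    if not (12 <= len(pan) <= 19 and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class DtmfMaskingProxy:
    """Simulated PCI proxy between the customer leg and the agent/recorder legs."""
    def __init__(self):
        self.capturing = False
        self.buffer = []         # real digits, visible only inside the proxy
        self.agent_audio = []    # what is forwarded to the agent headset
        self.recording = []      # what the call recorder stores
        self.vault = {}          # token -> PAN, held only in the proxy's certified environment

    def start_capture(self):     # the agent clicks "take payment"
        self.capturing = True
        self.buffer = []

    def on_dtmf(self, key):
        """One keypress from the customer leg."""
        if self.capturing:
            if key.isdigit():
                self.buffer.append(key)
            self.agent_audio.append(FLAT_TONE)   # every keypress is masked, including # and *
            self.recording.append(FLAT_TONE)
        else:
            self.agent_audio.append(key)         # outside capture, tones pass through (menus etc.)
            self.recording.append(key)

    def finish_capture(self):
        """Validate and tokenise; only the token and last four reach the agent screen."""
        self.capturing = False
        pan, self.buffer = "".join(self.buffer), []
        if not luhn_ok(pan):
            return {"status": "invalid"}         # agent re-prompts; no PAN is ever shown
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan
        return {"status": "ok", "token": token, "last4": pan[-4:]}
```

In a real deployment the vault and the authorisation call live in the provider's PCI DSS Level 1 environment; the call centre only ever stores the token.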
Secure IVR
Secure IVR (Interactive Voice Response) is an alternative approach in which the customer is briefly transferred to an automated voice system that collects card details. The agent is placed on hold during the capture process and has no access to card data. Once the card is tokenised, the call returns to the agent with the token displayed on screen.
Secure IVR is particularly useful in environments where DTMF reliability is a concern (some VoIP networks compress or distort DTMF tones) or where the customer base is less comfortable with keypad entry. The IVR can guide the customer in multiple languages and provide clear instructions. The recording system either excludes the IVR segment entirely or captures only the automated instructions with no cardholder data.
PCI Proxy Tokenisation
Both DTMF masking and secure IVR feed into the PCI Proxy tokenisation engine. The proxy captures card data in a PCI DSS Level 1 certified environment, validates the card, tokenises the PAN, and returns a token on the agent's screen. The token can then be used for payment processing, stored in the CRM, and referenced for future transactions - all without any system in the call centre ever having access to the real card number.
This approach shifts the call centre from SAQ D (over 300 requirements) to SAQ A-EP (approximately 140 requirements) or even SAQ A (approximately 22 requirements), depending on the integration architecture. The cost savings are dramatic: €80,000–€150,000 per year for a typical 200-seat operation.
Compliance Approach Cost Comparison
The financial case for technology-based MOTO compliance is compelling. Here is a realistic comparison of the three main approaches for a European call centre with 200 seats processing 500,000 MOTO transactions per year.
| Cost Category | Traditional (SAQ D) | Pause & Resume | PCI Proxy + DTMF |
|---|---|---|---|
| Network segmentation | €25K–€40K | €20K–€35K | €0 |
| Clean room / physical security | €30K–€60K | €30K–€60K | €0 |
| QSA audit fees | €20K–€50K | €20K–€50K | €5K–€15K |
| Pen testing & scans | €15K–€30K | €15K–€30K | €5K–€10K |
| Security tools & monitoring | €15K–€30K | €15K–€30K | €3K–€8K |
| Staff training & screening | €10K–€20K | €10K–€20K | €2K–€5K |
| PCI Proxy subscription | - | - | €18K–€36K |
| Annual Total | €115K–€230K | €110K–€225K | €33K–€74K |
The numbers tell a clear story. Pause-and-resume offers negligible savings compared to the traditional approach because the agent still handles card data and all physical, procedural, and monitoring controls remain necessary. PCI Proxy with DTMF masking, by contrast, completely removes the agent from the card data flow - eliminating the need for clean rooms, extensive network segmentation, and much of the QSA audit scope. The total cost reduction is typically 60–75%.
Conclusion
MOTO payments are not going away. For many European businesses, telephone payments remain an essential channel - driven by customer preference, regulatory requirements, product complexity, or the need for personal assistance. But the PCI DSS compliance burden for traditional MOTO environments is disproportionately high relative to the risk, and the costs accumulate year after year with every audit cycle, staff turnover wave, and infrastructure upgrade.
Technology-based solutions - DTMF masking, secure IVR, and PCI Proxy tokenisation - fundamentally change the equation. By removing card data from the agent and call centre infrastructure, these solutions eliminate the root cause of MOTO PCI complexity. Agents are free to focus on customer service rather than security procedures. Call recordings remain continuous and complete, satisfying both PCI and regulatory requirements. And compliance costs fall by 60–75%, freeing budget for business priorities rather than security overhead.
If your call centre is still using pause-and-resume or traditional card capture, the question is not whether to adopt a PCI Proxy - it is how quickly you can implement one. The technology is mature, integration is straightforward, and the ROI is measured in weeks, not years.