Can an AI take payments over the phone?
Yes, but only through a PCI-compliant flow. Modern AI voice platforms use DTMF masking or tokenized payment links to collect card data without exposing it to the AI or to call recordings.
Written By Rick Garcia
Last updated about 2 hours ago
Yes: an AI voice agent can take payments over the phone, but only if it's running on a PCI-compliant platform that handles card data correctly. On a properly configured platform, the AI never hears or stores the card number; the digits are captured through a protected channel and immediately tokenized.
Platforms that don't handle this correctly should not be taking phone payments at all. Capturing card data through a general-purpose AI conversation would expose card numbers in call recordings, transcripts, and the AI's context, a serious violation of PCI DSS.
The two compliant ways to take payments over the phone with AI
• DTMF masking (keypad entry): the AI asks the caller to enter their card number on the keypad. The tones are intercepted and sent directly to the payment processor without passing through the AI's context or the call recording. The AI sees only a success or failure result.
• Tokenized payment link: the AI sends the caller a secure, single-use payment link by text during the call. The caller completes payment on a PCI-compliant web page, and the AI receives only a confirmation.
Both keep the card number out of the AI, out of call recordings, and out of your systems entirely.
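As an added illustration (not part of this article and not the 365agents platform's own code), the following Python sketch models the DTMF-masking flow described above beside the non-compliant "read it aloud" flow, then checks what each one leaves visible to the AI's context and to the recording/transcript. The DtmfPaymentCapture class, CallContext, and the in-memory vault are hypothetical stand-ins for the telephony layer and the payment processor; the card number is the public Visa test number, not a real account.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample PAN: the well-known Visa test number 4111 1111 1111 1111 (not a real account).
SAMPLE_PAN = "4111111111111111"


@dataclass
class CallContext:
    """Everything that ends up in the call recording/transcript or in the AI's context window."""
    transcript: list = field(default_factory=list)
    agent_context: list = field(default_factory=list)


class DtmfPaymentCapture:
    """Hypothetical telephony-side component. It sits between the caller's keypad and the AI,
    forwards the tones to the processor boundary, and hands the AI only a token and a result."""

    def __init__(self):
        # Stand-in for the payment processor's vault; a real platform never holds this itself.
        self.processor_vault = {}

    def capture(self, ctx, keypad_digits):
        # The recording/transcript gets a placeholder, never the digits themselves.
        ctx.transcript.append(f"[caller entered {len(keypad_digits)} keypad digits: masked]")
        token = "tok_" + secrets.token_hex(8)
        self.processor_vault[token] = keypad_digits
        # The last four digits are the truncated form normally allowed on receipts and confirmations.
        return {"status": "approved", "token": token, "last4": keypad_digits[-4:]}


def run_masked_call(pan_entered_on_keypad):
    """Compliant flow (DTMF masking): the AI never sees the card number."""
    ctx = CallContext()
    capture = DtmfPaymentCapture()
    ctx.transcript.append("AI: Please enter your card number on the keypad, then press pound.")
    result = capture.capture(ctx, pan_entered_on_keypad)
    # Only the outcome, the token and the last four digits reach the model's context.
    ctx.agent_context.append(
        {"payment": result["status"], "token": result["token"], "last4": result["last4"]}
    )
    ctx.transcript.append(
        f"AI: Thank you, your payment with the card ending in {result['last4']} was approved."
    )
    return ctx, result


def run_unmasked_call(pan_spoken_aloud):
    """Non-compliant flow: the caller reads the number aloud and the AI repeats it back."""
    ctx = CallContext()
    ctx.transcript.append("AI: Please read me your card number.")
    ctx.transcript.append(f"Caller: {pan_spoken_aloud}")
    ctx.agent_context.append({"caller_said": pan_spoken_aloud})
    ctx.transcript.append(f"AI: To confirm, that is {pan_spoken_aloud}?")
    return ctx, {"status": "approved"}


def pan_exposed(ctx, pan):
    """True if the full card number appears anywhere the AI or the recording can see."""
    visible = ctx.transcript + [str(item) for item in ctx.agent_context]
    return any(pan in text.replace(" ", "").replace("-", "") for text in visible)


if __name__ == "__main__":
    masked_ctx, _ = run_masked_call(SAMPLE_PAN)
    spoken_ctx, _ = run_unmasked_call(SAMPLE_PAN)
    print("masked flow exposes PAN:", pan_exposed(masked_ctx, SAMPLE_PAN))
    print("spoken flow exposes PAN:", pan_exposed(spoken_ctx, SAMPLE_PAN))
```

The point of the sketch is the boundary: in the masked flow the only objects the model and the recording ever hold are a placeholder, a token and the last four digits, so there is nothing for a transcript export or a prompt log to leak. A tokenized payment link has the same shape, with the web payment page taking the place of the keypad capture.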
What the AI can do during a payment call
Explain the amount due, breakdown, and due date
Verify the caller's identity to the level your business requires
Route the caller through the correct payment flow (DTMF or link)
Confirm successful payment or retry on failure
Email or text a receipt
Update your billing system with the new payment status
Escalate to a human for disputes, refunds, or unusual situations
What an AI platform should have in place to take payments
PCI DSS SAQ D compliance as a service provider
A signed service-provider agreement with PCI-specific terms
Proven DTMF masking or tokenized-link infrastructure
Clear data handling: card data never in recordings, transcripts, logs, or model context
Audit logs of every payment attempt for your records
Common use cases
Service businesses collecting balance-due or deposit payments
Healthcare practices collecting copays or outstanding balances
Professional services collecting consultation fees at booking
Subscription or membership businesses collecting renewals
Late-payment collection (with all the usual legal and compliance considerations)
What a non-compliant "AI taking payments" looks like
The AI asks the caller to read their card number aloud
The card number appears in the call recording or transcript
The AI repeats the card number back to "confirm"
The card data is stored unencrypted in the platform's logs
If any of these happen, the platform is not PCI-compliant, even if it calls itself "PCI-ready." Ask for the platform's Attestation of Compliance (AoC) before taking any phone payments through their AI.
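As an added example (not from this article or from 365agents), here is a small Python scanner that runs over transcript and log lines looking for the signs listed above: runs of 13 to 19 digits that pass the Luhn check, including the spaced or dashed forms that speech-to-text output or a debug log might produce. The sample lines are constructed. Each finding records only the line number and the last four digits, so the alert does not itself become one more place the card number is stored.

```python
import re

# Candidate card-number runs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation: real card numbers pass, most order ids and phone numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid 13-19 digit runs in text, normalized to bare digits."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_artifacts(lines):
    """Scan transcript or log lines; findings carry only the line number and last four digits."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append({"line": lineno, "last4": pan[-4:], "length": len(pan)})
    return findings


# Constructed sample lines (not real calls): a caller turn, the AI "confirming" the number back,
# a debug log entry with the raw payload, and benign numbers that should not be flagged.
SAMPLE_LINES = [
    "Caller: sure, it's 4111 1111 1111 1111",
    "AI: To confirm, that's 4111-1111-1111-1111, correct?",
    '2024-05-01T10:02:11Z DEBUG payment_payload={"card": "4111111111111111", "exp": "12/27"}',
    "Caller: my callback number is 555-867-5309",
    "AI: Your order reference is 1234567890123456.",
    "[caller entered 16 keypad digits: masked]",
]

if __name__ == "__main__":
    for finding in scan_artifacts(SAMPLE_LINES):
        print(f"line {finding['line']}: card number ending {finding['last4']} ({finding['length']} digits)")
```

Run against the constructed lines, lines 1 to 3 are flagged (the spoken number, the AI repeating it, and the unencrypted log payload), while the phone number is too short and the order reference fails the Luhn check. A scanner like this belongs in the pipeline that ingests recordings, transcripts and platform logs, so that a platform's "card data never in recordings, transcripts, logs, or model context" claim is something you can verify rather than take on trust.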
See it in action
The Receptionist Agent at 365agents supports both DTMF masking and tokenized payment links for phone payments. We're a PCI DSS SAQ D service provider, and our Attestation of Compliance is available through our Trust Center.