Taking card payments over the phone with an AI voice agent: what PCI DSS actually allows
An AI voice agent must NEVER hear a card number. Yet it can still collect a payment in 90 seconds. Here are the 3 PCI-DSS-compliant architectures and which one fits.
- AI voice agent
- payment
- card
- pci
- dss
'Can my AI voice agent take a card over the phone?' is the question that separates light deployments (bookings) from heavy ones (e-commerce, hospitality, services). The answer isn't binary: yes to triggering the payment, no to hearing the digits. Here are the 3 architectures that stay PCI-DSS-compliant, and which one fits your business.
Why the agent must NEVER hear the 16 digits
If the card number passes through your server (transcription, recording, logs), you fall under PCI DSS Level 1: annual audits at $30k+, isolated infrastructure, brutal compliance. No SMB wants that. The solution: trigger every payment from the agent, but never capture the number on the agent side.
Architecture 1: post-call payment link SMS
The agent confirms the amount and says 'I'll text you the payment link, you pay, I confirm the order within 30 seconds'. It generates a one-shot Stripe/Mollie/Adyen link via webhook, the SMS goes out in 2s, and the customer pays on their phone. Conversion rate: 75-85%. Pros: zero PCI scope on the agent, instant capture. The most-used architecture.
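What crosses the agent boundary in this architecture is an order id and an amount, nothing else. The following is an added example (not VocazAI's code and not any PSP's SDK) of the orchestrator side: it mints a one-shot link, builds the SMS text, and handles the PSP's webhook so the agent only ever learns 'payment OK' or 'failed'. The link format (https://pay.example/<token>), the webhook body fields and the HMAC-SHA256 signature scheme are assumptions for illustration; Stripe, Mollie and Adyen each document their own.

```python
# Added example, not the page's or VocazAI's code. The PSP, its link format,
# webhook fields and signature scheme are all assumptions for illustration.
import hashlib
import hmac
import json
import secrets
import time

WEBHOOK_SECRET = b"constructed-shared-secret"  # shared with the hypothetical PSP
LINK_TTL_SECONDS = 15 * 60                     # a one-shot link dies after 15 minutes


def sign_webhook(body: bytes) -> str:
    """How the hypothetical PSP signs a webhook body (also used to build sample events)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def make_event(token: str, amount_cents: int, result: str) -> bytes:
    """A constructed PSP webhook body for the hypothetical provider."""
    return json.dumps({"token": token, "amount_cents": amount_cents, "result": result}).encode()


class PaymentLinkStore:
    """Tracks one-shot payment links: pay at most once, within the TTL, for the exact amount."""

    def __init__(self):
        self._links = {}  # token -> link record; no card data is ever stored here

    def create(self, order_id: str, amount_cents: int, currency: str = "EUR", now: float = None) -> str:
        """Called by the agent once the amount is confirmed; returns the URL to text."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # unguessable, single-use
        self._links[token] = {
            "order_id": order_id,
            "amount_cents": amount_cents,
            "currency": currency,
            "expires_at": now + LINK_TTL_SECONDS,
            "status": "pending",
        }
        return f"https://pay.example/{token}"  # hypothetical hosted-page URL

    @staticmethod
    def sms_text(link: str, amount_cents: int, currency: str = "EUR") -> str:
        """The SMS body: amount and link only, never card data or a receipt carrying a PAN."""
        return f"Pay {amount_cents / 100:.2f} {currency} here: {link}"

    def handle_webhook(self, body: bytes, signature_hex: str, now: float = None) -> str:
        """PSP -> orchestrator callback. Returns the only thing the agent is told,
        'payment OK' or 'failed'; 'rejected: ...' reasons stay server-side."""
        now = time.time() if now is None else now
        # 1. Authenticate the event before trusting any field in it.
        if not hmac.compare_digest(sign_webhook(body), signature_hex):
            return "rejected: bad signature"
        event = json.loads(body)
        link = self._links.get(event.get("token"))
        if link is None:
            return "rejected: unknown token"
        # 2. One-shot: a replayed or second webhook for the same token is ignored.
        if link["status"] != "pending":
            return "rejected: already used"
        # 3. Expired links fail closed.
        if now > link["expires_at"]:
            link["status"] = "expired"
            return "failed"
        # 4. The amount must match what the agent confirmed on the call.
        if event.get("amount_cents") != link["amount_cents"]:
            return "rejected: amount mismatch"
        link["status"] = "paid" if event.get("result") == "succeeded" else "failed"
        return "payment OK" if link["status"] == "paid" else "failed"

    def status(self, link: str) -> str:
        """Lets the orchestrator poll a link by URL (used for the 30-second confirmation)."""
        return self._links[link.rsplit("/", 1)[1]]["status"]


if __name__ == "__main__":
    store = PaymentLinkStore()
    url = store.create("order-42", 9000)
    print(store.sms_text(url, 9000))
    event = make_event(url.rsplit("/", 1)[1], 9000, "succeeded")
    print(store.handle_webhook(event, sign_webhook(event)))  # payment OK
```

The ordering of the checks matters: the signature is verified before any field of the body is read, and the one-shot status is checked before the amount, so a replayed webhook cannot flip an order to paid twice. Nothing in the store, the SMS or the agent's return value ever contains a PAN.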
Architecture 2: secure DTMF IVR transfer
The agent says 'I'm transferring you to the secure payment system, please enter the 16 digits then the expiry date'. The call routes to a PCI-certified IVR (Sycurio, PCI Pal, CallVU) that captures the DTMF tones WITHOUT transmitting them to the agent or logging them. At the end, the call returns to the agent, who only receives 'payment OK' or 'failed'. Compatible with seniors who don't use SMS.
Architecture 3: prepayment via web form
For services booked before payment (medical consultation, masseur, esthetician), the agent emails a confirmation/prepayment link during the call. The customer pays on their computer within 5 minutes. Strongly reduces no-shows (payment = commitment). Sweet spot for baskets > $90.
What NOT to do
- Ask the agent to repeat the card number 'to confirm': that instantly violates PCI DSS.
- Pause recording during entry and assume you are covered: the STT transcription still runs and the digits land in the transcript. Audit disaster.
- Promise an 'SMS receipt' with the card number in it: absolute ban.
- Ask for the CVV even if you have the PAN secured elsewhere: the CVV is never stored. Period.
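Because transcription keeps running whether or not the recording is paused, the transcript is where a spoken card number leaks. As an added example (not the page's or VocazAI's code), here is a Luhn-checked PAN scrubber to run over speech-to-text output before it reaches storage, logs or the language model, reporting how many PANs it found so the call can be flagged for review. The transcript lines are constructed; the Luhn check keeps order numbers and phone numbers from being redacted by mistake.

```python
# Added example, not the page's or VocazAI's code. The transcript below is
# constructed; 4242 4242 4242 4242 is a well-known Luhn-valid test number.
import re

# 13 to 19 digits with optional single space or dash separators,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

CONSTRUCTED_TRANSCRIPT = [
    "Agent: I will text you the payment link now, you do not need to read me anything.",
    "Customer: oh it is fine, it is 4242 4242 4242 4242 expiring oh five twenty-eight",
    "Agent: your order number is 2024 0917 0001 1234, you will get the SMS shortly",
    "Customer: my mobile is 06 12 34 56 78",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card networks; most 16-digit order numbers fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Returns (redacted_text, number_of_pans_found) for one transcript line."""
    found = 0

    def replace(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            found += 1
            return "[PAN REDACTED]"
        return match.group(0)  # Luhn-invalid digit run: leave it (order number, reference)

    return PAN_CANDIDATE.sub(replace, text), found


def scan_transcript(lines):
    """Redact every line and count leaked PANs so the call can be flagged for
    review before the transcript is stored, logged or fed to the LLM."""
    redacted, total = [], 0
    for line in lines:
        clean, n = redact_pans(line)
        redacted.append(clean)
        total += n
    return redacted, total


if __name__ == "__main__":
    clean_lines, leaks = scan_transcript(CONSTRUCTED_TRANSCRIPT)
    for line in clean_lines:
        print(line)
    print(f"PANs redacted: {leaks}")  # 1 for the constructed transcript
```

A non-zero count is the detection signal: it means a card number was spoken in a flow that should never carry one, and the call should be reviewed. The scrubber is a safety net behind the architectures above, not a replacement for them; a redacted transcript still proves the number passed through your pipeline.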
Cost comparison
- Stripe Checkout link via SMS: 1.4% + $0.30 per transaction. No setup.
- PCI-certified IVR: $250-600/month + $0.10 per routed call. Justified at > 1000 payments/month.
- Self-hosted PCI: $35k/year minimum. Mid-market and up.
The 1-question decision
Do your customers use SMS daily? Yes = Architecture 1 (SMS link). No (seniors, B2B shared phones) = Architecture 2 (DTMF IVR). Deferred sale > $90 = Architecture 3 (web payment). First month VocazAI free to orchestrate the one that fits.