ATO — Authentication Telephone Order: The Birth of Authenticated Telephone Payments

From insecure MOTO payments to secure ATO telephone payments with PBC 3DS, native 3D Secure, SCA and no Pay by Link.

From MOTO payments to native 3D Secure in voice: how PBC 3DS brings Strong Customer Authentication to telephone payments, removes the unnecessary switch to payment links, and lays the foundations for Secure Agentic Voice Commerce

For decades, telephone card payments have remained trapped under a label that describes their past more accurately than their true potential: MOTO — Mail Order / Telephone Order.

The term was originally created to classify remote transactions in which a merchant manually entered card details provided by mail, fax, or telephone. Under this model, the issuing bank had limited means of confirming that the person ordering the payment was the legitimate cardholder.

There was no strong authentication embedded in the transaction, and telephone payments consequently became associated with higher levels of fraud, disputes, and chargebacks.

But voice itself was never the problem.

The real problem was that the payments industry continued processing telephone transactions through a legacy architecture designed before e-commerce, biometric authentication, mobile banking applications, and EMV 3-D Secure.

That reality can now change.

ATO — Authentication Telephone Order is the term proposed by Pay by Call for a new generation of telephone payments in which the transaction no longer relies exclusively on possession of the card details. Instead, it incorporates Strong Customer Authentication — SCA — through 3D Secure without interrupting the call or redirecting the customer to an external website.

PBC 3DS, a technology developed by Pay by Call and the subject of international patent applications, transforms the telephone conversation into an authenticated payment channel.

The customer can remain supported by a human agent, an IVR system, or a conversational AI agent while their bank verifies their identity and authorises the transaction.

This is not an attempt to improve the old MOTO model.

It is an attempt to replace it.

The problem was not paying by telephone, but paying without authentication

The historically poor reputation of MOTO payments is not entirely unjustified.

Traditional card-not-present telephone transactions relied primarily on static card information:

  • the card number;
  • the expiry date;
  • and the card security code.

Anyone who obtained those details could attempt to use them without having to provide strong evidence that they were the legitimate cardholder.

In 2019, before the widespread enforcement of Strong Customer Authentication in Europe, approximately 80% of the value of card fraud originated from card-not-present transactions, principally e-commerce and other remote payments.

Since then, the deployment of SCA and EMV 3-D Secure has materially changed the risk landscape.

The joint report published in 2025 by the European Banking Authority and the European Central Bank showed that, during 2024:

  • total payment fraud within the European Economic Area reached approximately €4.2 billion, representing a 17% increase compared with 2023;
  • card fraud accounted for approximately €1.3 billion;
  • the overall card fraud rate was approximately 0.033% of the value processed;
  • for card transactions carried out within the European Economic Area, fraud in transactions without SCA was approximately twice as high, both by value and by volume, as fraud in transactions protected by SCA;
  • in transactions involving counterparties outside the European Economic Area, where SCA may not be mandatory, fraud without authentication was approximately three times higher by value and four times higher by volume;
  • and the fraud rate for European cards used outside the European Economic Area was approximately 17 times higher than the rate observed in domestic transactions.

These figures do not mean that SCA eliminates fraud completely. No individual security mechanism can do that.

They do, however, demonstrate that Strong Customer Authentication materially changes the risk profile of a remote transaction.

The conclusion is clear: if Strong Customer Authentication has helped protect e-commerce, the next logical step is to bring it to transactions initiated through the voice channel.

MOTO is a regulatory classification, not a security architecture

Under PSD2, certain transactions initiated by mail or telephone may be classified as non-electronic remote transactions and may therefore fall outside the mandatory scope of SCA.

However, the European Banking Authority has clarified that the classification depends on how the transaction is actually initiated and executed.

Where card details are entered manually by the merchant, there may be circumstances in which SCA is required.

The EBA has also warned against overly broad interpretations of the MOTO exemption and against using this classification as a means of avoiding Strong Customer Authentication. Regulatory proposals have included a clearer definition of MOTO, minimum security requirements, and a more restrictive interpretation of its scope.

This makes it essential to distinguish between three concepts that are still too frequently confused:

MOTO describes the historical method used to initiate certain remote transactions.

PCI DSS protects the environments in which card data is stored, processed, or transmitted.

3D Secure and SCA authenticate the cardholder through their issuing bank.

These are complementary layers, not interchangeable alternatives.

An organisation may correctly protect card information and comply with PCI DSS while still processing a transaction in which the issuing bank has not strongly authenticated the cardholder.

Likewise, a successful 3D Secure authentication does not replace the controls required to protect sensitive payment information within the contact centre, IVR, technology infrastructure, or merchant systems.

The PCI Security Standards Council recognises that telephone payments present specific risks involving people, processes, call recording, agent workstations, remote working, and the transmission of sensitive payment data.

Its guidance recommends minimising agent exposure to card information and limiting the scope of the environment in which card data can appear.

The correct evolution is therefore not to choose between PCI DSS and 3D Secure.

It is to combine:

data protection + cardholder authentication + bank authorisation + continuity of the voice experience.

That is ATO.

What is ATO — Authentication Telephone Order?

ATO is a remote payment transaction initiated within a telephone interaction in which the cardholder is authenticated by their bank through SCA and EMV 3-D Secure, while the call remains the primary channel for communication, assistance, and execution.

In an ATO payment:

  1. The transaction is linked to a specific merchant, amount, and payment purpose.
  2. Payment information is captured within a protected environment, preventing unnecessary exposure to the agent or to systems that do not need to process it.
  3. A 3D Secure authentication request is generated and linked to the transaction.
  4. The issuing bank evaluates the risk and determines whether the transaction can follow a frictionless flow or requires an additional verification step.
  5. Where a challenge is required, the cardholder authenticates through the mechanism established by their bank, such as a mobile banking application, biometrics, a password, a one-time code, or another supported factor.
  6. The telephone call remains active and the customer continues to receive assistance throughout the process.
  7. The authentication and authorisation results are returned to the voice workflow, the human agent, or the conversational system.

The customer may temporarily use their banking application to confirm the transaction if required by the issuer.

What disappears is the need to recreate the payment in another channel through a URL sent by SMS or email.

The call remains the transactional session.

3D Secure does not mean “three levels of security”

EMV 3-D Secure is the protocol used to exchange authentication information between the principal domains involved in a card-not-present transaction:

  • the merchant and acquiring environment;
  • the issuing bank;
  • and the interoperability infrastructure connecting the participants.

The protocol allows the issuer to receive contextual information about the transaction and perform a real-time risk assessment.

Where the issuer considers the available information sufficient, it may authenticate the transaction without requiring additional customer interaction. This is known as the frictionless flow.

Where further verification is necessary, the issuer activates a challenge flow.

The customer may then confirm their identity through biometrics, a mobile banking application, a password, a temporary code, or another authentication mechanism determined by the issuing bank.

EMV 3-D Secure is designed to reduce card-not-present fraud, support SCA, and allow lower-risk transactions to be authenticated through transparent flows. More recent versions of the protocol support additional data elements and enhanced mechanisms for improving risk assessment and reducing unnecessary challenges.

PBC 3DS brings this capability into the telephone environment.

It does not create a separate authentication system or attempt to replace the issuing bank.

Instead, it enables a transaction initiated through voice to participate in the 3D Secure ecosystem, allowing the issuer to authenticate the cardholder in the same way that it does within e-commerce.

It is therefore more accurate to say that ATO can provide telephone payments with the same bank-controlled authentication layer used in e-commerce, rather than claiming that 3D Secure alone guarantees absolute security across every component of the transaction.

From traditional MOTO to ATO

ElementTraditional MOTOATO with PBC 3DS
Transaction initiationTelephone, mail, fax, or manual entryVoice interaction linked to a specific transaction
Cardholder authenticationGenerally based on static card detailsSCA through EMV 3-D Secure
Issuer involvementPrimarily during authorisationRisk analysis, authentication, and authorisation
Channel continuityVoice used to collect information; payment often redirected elsewhereThe call remains the main transactional session
Exposure of card informationMay involve agent access or manual entryProtected capture and minimised exposure
Evidence of consentCall recordings, notes, or fragmented recordsAuthentication and traceability linked to the transaction
Customer experienceManual payment or subsequent payment-link deliveryReal-time, assisted payment
Readiness for AILimited and dependent on manual processesCompatible with voice agents orchestrating authenticated payments

The ATO designation does not, by itself, change the legal classification of a transaction.

That classification will depend on the implementation, the acquirer, the issuer, card-scheme rules, and the applicable regulatory framework.

The purpose of ATO is to establish a clear architectural principle:

a telephone transaction should no longer be defined by the absence of Strong Customer Authentication.

Pay by Link does not bring 3D Secure into the voice channel

In recent years, the industry’s most common response to the need for 3D Secure during a telephone interaction has been to send the customer a payment link.

The agent interrupts the process, generates a URL, and sends it through SMS, email, WhatsApp, or another messaging platform.

The customer must then:

  • receive the message;
  • find it among other notifications;
  • trust the sender and the domain;
  • open a browser;
  • wait for an external page to load;
  • locate or re-enter the required information;
  • complete the checkout;
  • perform the bank challenge where necessary;
  • and return to the call or wait for a separate confirmation.

The payment link does not itself “perform 3D Secure”.

It merely redirects the customer to a web page where an e-commerce transaction can be initiated and where 3D Secure may subsequently be performed.

This distinction is fundamental.

Pay by Link can be useful in asynchronous customer journeys, emailed invoices, messaging channels, quotations, or situations in which there is no real-time conversation.

What is inefficient is using it as the automatic response when the customer is already on the telephone, has expressed a clear intention to pay, and is being assisted by a person or voice system.

At that point, switching channels adds steps, applications, screens, delays, and new opportunities for abandonment.

Abandonment is not merely an assumption: friction can be measured

There is no universal, independent, public benchmark measuring the completion rate of every payment link.

Results vary according to:

  • the industry;
  • the transaction amount;
  • the link’s validity period;
  • the identity of the sender;
  • the customer’s device;
  • the prior relationship with the merchant;
  • and the urgency of the transaction.

It would therefore be inaccurate to claim that the general e-commerce cart-abandonment rate is identical to the abandonment rate of a payment link sent during a call.

However, there is strong evidence showing the cumulative impact of friction within digital payment journeys.

Baymard Institute places the average documented online shopping-cart abandonment rate at approximately 70.22%, based on around 50 separate studies.

Among the reasons reported by customers are:

  • 19%: lack of trust when entering card details;
  • 18%: a checkout process that was too long or complicated;
  • 15%: website errors or crashes;
  • 14%: inability to calculate the total cost in advance;
  • 10%: the preferred payment method was unavailable;
  • 8%: the card was declined.

Baymard also reports that the checkout processes it has analysed contain an average of approximately 11.3 form fields, even though many could be completed using around eight.

These figures come from general e-commerce, but they help explain the structural problem.

Every channel switch creates additional opportunities for failure:

the message does not arrive, the link expires, the page fails to load, the customer distrusts the URL, the application switch causes confusion, the transactional context is lost, the card is not immediately available, the verification code is entered too late, or the customer decides to complete the process later and never returns.

During a call, the intention to pay already exists.

The objective should not be to send the customer somewhere else.

It should be to allow the customer to complete, securely, the action they have already decided to perform.

The hidden cost of pushing the customer out of the call

Conversion is not the only metric affected by redirecting customers to payment links.

When the payment leaves the conversation, the organisation also loses part of its operational control.

The total process becomes longer

The agent must explain how the link will arrive, verify the mobile number or email address, wait for the customer to receive it, confirm the result, and in many cases contact the customer again.

Traceability becomes fragmented

The intention to pay is captured in the conversation, the link is generated in another platform, authentication takes place through the bank, and confirmation is returned through a different system.

Attempts and pending transactions multiply

Links may fail to open, expire, or remain unpaid. This can require new links to be generated and may create duplicate or ambiguous payment attempts.

Impersonation risk increases

Consumers are regularly warned about fraudulent URLs received through SMS and email.

The more the industry depends on payment links for legitimate collections, the more difficult it becomes for customers to distinguish genuine payment requests from smishing and phishing attacks.

Customer support is lost at the critical moment

If a question arises about the amount, invoice, payment purpose, card, or authentication process, the customer is no longer operating within the same environment as the agent.

Accessibility decreases

Not every customer has the same ability to move between a phone call, an SMS, a browser, and a mobile banking application.

ATO avoids this fragmentation.

It keeps the conversation, intention, authentication, and payment result synchronised.

Voice remains an essential customer channel

The assumption that every customer can simply be forced to move to a website or application does not reflect reality.

In Genesys’ global State of Customer Experience 2025 study, based on responses from more than 5,200 consumers and 1,100 business leaders, 71% of consumers stated that they still preferred the telephone when they needed assistance.

At the same time, Eurostat reports that only around 60% of the European Union population aged between 16 and 74 possesses at least basic digital skills.

This means that approximately four out of every ten people do not reach that level.

Even in widely adopted activities such as online banking, there remains a significant generational divide.

In 2025, online banking was used by approximately 61% of European internet users aged between 65 and 74, compared with approximately 78% of users between the ages of 25 and 64.

Spain has a very high level of internet usage. In 2025, 96.3% of people aged between 16 and 74 had used the internet during the previous three months.

However, only 59.6% had made an online purchase during the same period.

Internet access, digital autonomy, and willingness to complete a complex electronic payment journey are not the same thing.

Voice remains particularly relevant where there is:

  • a question that must be resolved before payment;
  • a debt or invoice requiring explanation;
  • an urgent situation;
  • a negotiated amount or payment schedule;
  • a customer with limited digital skills;
  • a failure in the online process;
  • a need for reassurance or human support;
  • or an interaction initiated by an agent, public authority, or customer-service operation.

This is why telephone payments remain difficult to replace in sectors such as:

  • public administrations;
  • utilities;
  • debt collection;
  • insurance;
  • transport;
  • travel;
  • healthcare;
  • donations;
  • citizen services;
  • and contact centres.

Public administrations: making a payment is not always the same as making a purchase

Traditional e-commerce generally begins with a purchasing decision.

The customer chooses a product, adds it to a shopping basket, and completes a checkout.

Public-sector interactions are different.

A citizen may call to discuss:

  • a traffic fine;
  • a public-service fee;
  • a tax;
  • a penalty;
  • an outstanding receipt;
  • or the status of an administrative procedure.

The need to make a payment may arise as a consequence of the conversation and may require prior explanation:

  • which authority is requesting the payment;
  • which case or file the amount relates to;
  • the payment deadline;
  • whether a surcharge applies;
  • whether instalments are available;
  • what happens after payment;
  • and how the citizen will receive proof of payment.

Forcing the citizen to abandon the call and locate a separate payment platform may reduce service quality, increase repeated enquiries, and disproportionately affect people with lower digital capabilities.

ATO allows the public authority to maintain the assistance and support while financial authentication remains under the control of the citizen’s bank.

Utilities: the invoice and the payment are part of the same conversation

In water, electricity, gas, telecommunications, and other essential services, customers often call because they:

  • do not understand an invoice;
  • need to settle an outstanding balance;
  • want to avoid a service interruption;
  • or have just agreed to a repayment arrangement.

The intention to pay frequently emerges only after the issue has been explained.

That moment has significant operational value.

If the agent sends a payment link and ends the call, the organisation converts an immediate resolution into a promise to pay at some later point.

ATO enables the organisation to complete the process within the interaction without sacrificing bank-controlled authentication.

The agent resolves the issue, the customer confirms the amount, PBC 3DS initiates authentication, and the result returns to the conversation.

Debt collection: from a promise to pay to an authenticated payment

In debt collection, the difference between “I will pay” and “the payment has been completed” determines the outcome of the entire interaction.

Sending a payment link introduces a time gap between negotiation and collection.

During that interval, doubts, interruptions, insufficient funds, mistrust, forgetfulness, or a simple change in priorities may prevent completion.

With ATO, payment can take place when the customer’s willingness to proceed is at its highest: immediately after agreeing on the debt, the amount, or the payment schedule.

Strong Customer Authentication also provides stronger evidence that the cardholder participated in the transaction, potentially reducing subsequent disputes and improving the quality of the audit trail.

Healthcare, insurance, and sensitive services: security without losing the human element

In healthcare and insurance, many transactions cannot be reduced to a simple online form.

The customer may need to:

  • confirm coverage;
  • make a co-payment;
  • pay for a consultation;
  • purchase additional protection;
  • regularise an insurance premium;
  • or pay for an urgent service.

These are situations in which explanation and trust can be as important as the payment itself.

Technology should not force organisations to choose between human assistance and security.

ATO makes it possible to combine both:

conversation, privacy, card-data protection, bank authentication, and immediate payment confirmation.

PBC 3DS: native 3D Secure within the voice experience

PBC 3DS is based on a simple principle:

Customers should not have to abandon the channel in which they have decided to pay in order to authenticate the transaction.

The platform keeps the telephone call as the central thread of the customer journey and coordinates the different components required to complete the payment.

Transactional context

The transaction is linked to the merchant, amount, and payment purpose communicated to the customer.

Protected capture

Card information can be entered using secure voice-channel mechanisms, including DTMF masking, preventing the agent from hearing or viewing the complete payment credentials.

3D Secure request

PBC 3DS generates an authentication request linked to the transaction.

Issuer risk assessment

The issuing bank decides whether the authentication can follow a frictionless flow or whether a challenge is required.

Strong Customer Authentication

Where required, the customer confirms the transaction through the authentication factors established by their bank.

Call continuity

The human agent, IVR, or AI agent remains available to guide the customer.

Authorisation and result

The response is integrated back into the telephone workflow and can be communicated to the customer immediately.

The difference between PBC 3DS and Pay by Link is not merely the elimination of a single click.

It is the avoidance of an entirely separate payment session disconnected from the original conversation.

How PBC 3DS works: secure card capture, SCA and native 3D Secure authentication, issuer authorisation and payment confirmation without leaving the voice call or using Pay by Link.

Security must be measured as a complete system

An ATO project should not be evaluated solely by the percentage of transactions authorised.

Relevant performance indicators should include:

  1. The percentage of customers agreeing to initiate payment during the call.
  2. The rate of successfully initiated 3D Secure authentications.
  3. The proportion of transactions authenticated through a frictionless flow.
  4. The challenge-completion rate.
  5. The bank-authorisation rate.
  6. Total conversion from payment intention to confirmed payment.
  7. Abandonment at each stage of the process.
  8. Average payment-completion time.
  9. Retries and pending payments.
  10. Fraud, disputes, and chargebacks.
  11. Agent exposure to card information.
  12. The PCI DSS scope of the customer’s infrastructure.
  13. Customer satisfaction and perceived effort.
  14. Operational cost per completed payment.

These metrics enable organisations to compare payment architectures fairly.

It is not enough to calculate the cost of sending an SMS.

The relevant figure is the cost of achieving a payment that is:

  • completed;
  • authenticated;
  • reconciled;
  • and not subsequently disputed.

From a legacy exemption to strategic infrastructure

European payments regulation continues to move towards stronger fraud protection, greater accountability in authentication, and a more precise definition of exemptions.

In November 2025, the European Parliament and the Council reached a provisional political agreement on the future European payments framework, including PSD3 and the proposed Payment Services Regulation.

As of May 2026, the text was still awaiting formal adoption and final publication.

Among its objectives are stronger fraud prevention, greater transparency, and a regulatory framework more capable of adapting to technological innovation.

Regardless of the final wording, the regulatory direction is clear.

The industry will increasingly need to justify why certain transactions are not authenticated and demonstrate that exemptions are not being used to reduce customer protection.

ATO moves in the opposite direction to the avoidance of SCA.

It does not attempt to preserve a historical exemption.

It brings authentication into the channel that previously lacked it.

The future will not only be human. It will be conversational and agentic

The next transformation is already under way.

AI agents are evolving from systems that simply answer questions into systems capable of executing actions, including:

  • searching for products;
  • comparing offers;
  • booking services;
  • modifying contracts;
  • resolving incidents;
  • and preparing payments.

Visa has introduced its Trusted Agent Protocol, designed to help merchants distinguish authorised AI agents from malicious bots.

Google has developed the Agent Payments Protocol — AP2 — to support agent-initiated payments with verifiable evidence of intention and authorisation.

Mastercard is incorporating verifiable-intent capabilities into its Agent Pay environment.

In 2026, EMVCo established a dedicated working group to examine consumer authorisation, trust, privacy, and interoperability within agentic payments.

EMVCo has also indicated that existing technologies such as EMV 3-D Secure, payment tokenisation, and Secure Remote Commerce may have an important role in the future of agentic commerce.

However, much of this development is being designed primarily for websites, applications, and visual e-commerce environments.

Voice must not be excluded again.

Secure Agentic Voice Commerce

Secure Agentic Voice Commerce is the next stage of development, in which a conversational agent can assist, prepare, and execute a commercial transaction through voice within a framework of verifiable consent, authentication, and traceability.

It does not mean allowing artificial intelligence to listen to card numbers and make autonomous charges.

It means building a secure sequence:

  1. The customer verbally expresses a need.
  2. The agent identifies the service, debt, booking, or transaction.
  3. It explains the conditions, amount, and beneficiary.
  4. It obtains explicit and verifiable authorisation.
  5. It initiates a transaction linked to a defined amount and merchant.
  6. PBC 3DS asks the bank to perform Strong Customer Authentication.
  7. The cardholder confirms the transaction through the factors established by their bank.
  8. The agent receives only the payment result required to continue the process.
  9. An auditable record is generated covering intention, consent, authentication, and outcome.

Under this model, AI does not replace the financial system or unilaterally decide when a customer should be charged.

The AI manages the conversation.

The customer expresses the intention.

PBC 3DS links authentication to the transaction.

The bank verifies the cardholder.

The issuer and acquirer authorise the payment.

The platform maintains traceability.

This separation of responsibilities will be essential for agentic commerce to operate with trust.

An example: paying a traffic fine through a voice agent

A citizen calls a local authority to ask about a traffic fine.

A conversational agent identifies the case, explains the amount, provides information about the deadline, and confirms that the citizen wishes to pay.

Under the current model, the system might send a link by SMS.

The citizen must then partially abandon the conversation, open the message, verify that it is legitimate, access a webpage, identify the case, and complete a checkout.

Under a Secure Agentic Voice Commerce model:

  • the case has already been identified;
  • the amount has already been explained;
  • the intention to pay has already been expressed;
  • PBC 3DS initiates authentication linked to that specific transaction;
  • the bank verifies the cardholder;
  • the payment is authorised;
  • the agent communicates the result;
  • and the citizen receives proof of payment.

The process is not recreated in a different channel.

The transaction is protected in the channel in which it is actually taking place.

From customer experience to authenticated execution

For years, the contact-centre industry has focused on:

  • customer experience;
  • automation;
  • natural-language understanding;
  • voice biometrics;
  • virtual assistants;
  • and reductions in average handling time.

Yet payment remained the point at which the conversation stopped.

The agent could inform, negotiate, resolve, and persuade.

But when the moment came to execute the transaction, the customer was redirected to a payment link or a separate process.

ATO removes this discontinuity.

It transforms voice into a channel capable not only of holding a conversation, but of completing an authenticated financial action.

PBC 3DS provides the missing component that allows this capability to extend from human agents to the next generation of artificial-intelligence agents.

Conclusion: voice does not need to disappear. It needs to be authenticated

The payments industry attempted to address the risks of MOTO by moving payment away from the telephone.

First, it allowed transactions to be manually processed under certain exemptions.

Later, it attempted to redirect customers to e-commerce through payment links.

But telephone calls have not disappeared.

Citizens continue to call public administrations.

Customers continue to ask questions about their bills.

Businesses continue to negotiate outstanding debts.

Patients continue to need assistance.

Travellers continue to resolve urgent incidents.

Consumers continue to use voice when a situation is urgent, sensitive, or complex.

The solution is not to force them into another channel.

The solution is to bring the same authentication ecosystem that transformed e-commerce security into the voice channel.

MOTO represented a telephone transaction without Strong Customer Authentication.

ATO represents an authenticated telephone transaction.

With PBC 3DS, the issuing bank can verify the cardholder through SCA and EMV 3-D Secure, the call remains active, and the customer completes the payment without having to recreate the transaction through an external link.

When conversational agents begin executing commercial transactions on behalf of individuals and organisations, this same infrastructure can become the foundation of Secure Agentic Voice Commerce.

The future of telephone payments is not about abandoning voice.

It is about authenticating it.

Pay by Call does not send customers away from the conversation so that they can pay. It brings the security of e-commerce into the conversation.

A note on the ATO terminology

Within the cybersecurity and fraud-prevention industry, the acronym ATO is also frequently used to mean Account Takeover.

For this reason, Pay by Call should consistently use the full expression “ATO — Authentication Telephone Order” in the article title, the first reference, metadata, social-media posts, and marketing communications.

This will help establish Authentication Telephone Order as a clearly differentiated category and avoid confusion with the established fraud-related meaning of the acronym.