IVR + PCI: A match made in hellven?

Voice is the Interface Most Likely to Touch Payments
How Builders Handle Sensitive Data Today (and Why It's Fragile)
Tokenization is the Trust Layer Making Agentic Commerce Work
Designing for the Agentic Future
Real World Example: Receiving Payment Data from Twilo's IVR
Final World

It feels like it was yesterday that my dad was yelling at the news channel and telling me not to trust TV, and now it is me who is telling him that the cat playing the guitar video that he found on WhatsApp is AI-generated.

It has been almost two years since I published the Shopify JS package, marking my first serious use of AI for research and development (full history here), back when Google's Bard and GPT-4 models were clueless.

Today, AI agents are no longer just answering questions. They’re selling products, collecting debts, onboarding users, and increasingly, they’re being asked to take payments. That shift is real, and it’s going commercial fast.

This isn’t just about smarter chatbots. These agents are acting. They’re completing tasks, closing tickets, and finalizing sales. They’re taking over workflows that were once owned by humans. And they’re doing it across:

Sales: Guiding prospects, capturing details, closing deals.
Onboarding: Collecting documents, provisioning access, and setting up users.
Billing and Collections: reminding, transacting, negotiating (okay, maybe this is a stretch.)

What’s new is the channel. We’ve gone beyond chat. Agents are landing on the voice interface: phone calls, IVRs (Interactive Voice Response), even drive-thrus. And voice brings a new kind of surface area: real-time capture, speech-to-text complexity, and critical payment compliance risk.

“Support and commerce are merging inside these interfaces.”

My CEO, aka Vault Daddy Colin Luce, said it best: Agentic software is already touching the places where money moves.

Voice Is the Interface Most Likely to Touch Payments

You can’t just bolt on PCI compliance when an AI is collecting a card number over the phone. But that’s where this is headed.

Real examples:

Banking: Bank of America's Erica, Capital One’s Alexa skill, and AmEx’s voice-activated account agents all support voice interaction for payments.
Collections: Skit.ai’s deployment at Southwest Recovery enables outbound debt collection with voice agents that collect payments on the call. DBS Bank built its own internal voice AI to avoid sending sensitive data off-platform.
QSR: Taco Bell, Wendy’s, and Domino’s are using drive-thru voice bots. Most don’t take cards yet, but payments are the next obvious step.
Retail: Amazon and Walmart are using chat agents to drive purchases. Checkout isn’t far behind.

Most of these interfaces start with discovery or support. But over time, they drift into transaction territory, and when they do, voice becomes a liability without a compliance strategy.

Return to Top

How Builders Handle Sensitive Data Today (and Why It’s Fragile)

When agents start handling payment data, most teams follow a similar journey:

YOLO: The urgency to ship outweighs security concerns. Payment data gets piped straight into LLMs or orchestrators without isolation, logging, or masking. It works until someone requests a compliance review or customer cards begin appearing in AI-generated test cases on the GitHub of a random overseas company.
Twilio Pay: It’s a solid starting point. You can offload PCI scope to Twilio, but it only supports a narrow set of processors.
Homegrown Vaults: Some teams try to store and encrypt cards themselves. That works until scale, audits, or processor flexibility break the model.
Direct-to-Processor: Risky, even if it works, it locks you into single vendors and invites data fragmentation.

In larger orgs, the concern is even more foundational: banks like DBS are building their own speech infra just to avoid exposing voice data externally.

Return to Top

Tokenization Is the Trust Layer That Makes Agentic Commerce Work

Here’s the unlock: if agents are going to transact, they need tokens, not raw card data. Well, maybe some metadata*. “Yes, sir, do you want to use your Visa ending in 4242 to purchase that PlayStation 5 for your newborn?”*

That’s where Basis Theory comes in. We provide the infrastructure to:

Tokenize card and sensitive data before any AI system sees it.
Support any voice stack (Twilio, Amazon, etc.) and processor (Stripe, Chase, Adyen, etc.)
Keep large language models, call logs, and orchestrators out of PCI scope.

Here is an oversimplified diagram.

Tokenization-IVR

Tokens move through the agent. Sensitive raw data doesn’t. That’s the boundary that makes agentic payments safe.

Return to Top

Designing for the Agentic Future

You can’t bolt on security once you’re in production. We’ve seen it. So we recommend designing with:

Data minimization: Agents work on tokens, not real card data.
Auditable scopes: Define exactly what parts of your stack touch PCI.
Multi-agent orchestration: Support new processors, channels, and LLMs without scope creep.

“A token is how you tell your AI what it can know — and what it shouldn’t.”

Return to Top

Real-World Example: Receiving Payment Data from Twilio’s IVR

Let’s say your voice agent uses Twilio <Pay> to collect card data through a keypad or spoken input, and you are using that high-risk merchant-friendly Payments Processor that offers the best fees, and no one knows about.

It turns out, Twilio doesn't have your PSP listed in its catalog. And even if it did, you want to be able to decide the account / MID to use, depending on the product being sold. You know, tax optimization is still legal.

Note from the author: I hereby declare I came up with the aforementioned scenario, and it is not an AI summary from 3 real-world customer call transcripts.

You can’t send that card information directly to your app. But you can send it to Basis Theory.

Here are the two developer guides you need:

Long story short, you need to create a Generic Pay Connector in Twilio, and an Inbound Pre-configured Proxy in Basis Theory to make this happen:

IVR + PCI - Interactive Voice Response

That custom code is called a Proxy Request Transform, which handles the Twilio payload (and any other, obviously). Here is an example:


const { BasisTheoryClient } = require('@basis-theory/node-sdk-2');

module.exports = async function (req) {
  // splitting the transform request parameters
  const {
    applicationOptions: { apiKey },
    args: { body, headers }
  } = req;

  // initialize the SDK
  const client = new BasisTheoryClient({ apiKey });

  // body is Twilio's charge transaction payload
  const {
    // extract the payment information
    cardnumber,
    expiry_month,
    expiry_year,
    cvv,
    ...rest
  } = body;

  // tokenize in the vault
  const tokenIntent = await client.tokenIntents.create({
    type: 'card',
    data: {
      number: cardnumber,
      expiration_month: expiry_month,
      expiration_year: expiry_year,
      cvc: cvv
    }
  });

  // return the original payload to your systems without the PCI data in it
  return {
    body: {
      tokenIntent,
      ...rest
    },
    headers
  };
};

You stay out of PCI scope. The voice agent works. The transaction goes through. Everyone wins.

Return to Top

Final Word

AI agents are here to work. They’re not novelty features anymore. They’re taking on real responsibilities: commerce, collections, checkout.

If they’re going to act on behalf of your brand, they need infrastructure that’s trustworthy. Tokens aren’t just secure, they’re how you scale safely.

Basis Theory is how agents transact securely.

Where to find me:

support@basistheory.com

Return to Top