PaymentsUnified commerceMail order / telephone order (MOTO)

Mail order / telephone order (MOTO)

Accept card payments over the phone or by mail without the cardholder present.

View as MarkdownInstall skills

Mail Order / Telephone Order (MOTO) is a card-not-present transaction initiated by a merchant operator rather than the cardholder. It covers phone bookings, written mail orders, and call-centre payments — any situation where a staff member collects payment details on behalf of a customer who is not interacting with a payment terminal or checkout page. VINR supports three MOTO paths: direct API submission, a browser-based virtual terminal in the dashboard, and manual key entry on a physical terminal. Choose the path that matches your PCI scope and operational setup.

MOTO via APIAsk

When your staff collects card details verbally — over the phone or from a written order form — your server can submit those details directly to the VINR Payments API. Set moto: true on the payment to flag it as a card-not-present MOTO transaction. VINR applies the correct interchange category and bypasses 3DS (see 3DS and authentication).

import { Vinr } from '@vinr/sdk';

const vinr = new Vinr({ secretKey: process.env.VINR_SECRET_KEY });

const payment = await vinr.payments.create({
  amount: 9900,
  currency: 'GBP',
  moto: true,
  paymentMethod: {
    type: 'card',
    card: {
      number: '4111111111111111',
      expMonth: 12,
      expYear: 2027,
      cvc: '123',
    },
  },
  billingDetails: {
    name: 'Jane Smith',
    address: {
      line1: '14 Regent Street',
      city: 'London',
      postalCode: 'SW1Y 4PH',
      country: 'GB',
    },
  },
  reference: 'order_3821',
});

The API path puts raw card data through your server. This places you in SAQ-C (or higher) PCI DSS scope. Only use direct API submission if your environment has appropriate PCI controls in place — network segmentation, key management, and annual assessment. If you cannot meet that bar, use the virtual terminal instead.

MOTO via virtual terminalAsk

The Virtual Terminal is a browser-based card form hosted entirely by VINR. Your staff opens Operations → Virtual Terminal in the VINR dashboard, enters the cardholder's details, and submits the payment. Raw card data is entered into VINR's page — your network and systems never touch it.

Open the Virtual Terminal. In the VINR dashboard navigate to Operations → Virtual Terminal. Any staff member with the Payments Operator role can access it.

Enter the order details. Set the amount, currency, and an internal reference (order number, booking ID, etc.) before entering card details.

Enter the card details. Type the card number, expiry, and CVC into the hosted fields. Optionally enter the cardholder billing address to trigger AVS.

Submit the payment. VINR processes the charge and displays an immediate result. A receipt can be emailed to the customer from the confirmation screen.

Reconcile via the dashboard or webhooks. The payment appears in your transaction list immediately. If you have a backend webhook listener, a payment.completed event arrives within milliseconds.

Because raw card data never touches your systems, the Virtual Terminal path reduces your PCI scope to SAQ-A. Use it when:

  • You lack the infrastructure to meet SAQ-C requirements for the API path.
  • Your call-centre staff already work in a browser environment.
  • You want supervisory controls (role-based access, audit log) without custom integration work.

Use the API path instead when you need to embed MOTO processing inside a proprietary CRM, telephony platform, or order management system.

MOTO via terminal key entryAsk

On a VINR terminal, staff can manually enter a card number on the physical keypad when the customer is not present to tap or insert. This is known as manual key entry. See In-person features — manual key entry for the full terminal walkthrough.

Terminal key entry suits low-volume phone orders at a physical location — a hotel front desk taking a booking, a restaurant confirming a reservation deposit, or a repair shop billing a job agreed over the phone. Staff are already at the terminal for in-person transactions, so no additional hardware or software is required.

Manual key entry via a certified VINR terminal is classified as SAQ-B. Card data is entered into a certified hardware device and encrypted immediately — it does not pass through any software on your network. This is a lighter scope than the API path (SAQ-C) but requires a physical VINR terminal.

For the terminal MOTO flow (configuring the terminal and enabling key-entry mode) see In-person features.

3DS and authenticationAsk

MOTO transactions are explicitly excluded from Strong Customer Authentication (SCA) requirements under PSD2 Article 18. Because the cardholder is not present to authenticate, 3DS cannot be applied. VINR automatically marks API payments with moto: true as out-of-scope for 3DS and does not request an authentication challenge.

The exclusion from SCA means there is no liability shift to the card scheme. For MOTO transactions, the merchant bears full chargeback liability regardless of whether the card details were correct. A fraudulent MOTO transaction that a cardholder disputes will result in a chargeback against your account. Use the fraud controls below to reduce exposure.

Reducing fraud riskAsk

Card-not-present fraud is more common in MOTO than in card-present channels. Apply as many of these controls as your volume justifies:

  • AVS (Address Verification Service) — pass billingDetails.address on every MOTO payment. VINR returns an avsResult code on the payment object. Decline or flag payments where the postcode or full address does not match.
  • CVC check — always collect and submit the CVC. VINR returns a cvcResult code. A no_match result is a strong fraud signal.
  • Velocity limits — configure per-card and per-IP velocity rules in Operations → Fraud prevention to block rapid repeat attempts with the same card number.
  • Shipping-address match — for physical goods, compare the shipping address against the billing address. A significant mismatch warrants manual review before fulfilment.
  • Tokenize repeat customers — for customers who order regularly by phone, complete an initial MOTO charge and save a reusable token. On subsequent calls, staff look up the customer record; you charge the token without re-collecting card details. See Tokenization.

MOTO-specific field referenceAsk

Prop

Type

Next stepsAsk

Pay by link

Send a payment link by SMS or email so customers pay on their own device — no card details collected by staff.

Tokenization

Save a card token after an initial MOTO charge so repeat customers never need to read their card details again.

Result codes

Understand AVS, CVC, and decline codes returned on MOTO payment responses.

Was this page helpful?
Edit on GitHub

Last updated on

Pay by link (in store)

Send a payment link to a customer who is in your store but prefers to pay on their own device.

Cross-channel loyalty

Earn and redeem loyalty points on every channel — online, in-store, and mobile — using VINR's unified commerce and engagement stack.

On this page

MOTO via APIMOTO via virtual terminalMOTO via terminal key entry3DS and authenticationReducing fraud riskMOTO-specific field referenceCall-centre CTI integrationCombining MOTO with recurring paymentsMOTO refundsMOTO chargeback handlingNext steps