To be SCA compliant, you need to show the intent of the user in-session. We take the approach of signing the cart using a user owned agent, which is compliant with AP2/ACP and now UCP specs.
Our IVR was replaced with an AI virtual agent that is a combination of answering questions but mostly sending calls to the right place.
If it is something like updating payment details or paying an invoice, they are transferred out of AI into a typical architect IVR flow (secured, no dtmf tones etc) and request their details in the specific order.
There is no way we would get sign off to feed customer credit card information into any AI model.