
Taking Credit Card Payments Over The Phone Regulations

October 14, 2022

It’s important for all contact centres and organisations to be able to accept credit card and debit card payments over the phone. The COVID-19 crisis has made it even more essential, as much in-store business is now being conducted over the phone or through other remote channels.

When you’re taking phone orders, you are at greater risk of credit card fraud and need to take additional precautions. You also need to take additional measures to protect the security of your customers’ credit card information, as required to maintain PCI DSS compliance.

Compliance with the PCI DSS is often misunderstood, and vendors may not be fully aware of their obligations when taking remote or over-the-phone card payments. Commonly cited requirements include:

  • Never write down card information
  • Don’t record the call
  • Train all employees in the proper procedures and guidelines

These requirements are commonly heard and completely valid, but they can be misleading depending on how they are understood. For example, “don’t record the call” is often cited as making a vendor compliant through the practice of “pause and resume”, where call recording is paused while card details are taken. The reality is that manual pause and resume is not compliant, and the automated version is unreliable and problematic; in any case, call recording is just one small part of the PCI DSS requirements.

We will go on to highlight the regulations in place for over-the-phone payment processing. It must be remembered, however, that failure to remain secure and compliant when taking remote payments puts businesses and customers at risk, and carries huge fines and consequences for organisations, which can often result in closures.

What are the regulations for card payments over the phone?

For a card payment to be processed there are a set of payment services regulations that a merchant has to comply with. However, card payments over the phone are a bit different and businesses need to comply with the following:

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that applies to all organisations that process, store or transmit credit or debit card information. A PCI DSS compliant payment Solution Provider is a company that provides services to merchants, helping them to comply with the PCI DSS (which is a requirement) and ensuring proper processes for handling sensitive card information. PCI DSS Level 1 is the highest security standard that a Solution Provider can comply with.

Since MOTO (Mail Order & Telephone Order) payments involve transmitting and processing card information, and are also classed as CNP (Cardholder Not Present) transactions, which carry extra risk, security measures for card payments over the phone are particularly relevant. To process payments legitimately, all organisations must comply with the PCI DSS standards. Violation of these standards can result in huge fines, and in over 60% of cases among SMEs, closed doors within 6 months of a breach. Some merchants taking phone payments might find it quite difficult to get card facilities in the first place, partly because of their process for handling cardholder data in an insecure environment.

GDPR

The GDPR is the law that protects our personal data. This data is defined as our names and email addresses as well as financial information, location information, ethnicity, gender, religion, web cookies and even political opinions. Data processing includes the storage of this information but also includes collecting, organising and even erasing it. In practice, anything a business might do with a customer’s information is caught by the GDPR / Data Protection Act 2018.

When it comes to data processing, this must be lawful, fair, transparent, and limited to the purposes for which the subject originally consented, with no more than the absolute minimum to be stored. The data must be kept accurate and up to date, for only as long as its legitimate purpose lasts, and in a secure system, ideally using encryption. The business must be able to demonstrate its compliance if investigated.

PSD2

Another set of regulations that influence online card payments is set by the EU Revised Directive on Payment Services (PSD2). It affects organisations within the European Economic Area and has been adopted by the UK. In addition, it imposes a new standard, Strong Customer Authentication (SCA), for online payments. However, SCA is only applicable to customer-initiated payments. Since over-the-phone payments are processed by the merchant on behalf of the customer, they are classed as merchant-initiated and are exempt from requiring SCA.

A point to note – 3D Secure V2 does not apply to MOTO

3D Secure 2.0 is an authentication protocol that aims to reduce fraud and enhance security in online card payments. 3D Secure V2 does not currently apply to MOTO payments.


Cardholder Not Present transactions

Most Cardholder Not Present transactions today are online, where the customer is not physically present with the merchant when making a card payment. 3D Secure v2 and SCA have significantly reduced online CNP fraud, which makes the more traditional CNP area of mail order and telephone order (MOTO) payments a target for fraudulent payments.

These channels still need to adhere to the regulations and guidelines listed above, and each method carries its own particular security threats. It’s easy to see that, by the time each payment option is secured and made compliant, the task facing a contact centre or organisation that takes multi-channel payments is monumental.

Conclusion

Any merchant wishing to process payments by phone or over remote channels needs to have a robust payment system that adheres to the regulations and minimises risk of fraud for themselves and their customers.

It does not matter whether the channel used is web chat or over the phone, or the size of the business that is involved, each merchant needs to remain compliant.

Doing this manually is almost impossible, and the cost of creating an infrastructure and procedural guidelines and maintaining them would be both hugely expensive and incredibly complicated.

This is the reason PayGuard has been developed, with a focus on creating compliant payment technology that allows the merchant not only to be compliant but also to be incredibly efficient and flexible with their payment processes.

Take payments over the phone with PayGuard


No matter what organisation you are in, if you take payments over the phone, being compliant is an absolute necessity. We understand this and have made it our mission to make the process a cinch!

You need to be compliant and to keep costs low. You also want taking payments to be simple and fast, helping your workforce to focus on the more important aspect of looking after your customers. Our over-the-phone payment systems make this all possible.

At PayGuard, we believe every business should be able to take secure, compliant payments over the phone. We also believe payment processing should be affordable too, with prices and benefits that suit each business need.

Learn more about PayGuard’s over-the-phone payment processing solution, or contact us to discuss your needs or arrange a free demo.