How to Keep Credit Card Over Phone Orders PCI Compliant

Card payments are quickly becoming the most popular method of payment among customers. To cope with the high demand for cashless payments, businesses, especially SMEs, transition to accepting a more comprehensive range of payment solutions.

With consumers changing the way they buy, it’s becoming more critical for your business to offer POS, online, and contactless payment options. But have you considered the requirements of getting paid over the phone without the associated risk?

See Also: PCI Compliance For Call Centers

Suppose you accept payment cards through any transaction channel such as physical pos, telephone, or e-commerce. In that situation, you must adhere to the PCI DSS (Payment Card Industry Data Security Standards). PCI refers to the transaction channels as “card present” or “Card not present.”

See Also: What You Should Know About PCI Compliant Call Recording

Existing card transactions require card completion, such as retail stores where you swipe your payment card to make purchases. Transactions where the card is not available, require further verification that you are the cardholder. You may be asked for the card’s expiration date or the CVV value (card verification value), which is a code on the back of the card that the cardholder should only know.

Credit card orders over the phone are classified as cardless transactions; however, it is often significantly different from e-commerce transactions. The critical difference is that phone payments usually require the involvement of a call center or contact center representative.

The transaction flow for phone orders can have multiple configurations, and PCI DSS requirements must be considered in each type of configuration. For example, the flow of a credit card transaction over the phone may include the following items:

  • A telephone system that is based on the Internet Protocol (IP).
  • A representative from a call center or a communication center,
  • Whether or not an order entry application is open to the public,
  • Call records containing credit card information
  • Agents use pin pads to enter payment card information.
  • Customers can submit payment card information without human involvement using an interactive voice response unit.

PCI compliance for phone-based credit card payments can be complex depending on how much of the above you use. Furthermore, it should be remembered that the physical security of a call center that accepts credit card payments over the phone is also covered by the PCI DSS.

What are the Security Risks in Credit Card Payments over the Phone?

Credit card transactions by phone present two opportunities for attackers. Credit card transactions by phone are a source for collecting sensitive data and a target for using these stolen cards.

Both of these risks increase as attackers target phone-based payment systems as the weak link in the payment chain. While chip and pin protect brick-and-mortar institutions and online transactions can be secured using 3D Secure, phone payments remain vulnerable.

Having an agent access sensitive credit card data overhearing a customer being spoken to hack into a CRM or ERP system puts you at risk of fraud. This risk is even greater if customer service calls are recorded, for example, for quality assurance.

These fraud risks should not be underestimated. PCI-DSS standards are intended to assess, prevent and manage these risks at the cost and responsibility of organizations. Examples of fraud can be found in any industry sector.

Personnel who receive account data via a telephone handset or a computer screen can use various techniques to obtain and record this data, from writing down details on a piece of paper or a mobile device to using keylogging or recording equipment. Additionally, audio signals can be intercepted in transit, and an attacker can convert the audio into data.

There are certified PTS Devices for brick-and-mortar businesses that provide vital protection for payment data and leverage EMV chip, mobile and contactless technologies.

The safest way to receive credit card payments over the phone is not manually entering, storing, or managing sensitive data. The best way to comply with the PCI Data Security Standard is to remove the payment item from the search altogether.

If your customers don’t read their payment information over the phone, your agents can’t hear, write, or forward sensitive information. If agents do not enter sensitive payment information on the desktop, this excludes both the desktop and the network from PCI-DSS.

For attackers to succeed in their fraudulent activities, they must have both the card number and the CVV number, along with important information such as name and street address. Therefore, it is recommended not to save CVV numbers during calls.

However, for businesses that take credit card payments over the phone, and especially companies that use call recording, not having their CVV numbers recorded can be challenging. Most companies use one of the following solutions when taking credit card payments over the phone:

  • Phone call recording is paused and resumed while the customer provides credit card information.
  • The phone call is muted, or the credit card information is masked when the customer provides their credit card information.
  • Keypad payments are used where card details are entered on the keypad. There is no need to halt the phone call at any moment in this manner.

Unfortunately, the first and second methods are not entirely reliable. Most such solutions rely on having the agent pause or mute the audio or call recording, and as with any manual action, there is always a risk of human error.

The third option is the most secure and provides an effective solution to credit card payments over the phone. It captures the card number and CV2 entered by the customer using the telephone keypad, and the agent remains on the call. For the card number and CVV, the voice on the agent direction is automatically blocked.

The PCI SSC recommends that the most effective methods available for securing phone payments can be found in DTMF masking, as outlined in its Guide to Protecting Phone-Based Card Payments. The DTMF masking solution enables customers to enter their card payment numbers individually and directly on their telephone keypads instead of reading them out loud to an agent on the line.

Because all DTMF tones are masked, payment details cannot be accidentally captured in call records or interpreted by agents. Additionally, agents can stay in touch with callers throughout the entire call duration as they use keypads to make payments and provide support and instructions regarding the check-in process.

Because all sensitive payment information is transmitted directly to the payment service provider (PSP), no sensitive payment data enters the contact center organization, significantly reducing the scope of PCI DSS compliance.

In this way, if the customer reads the card information aloud while entering their entries using the telephone keypad, the agent and the call recording system are prevented from catching these sensitive details.

How to Stay PCI Compliant in Phone Order Transactions?

Despite the growth of online payments, credit card payments by phone are still in great demand. Allowing clients to make card payments over the phone will enable them to ask queries that would otherwise be hidden in lengthy terms and conditions paperwork.

If something goes wrong, customers may rest assured that they have a record of who they spoke with rather than a massive list of referral numbers and letters.

If you want to evaluate your current customer retention strategies based on user behavior, allowing customers to chat with a human during the checkout process will yield positive results.

Telephone checkouts also offer businesses the opportunity to capture instant purchases that result in faster sales cycles. Online and in-store purchases frequently allow a customer to ponder and maybe reject a purchase.

It’s worth noting that the PCI DSS states that the three- or four-digit code (CVV2, CVC2, CID, or CAV2) printed on the back of the card cannot be saved after authorization. But the full recording of phone calls could mean that companies unintentionally retain these details without knowing them.

By taking care of both the human and digital elements in your phone ordering system, you can ensure your PCI compliance and your customers’ data stay safe and secure at all times.

Keep Your Network Secure.

It is essential to ensure that the entire network system complies with PCI requirements. Network security starts with an effective firewall and router and internal processes that provide additional layers of protection. All traffic from unsecured networks and hosts should be throttled, and there should never be direct access between any network component containing cardholder data and the Internet.

PCI compliance requires a significant amount of network security. Outside of the purview of PCI, cardholder data must be safeguarded against untrusted networks. It is not mandatory to implement network partitioning, but if it is not partitioned, the entire network and all system components are covered.

After determining your PCI scope and segmentation, you must apply hardened configurations to all system components. You should also regularly test your infrastructure with vulnerability scans and penetration tests.

Understand Your Scope and Data Flow.

Make sure you’re clear on what PCI DSS compliance requires. Phone payments can flow beyond your network if you’re utilizing an IP-based phone system, as previously mentioned. Order entry systems where payment card data is entered, the network segments they travel to, and any connected systems that are not adequately segmented are within the scope of PCI.

Call recording systems are in PCI scope if they record all of the payment card information.

Never Overwrite Card Information on Paper Receipts.

It can be easier and more tempting for your reps to jot down a number on a post-it while on the phone and then process the order. On the other hand, notes like this are not secure and may expose you to data loss.

To deal with incidents where it may be necessary to write down credit card information, you may want to consider giving each agent an erasable whiteboard. These boards should be fixed to your agents’ desks and cleaned regularly.

Instead, it’s always best to enter credit card information directly into your payment processing system. This allows you to adequately protect customer orders and use a method not subject to accidental errors.

If payment card details are written on order forms as part of the workaround process, ensure that the forms are rearranged or shredded appropriately after order entry.

Use a PCI Compliant Phone System Infrastructure.

Call records containing payment card information must be protected with access controls, network segmentation, and encryption. If CVV is saved, PCI has a concern since, even if it is fully protected and encrypted, CVV should not be kept after permission.

Make sure there’s a means to rectify credit card information if your company records client calls. Ideally, your call records will use a system integrated with the order entry system and pause the recording when the agent arrives at the payment page and resume recording after the card is entered.

So invest in a PCI-compliant phone payment system with the latest security technology. Choose a payment processor and hardware vendor that is both reputable and highly experienced in your industry and working with mail-order merchants.

Manual pause and resume should be subjected to periodic due diligence to ensure the pause is functional to avoid saving payment card data.

Reduce Phone Order Entry System Scope.

When agents receive payment card data, they must enter the card number into an application, such as an order entry system. The order entry system can be the beginning of the full payment card number propagation.

Note that the full card number is within the scope of PCI wherever it goes. If the full card data is stored, the data must be protected by access control, encryption, logging, and monitoring, among other things.

Configure your order entry system to link directly to payment processors if at all possible. As a result, your system components never contain the complete card number. You can also reduce your PCI coverage by using an Iframe connection or entering the payment card numbers on the interaction point devices, immediately encrypt the payment card information.

Create a “No Cell Phone” Rule.

Cell phones used by your employees in your call centers can be a source of data leaks. Malicious agents can use their phones to capture customers’ card data. By prohibiting personal mobile phones in the workplace, you can prevent the transfer of sensitive data to an employee’s phone.

Educate All Employees on Secure Procedures.

Each employee’s training should include a summary of all processes required for PCI compliance. For example, make sure your employees understand that they should not use each other’s login credentials and should protect their passwords.

Explain to your employees why security requirements exist for credit card phone orders during training. Also, describe the penalties for both your company and your employees if security requirements are not met.

Follow Employee Procedures and Conduct Refresher Courses.

Refresher courses can aid in the retention of rules that apply to people who work on phones. It’s also important to double-check that procedures are being followed regularly. They are less prone to lapse into poor yet suitable habits when routinely reminded.

You should have a procedure for dealing with employees who engage in risky behavior. The combination of retraining and disciplinary action should be written into employee handbooks and implemented as needed to keep all data safe.

Surkay Baykara
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

Your 12-Step PCI DSS Compliance Checklist

PCI consistency is expected for any organization that acknowledges credit card installments. PCI additionally applies to any association that can affect the security of installment card exchanges.

What’s New in PCI DSS v4.0?

PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address emerging threats and technologies better and provide innovative ways to combat new threats.

Firewall Rule Configuration Best Practices

When it comes to securing firewall rules, firewalls have a sensible procedure to follow. Whether you're upgrading hardware or establishing a whole new environment, the order of the procedures will differ.

Related posts

Latest posts

Your 12-Step PCI DSS Compliance Checklist

PCI consistency is expected for any organization that acknowledges credit card installments. PCI additionally applies to any association that can affect the security of installment card exchanges.

What’s New in PCI DSS v4.0?

PCI DSS v4.0 replaces PCI DSS version 3.2.1 to address emerging threats and technologies better and provide innovative ways to combat new threats.

Firewall Rule Configuration Best Practices

When it comes to securing firewall rules, firewalls have a sensible procedure to follow. Whether you're upgrading hardware or establishing a whole new environment, the order of the procedures will differ.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!