Is it safe to take payments over the phone?

Security is a major consideration for most small business, and liability for fraudulent activity could come back to bite you if you don’t meet the strict standards of the Payment Card Industry. But with the right security processes in place, taking payments over the phone is extremely safe for both you and your customers.

How safe are phone payments?

The simpler answer is: phone payments are very safe as long as:

• The business/receiver uses certain standard security measures
• The payer has checked that the company they’re paying is legitimate

However, the answer gets more complicated if the receiver is not using standard security measures, and from the customer’s end – if there’s reason to doubt the legitimacy of the business they talking to on the phone.

While statistics show that card-not-present transactions have a higher rate of fraud than card machine payments, it is considered safe for legitimate customers to pass on card details to a legitimate business (the UK campaign Take Five is a helpful resource for consumer advice).

On the other hand, businesses taking phone payments should be wary that the details given to them are from a legitimate customer, as otherwise they can be liable for expensive chargeback fees from their payment provider.

Let’s look at what you can do to prevent this when taking phone payments.

PCI compliance

PCI compliance is the single most important thing that small businesses can do to maximise the security of all their card transactions. The so-called Payment Card Industry Data Security Standard (PCI DSS) was established to help businesses reduce fraud and process card payments securely.

The way PCI compliance works is that it sets certain requirements for the storage, transmission and processing of cardholder data. This includes different steps involving the people, policies and technologies your business uses to process payments.

To set it up, you can either pay to get the help of a PCI SSC-Qualified Security Assessor (QSA), pick a payment provider who’s doing the work for you, or go through the application steps yourself.

If you do it yourself, you should first find out which compliance “level” your business is categorised as. Check your acquirer bank, payment provider and/or card brands about their level categorisations, as these tend to vary between them. You then need to fill in the appropriate Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) documents afterwards, and submit these to the relevant acquirers, card brands or payment providers.

It requires a lot of paperwork and documentation from your end, but if you choose a PCI DSS-certified payment provider, perhaps you don’t need to go through any of this yourself. Whichever virtual terminal provider you choose, you can ask them what you should do to be compliant and take it from there.

Standard security systems

Almost all virtual terminals will request the same security information during payments. As well as the long card number and expiry date, you will be prompted for the card security code, sometimes called CVV or CVC. The virtual terminal provider will check whether the inputted security code matches the one the card issuer has on file for that card.

A secondary level of approval may come in the form of an address verification system (AVS). This anti-fraud system matches the numerical portion of the billing address (for example, house number and postcode) against the address that the card issuer has on file for the customer.

Create a business culture of security

Unfortunately, one of the weakest links in your company could be your staff – yourself included! Small business owners have a tendency to trust their employees more easily. Assumptions about your people can be very easy to make, and this is where standards often slip. Annual security awareness training and regular checks can help ensure that your staff know how to be safe and secure when processing transactions.

As an employer, you are responsible for training your staff on best practices in card data handling.

You should also consider conducting background checks as a precondition to employment to ensure that staff who appear perfect on paper don’t have any criminal skeletons lurking in their closets.

Pick your payment provider carefully

While most payment providers have the infrastructure in place to ensure they’re compliant with PCI rules and regulations, some take additional steps to ensure comprehensive fraud protection is provided as the standard.

For example, some providers impose maximum transaction limits on phone transactions. This means that as well as all the usual fraud prevention tools such as AVS and security codes, if a fraudster managed to slip through the early security measures, the amount spent in one transaction would be limited. Spending caps have only been introduced by a few virtual terminal providers, but they add an additional level of security to transactions.

Use your common sense

A lot of payment security really boils down to common sense. Some of our top tips include:

• Never store card numbers or security codes, either on paper or in an electronic document.
• Make sure that merchant receipts are not printed with your customer’s full card details on them. Normally, this will not be a problem as most payment providers make sure only the last four digits are displayed.
• Create separate login accounts for each of your staff so you can identify who processed which transactions.
• Run regular malware and spyware checks on your computer or mobile device and make sure your antivirus protection is robust and regularly updated.
• Ensure anything printed with customer or payment details is properly destroyed – ideally, cross-shredded.
• Encourage your staff to be vigilant. If anything seems ‘off’ about a payment, they shouldn’t be afraid to flag it up for concern.

Although it can be daunting to make or take phone payments, there are steps you can take to safeguard your customer’s data and give them, and yourself, peace of mind.