Can I take credit card payments over the phone? What do UK regulations say?

Many businesses take payments from customers who are not physically present.

A way to do this is over the telephone: you simply ask the cardholder for their credit card details which you enter into a virtual terminal on a computer or key in on a card machine that accepts card-not-present transactions.

But is it legal to take payments over the phone in the UK? The short answer is yes, but it comes with certain responsibilities for the business.

There is no law against over-the-phone payments in the United Kingdom, but businesses should be aware of certain standards, regulations and consumer rights affecting the legitimacy of a cardholder-not-present transaction.

Most relevant: PCI-DSS compliance

Payment Card Industry Data Security Standard (PCI-DSS) compliance concerns data privacy and security. PCI-DSS compliance is not a law, it’s a standard.

It ensures that proper processes are in place for handling sensitive card information, especially where it concerns the merchant receiving and storing these details manually. This applies to over-the-phone payments, also known as Mail Order/Telephone Order (MOTO) transactions.

Most virtual terminal providers require PCI-DSS compliance from their merchants to avoid problems with the acquiring bank that handles card processing. In fact, card schemes can fine acquirers for violating PCI-DSS rules, who in turn can suspend its merchants who failed to comply.

That is why you should always check if your virtual terminal solution requires you to set up PCI-DSS compliance yourself, or if the responsibility is handled by your provider.

Less relevant regulations

While PCI-DSS compliance is the only protocol governing MOTO payments directly, you may wonder whether general rules for the payment industry apply as well. Let’s go through the big ones.

Payment Services Regulations (PSD2)

In 2019, new card authentication regulations, PSD2, were introduced in Europe. It demands a new standard called Strong Customer Authentication (SCA), but it only applies to customer-initiated online payments.

Because the merchant processes the payment on behalf of the customer, over-the-phone transactions are considered merchant-initiated. Therefore, they don’t require SCA, and the PSD2 does not apply to them.

However, the cardholder’s bank decides whether to accept or reject a phone payment based on a risk assessment of it. Banks have to comply with PSD2, meaning that only transactions qualifying for an exemption of SCA (like phone payments) can be accepted without SCA.

It is up to your virtual terminal provider to clearly mark your telephone payments for this exemption, which they may decide to do only if you comply with PCI-DSS or have certain secure transaction processes in place.

Consumer rights

Certain consumer rights in the UK mean that all card transactions come with responsibilities for the merchant.

Cardholders can raise a dispute for transactions – including those done over the phone – to their card issuer, where the retailer did not provide the product or service, deliver on its own terms, or the transaction went ahead without the cardholder’s consent. This can result in a chargeback where the merchant is charged a fee and the full amount that was disputed.

The merchant should therefore be careful to get consent for each card transaction done over the phone. To avoid chargebacks, you should consequently get enough details from the customer to back up the consent. This could be the card security code, billing address, customer name as it appears on the card, etc.

If a credit (not debit) card is used for a £100+ transaction, section 75 of the Consumer Credit Act 1974 gives the consumer the right to claim back the money for a telephone transaction they did not clearly consent to.