Less relevant regulations
While PCI-DSS is the only standard that governs MOTO payments directly, you may wonder whether the general rules for the payment industry apply as well. Let’s go through the big ones.
Payment Services Regulations (PSD2)
In 2019, a new card authentication regulation, PSD2, was introduced in Europe. It requires a new standard called Strong Customer Authentication (SCA), but SCA only applies to customer-initiated online payments.
Because the merchant processes the payment on behalf of the customer, over-the-phone transactions are considered merchant-initiated. Therefore, they don’t require SCA, and the PSD2 does not apply to them.
However, the cardholder’s bank decides whether to accept or reject a phone payment based on its own risk assessment. Banks have to comply with PSD2, meaning that only transactions qualifying for an exemption from SCA (such as phone payments) can be accepted without SCA.
It is up to your virtual terminal provider to clearly flag your telephone payments as qualifying for this exemption, which they may decide to do only if you comply with PCI-DSS or have certain secure transaction processes in place.