Paytia Blog

What the PCI DSS compliance twelve requirements ask of your business

Card fraud is damaging for everyone: for customers, who have to go through the process of getting their stolen money refunded; for merchants, who suffer financial and reputational damage following a data breach; and even for society at large, when the profits made by these criminals go on to fund other criminal activities such as drug smuggling and terrorism.

Happily, by ensuring that your enterprise achieves PCI DSS compliance, you can play your part in reducing the incidence of fraud. If you process card transactions or deal with customers' financial details, you must ensure that you are fully compliant, as the repercussions for failing to do so can be significant, ranging from heavy fines to being denied the ability to take card payments.

Four Levels of compliance

There are four tiers, and twelve requirements, for meeting PCI DSS compliance. The highest tier, Level One, is for organisations making the greatest number of card transactions in a year (usually over six million, depending on the card brand), or for organisations where data breaches have occurred in the past, whilst the lowest tier, Level Four, is for those processing up to 20,000 card transactions annually.

Level One compliance involves yearly on-site audits and network scans, whilst for the lower tiers a self-assessment questionnaire is required. However, every organisation looking to achieve compliance is directed to the same key framework of twelve requirements, irrespective of which Level it is classified in.

The Twelve Requirements: a framework for compliance

The first requirement is having a firewall in place. A properly configured and maintained firewall is effective protection for your system, and therefore your customers' valuable data. It's important to install both hardware and software firewalls, as each has an important part to play in your security measures. Hardware firewalls offer the greatest security for your network, whilst software firewalls offer vital defence against threats found through employee mobile devices or emails.

The second requirement mandates that you look at passwords and settings, particularly for items such as routers and third-party software, that usually come ready to use with factory default settings and access codes. It's best to assign someone to inventory all passwords and settings to ensure that they aren't set to the originals. This must be applied to every system and every device used in your enterprise.

Requirement Three means ensuring that any card data you store is encrypted. If you aren't sure whether your system stores this information, you need to check, as you will be asked to draw up a flow diagram showing how card data is handled by your organisation. Software such as PANscan or PIIscan can help you track down card data so that you can securely encrypt it, or delete it as necessary.
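The kind of discovery scan that Requirement Three calls for, as an added example (not Paytia's code, and not PANscan or PIIscan themselves): a minimal scanner that finds Luhn-valid card numbers in stored text and reports them masked, so the report itself does not become another copy of card data. The sample log is constructed and uses industry test card numbers.

```python
"""PAN discovery scanner for PCI DSS Requirement 3: finds card numbers in
stored text so they can be encrypted or deleted.  Added example, not
Paytia's code and not PANscan/PIIscan themselves; the sample text below is
constructed and uses industry test card numbers."""
import re

# Candidate run of 13-19 digits, optionally separated by single spaces/dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: weeds out most phone, order and tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Rough issuer guess from the leading digits (IIN ranges)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and len(digits) == 15:
        return "amex"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    return "unknown"


def mask(digits: str) -> str:
    """Show the last four only, so the scan report is not itself card data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_no, masked_pan, brand) for every Luhn-valid candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((line_no, mask(digits), brand_of(digits)))
    return hits


# Constructed sample of a call-centre log: lines 1 and 3 hold test PANs,
# line 2 is a phone number and line 4 a tracking number that fails Luhn.
SAMPLE_LOG = """\
2020-12-02 16:14:46 order=10231 card=4111 1111 1111 1111 exp=12/24
2020-12-02 16:15:10 phone=0207 123 4567 ref=INV-4455
2020-12-02 16:16:02 note: customer paid with 378282246310005 (Amex)
2020-12-02 16:17:30 tracking=1234567890123456
"""

if __name__ == "__main__":
    for line_no, masked, brand in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: {masked} ({brand})")
```

Run it over exported databases, mailbox dumps and call-centre notes; every hit is a location that must either be encrypted or purged before the flow diagram is signed off.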

The fourth requirement follows on from this: card data must also be encrypted while it is transmitted across public networks. Tools such as PCI DSS encryption key management can help you achieve optimal security.

The fifth requirement asks you to maintain anti-virus software. It must be installed across all systems or devices susceptible to malware, and be updated regularly. Part of achieving compliance is demonstrating a commitment to your security, so it's important to be proactive and stay aware of any new malware threats, so that you can configure your defences appropriately.

Requirement Six involves being attentive to any dangerous security holes, so that they can be patched as soon as possible. The regular updates mentioned in Requirement Five will help to keep you protected, and your security software vendor should be able to send you notifications when you need to patch or upgrade.

Requirements Seven to Nine involve your employees. Make sure that access to card data is restricted, both within your systems and physically, for the machines on which the information could be accessed if they were stolen. Ensure each employee has a unique user ID and password, with multi-factor authentication in use.

Perhaps the most important requirement, number Ten, deals with system event logging. Failure to comply with this requirement has led to a significant number of data breaches, so it's vital to pay attention to any flagged incidents and deal with them fast. You should review incident logs at least once a day, and show that you have a robust process for dealing with any anomalies that may arise. Software such as log management systems can help you stay ahead of any threats.

Requirement Eleven insists upon vulnerability scans and penetration tests, and follows on from Requirement Six, as these tests can show if any patches have been fully successful. The frequency with which you are asked to perform these tests will depend on which Level your organisation sits within.

The twelfth and final requirement instructs you to keep all evidence and documentation relating to your security measures, which includes employee manuals, third-party vendor contracts, and your incident response strategies. You are also required to carry out an annual risk assessment, which is designed to help you improve your security practices going forward.

The compliance process may seem daunting, but achieving optimal security can only be of benefit to your organisation. With the availability of third-party payment services using tokenisation and automated telephone card processing, it's easy to integrate processes that ensure compliance.

Curtis Nash 02-Dec-2020 16:14:46

Why you should care about PCI DSS compliance

If your business or organisation takes payment by card or handles customers' financial information, you need to make sure that you are PCI DSS compliant. It doesn't matter if you head up a worldwide retail giant or are a sole trader with a strictly local customer base: once you decide to accept cards such as Visa or Mastercard, the rules of PCI DSS apply to you.

PCI DSS, or the Payment Card Industry Data Security Standard, is the universal mandate for any organisation that processes card transactions or deals with customer card details. There are twelve core requirements for PCI DSS compliance, and the process of achieving them may well seem daunting.

There are other obligations, too, with yearly on-site audits for the largest traders classed as Level One, and Self-Assessment Questionnaires for the other tiers, in addition to essential system scans and evidenced commitment to your organisation's data security. With that in mind, it's important to remember why PCI DSS compliance was created in the first place, and why it still plays such an essential role today.

Why PCI DSS was born

Back in the early days of the twenty-first century, the new boom in internet shopping was great news for retailers and other businesses which had already made the transition to trading online. Unfortunately, the new field of e-commerce also proved to be great news for criminals who were quick to exploit the web for fraudulent gain.

The answer to this threat came in the form of a set of standards intended to maximise the security of online financial transactions, with Visa spearheading the campaign with the creation of a Cardholder Information Security Program (CISP). Other credit card providers followed suit, with Mastercard, American Express and others all launching their own security protocols before long.

Naturally, with many businesses accepting more than one card brand, merchants were quickly faced with a logistical and administrative nightmare, as they had to satisfy the varying security requirements of each and every card provider. This confusion led to the independent PCI SSC (Payment Card Industry Security Standards Council) being set up, and the first universal PCI DSS compliance requirements were created.

How PCI DSS compliance benefits you

Fraud is bad news for everyone. Whilst individuals may get their money back eventually, the stark facts from UK Finance show that the criminals who profit from stolen data go on to fund other illegal activities that harm our society at large, from drug dealing to people trafficking and even terrorism. For the business owner, card fraud can cost significant sums through chargebacks from payment processing institutions. There are substantial fines if PCI DSS has not been adhered to, as well as other damages that are harder to quantify, such as reputational harm. It therefore makes sense to ensure that your business is fully compliant, and the following reasons emphasise this.

PCI DSS compliance protects you

Curtis Nash 11-Nov-2020 15:19:26

Taking card details over the phone: how to keep your customers' data safe

It's an unfortunate fact that with the increasingly digitised nature of today's trading environment, there is also the constant spectre of threat from cyber criminals looking to capitalise on your customers' valuable personal data, with the number of attacks rising year on year.

With so many stringent financial regulations for businesses to adhere to, the whole question of taking payments securely and managing card details can seem fraught with the potential for disaster. Luckily, there are some simple steps that can be taken today, which will help alleviate your concerns and allow you to keep trading with confidence.

Although there have never been so many payment options available, many of the older generations still prefer to pay over the telephone. Even though paying via an online portal is simple and secure, the familiarity and control such customers feel when they can pay over the telephone makes it a useful way to enhance their experience with your brand and to keep their loyalty. Allowing telephone payments can also be important for visually impaired customers, among others.

The onus, therefore, is on your organisation to find an effective means of establishing a secure, customer-friendly process for handling these payments.

Making Contact Centres Secure

One of the primary difficulties with taking telephone payments is that it can be difficult to assess who will have access to the financial details taken, and customers may rightly feel hesitant about sharing such information, especially in the light of recent high-profile data breaches. This is where online payment methods, and the perception of anonymity they afford, can be seen to have the advantage.

However, steps can be taken to ensure that telephone payments can also be made securely, and in a way that actively builds on your organisation's reputational trust.

For businesses large enough to operate their own contact centres, the need for appropriate financial security measures is, of course, paramount. Contact centres are an excellent means of continuing your branding and ensuring that customers receive an optimal service experience, and a set of strong protocols for handling customer data will enhance this.

Customers may call your centre or interact via live chat, but if payment is handled over either of these channels, the transaction is classified as card (or cardholder) not present (CNP), and as such must adhere to PCI DSS compliance regulations. These compliance requirements may be harder to meet now that many contact centre staff are working from home.

Taking advantage of an automated service can ensure this vital compliance, as your customer service team member can simply transfer the customer to a secure line where they can enter their card details. It's quick and seamless and means that your staff avoid having to deal with sensitive personal financial information. This offers both you and your customers valuable peace of mind.

In these new days of remote working, where guaranteeing compliance may be a significant challenge, it's an especially valuable service to consider. It's also good practice to have customer calls recorded, as this engenders transparency in the way in which transactions are conducted, and helps you to shape any future protocols.

Maintaining customer data

If your organisation offers subscriptions or other card-on-file services, you will need to be especially mindful of security. The requirements relating to GDPR and PCI DSS compliance mean that it's best to sign up to a third-party service that removes the need for you to handle card details at all. Instead, these services operate a vault and token system: they hold the customer's card details securely, and you bill the customer's account using a token linked to those details. The token is unique to your organisation and cannot be used to access the card, or to process payments from it, anywhere else, making it extremely secure.
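The vault-and-token scheme just described, modelled as an added example (not Paytia's implementation): the provider holds the card number, the merchant holds only a random token bound to its own account, and the same card enrolled by two merchants yields two unrelated tokens. Merchant ids and the card number are constructed test values.

```python
"""Model of a card-on-file token vault: the provider keeps the card details,
the merchant keeps only a token bound to its own account.  Added
illustration, not Paytia's implementation; merchant ids and the card
number used below are constructed test values."""
import secrets
from dataclasses import dataclass, field


@dataclass
class VaultRecord:
    pan: str          # full card number; never returned to the merchant
    merchant_id: str  # the token only works for this merchant


@dataclass
class TokenVault:
    """Provider side. A real vault encrypts pan at rest (Requirement 3);
    this in-memory model only demonstrates the access rules."""
    _records: dict = field(default_factory=dict)

    def tokenise(self, merchant_id: str, pan: str) -> str:
        """Store the card and hand back a random, merchant-bound token.
        Enrolling the same card for two merchants yields unrelated tokens,
        so tokens cannot be correlated or reused across organisations."""
        token = "tok_" + secrets.token_urlsafe(16)   # carries no card data
        self._records[token] = VaultRecord(pan, merchant_id)
        return token

    def masked(self, merchant_id: str, token: str) -> str:
        """All the merchant may see for receipts and records: the last four."""
        rec = self._lookup(merchant_id, token)
        return "*" * (len(rec.pan) - 4) + rec.pan[-4:]

    def charge(self, merchant_id: str, token: str, amount_pence: int) -> dict:
        """Bill the stored card on the merchant's behalf. The PAN is used
        only inside the provider (forwarded to the acquirer in reality)."""
        if amount_pence <= 0:
            raise ValueError("amount must be positive")
        self._lookup(merchant_id, token)
        return {"merchant": merchant_id, "amount_pence": amount_pence,
                "card": self.masked(merchant_id, token), "status": "approved"}

    def _lookup(self, merchant_id: str, token: str) -> VaultRecord:
        rec = self._records.get(token)
        # One error for unknown and foreign tokens, so a caller cannot
        # probe whether a token belongs to another merchant.
        if rec is None or rec.merchant_id != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return rec


def can_use(vault: TokenVault, merchant_id: str, token: str) -> bool:
    """True only if this merchant may bill with this token."""
    try:
        vault.masked(merchant_id, token)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenise("merchant-a", "4111111111111111")   # test PAN
    print(vault.charge("merchant-a", tok, 1999))
    print("merchant-b can use it:", can_use(vault, "merchant-b", tok))
```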

Prevention is key

Anyone can fall victim to a data breach, as the last few years have proved, with major airlines and telecoms firms in the news and suffering catastrophic losses from cyber attacks. Simply reacting to a security breach isn't good enough: your organisation needs to have preventative strategies in place if you hope to keep your customers' financial data secure. The best strategy of all is to choose solutions that take away the need for you to enter or store customer card details.

Rather than stop accepting telephone payments, or end any subscription billing services, why not look at the option of working with third-party providers? Taking advantage of automated services can give your organisation the edge in providing a secure, seamless telephone payment platform that helps to build valuable trust with your customers. These services can offer not only security, but also greater efficiency and swifter order processing, another substantial benefit for those buying from you.

Furthermore, such services can save you significant sums of money, as by removing the handling of sensitive financial data you may sidestep many of the requirements of PCI DSS compliance.

Curtis Nash 04-Nov-2020 16:07:53

What you need to know about MOTO payments

When you're looking to start trading online, or perhaps expanding into home delivery or other services, it's vital that you understand how different types of payment could affect your business. Some payment types are categorised as card-not-present (CNP) transactions, and, as such, are governed by a particular set of rules.

CNP transactions are those which are processed without the merchant having physical access to the card's chip for scanning or swiping. They can include payments made online, over the telephone, via fax or by post.

As the merchant will not be able to look at the card, such transactions carry a heightened potential for fraud. Furthermore, if a cardholder claims that a fraudulent CNP payment has been made, the merchant will be held liable and often have to pay a chargeback fee to their bank. These fees can be significant sums, especially for smaller organisations. It is, therefore, crucial to ensure that security protocols are carefully followed by all staff if you decide to accept CNP payments.

How MOTO differs from e-commerce transactions

It's important to understand that not all card-not-present transactions are treated in the same way under the law. E-commerce transactions, for example, whilst taking place where the customer's card is not in front of you, do not count as MOTO transactions. This can be summed up with a simple analogy of coffee and cappuccino: every cappuccino is a coffee, but not every coffee is a cappuccino. In the same way, every MOTO transaction is a card-not-present transaction, but not every card-not-present transaction is MOTO.

MOTO stands for Mail Order/Telephone Order, and covers transactions where the merchant accepts payment or card details over the telephone, or in written form such as via email, fax or post. The merchant then enters these details into their payment system in order to process the charge. This is the key distinguishing feature of MOTO transactions: other card-not-present payments, such as those made via a website, require that the customer is the one to enter their card details.

The benefits of MOTO transactions

Offering your customers the opportunity to pay over the telephone can certainly be a great advantage for your business. It's a smart choice for making sure that you don't miss out on sales even if your customer cannot visit you in person, and offers convenience for immediate payment of invoices.

MOTO transactions are used by a wide variety of organisations, such as property management companies, hotels, restaurants, membership associations, schools and universities. Since the pandemic and subsequent lockdown shut down many bricks and mortar businesses, there has also been a marked increase in merchants beginning to offer MOTO payments for delivering their products, particularly for those which do not have a website equipped to process online sales.

Such MOTO transactions can be quick and easy for both you and your customers, and are very popular with older people who may not feel confident paying online. They allow you the opportunity to engage with your customer and deliver a great customer service experience. When delivered effectively, MOTO transactions can be extremely secure, offering peace of mind for everyone involved. MOTO transactions can be linked up to accountancy applications such as QuickBooks, enabling seamless record-keeping with minimal staff input required.

How to take safe MOTO payments

It's important to take steps to make sure that MOTO transactions are secure and transparent. Recording telephone calls is a useful practice, as it means that there will be a way to trace every processed payment, which helps to meet compliance regulations. Whilst it's a fact that there is a significant threat of card-not-present fraud associated with MOTO transactions, fortunately, there are now services available that can protect your business from the risk.

Advances in Artificial Intelligence (AI) technology have been applied to make automated payment methods safer and more seamless than ever, and such services can even remove the liability for the merchant in the case of fraud claims. These services mean that when a customer wishes to make a payment over the telephone, they can be transferred to a secure, fully automated line where they can enter their card details.

This removes the need for your staff to handle sensitive financial data, ensuring that PCI DSS compliance is met, and takes away the liability for any later chargebacks. Payments can be processed quickly and efficiently, and your records updated immediately. This kind of service is especially useful for businesses which wish to continue to meet compliance regulations and ensure that data security is maintained now that their customer service teams are working from home.

It's clear that offering MOTO payments can be a useful addition to a range of organisations, and it's never been easier to make sure that such payments can be made simply and securely. This offers both you and your customers the best of both worlds: a great personalised experience, alongside the peace of mind that comes from knowing that the risk of fraud is minimised.

Curtis Nash 28-Oct-2020 15:00:00

Why Taking Card Payments Can Help to Grow Your Business

In today's trading environment, being able to accept cards for payment can be a great asset to your business, no matter how small your enterprise may be.

Since the Covid-19 pandemic, digitisation has become a crucial factor for ensuring that businesses survive and thrive in the future, and this is not just limited to the big players. With lockdown having driven customer engagement online, and the prospect of face-to-face trading being limited for the foreseeable future, it makes sense for anyone looking to protect their business.

Not only is enabling payment by card more hygienic than cash (a vital consideration at present), but it can expand your organisation's horizons, and help it to flourish.

Accepting card payments can drive business

If you're on the front line of customer service, you will doubtless have been asked by prospective customers if you take card payments. If you don't, this could mean that you are losing sales. Card and other cashless payments have overtaken cash transactions in the last five years, and it's becoming increasingly expected that even sole traders at small village fairs will now have card processing capabilities.

By only accepting cash, you limit your sales potential both in terms of opportunity (e.g. when you are physically present to take the money), and in transaction value, as your customer's purchasing power is necessarily limited by the amount of cash they are carrying, leaving little leeway for add-on or spontaneous purchases.

In fact, UK Finance discovered that as many as 85% of purchases were impulse buys, meaning that if you don't accept cards, you could be significantly limiting your opportunities for profit. Showing that you accept card payments can help to improve customer perceptions of your business, too, with prospective shoppers feeling reassured that yours is an authentic, trustworthy enterprise.

Showing that you are associated with well-known financial brands such as Visa or Mastercard builds confidence for consumers, which is a valuable business driver in itself. There have never been so many easy and affordable options available for accepting card or other cashless payments, with solutions available to suit any business scenario.

The number of takeaways and other businesses that have started offering delivery services has greatly multiplied since lockdown, and telephone orders often take place where a fully transaction-ready website is not in place. Such telephone transactions are classed as card or cardholder not present (CNP), and all you need to get started is a virtual terminal.

Whilst there are ample virtual terminal providers available to enable your business to process these sales, it's worth exploring the benefits of a service offering a Secure Virtual Terminal. That's because taking payments where the merchant, rather than the customer, is keying in the card details can leave you exposed if fraud were to take place.

Fraudulent transactions can cost your organisation in chargeback fees, but you can reduce this risk by taking out a Secure Virtual Terminal service that uses technology to authenticate and anonymise the process. Automated telephone services that use the latest in Artificial Intelligence (AI) technology mean that the card details are not held in your company records, allowing you to avoid onerous compliance requirements. It's fast, simple, and safer for you and your customers.

The benefits of accepting card payments: why it makes sense

Many small businesses are discouraged from accepting card payments because they believe it will mean complications in record keeping, or incur prohibitive running costs. In fact, nothing could be further from the truth.

Opening up your business to card payments brings many advantages, from saving time chasing payments or reducing any cash flow issues as you wait for invoices to be paid. Instead, by taking immediate card payments, you can be reassured that the funds will reach your account in just 3-5 days. The administration involved is minimal, with modern card machines able to print off each day's records, ready for your files.

There is no need for bulky hardware or expensive infrastructure, either: modern methods of processing card payments simply require broadband internet access or a telephone line. Card payments also reduce your need to manage security for sums of cash on your premises, and the payment process itself comes with the reassurance of stringent security measures. More advanced payment safeguards (such as fraud prevention protocols) can be taken in hand for you, too, with many different packages available.

Taking card payments may indeed come with some ongoing service charges, but this should be mitigated by the increased revenue gained by opening up this new payment channel. You may save on overdraft or loan fees as you will no longer be reliant on chasing up invoices, thereby freeing up your cash flow. Furthermore, your time has its value too, and taking card payments will free up valuable hours previously spent on banking runs.

A smart decision

It's clear, then, that the benefits of accepting card payments can be significant for your business. With different options available, there is sure to be a payment processing solution that can suit your needs without breaking your budget. The advantages in terms of increased sales potential, security, and time saving all mean that card payments can play a significant role in ensuring longevity and success for your business.

Curtis Nash 20-Oct-2020 09:30:00

Preventing Fraud When Taking Payments Over the Phone

When it comes to taking card payments, there are essentially two categories: electronic (for example, contactless or chip and PIN machine methods) and manual, keyed entry, also known as card (or cardholder) not present. The latter is something of a misnomer, as it applies even if you are reading the details off your customer's card whilst they stand in front of you.

Thanks to the boom in online shopping and app sales, there are a great many situations that require keyed entry. Anytime a customer buys from your website, or takes out a subscription to one of your services, this becomes a cardholder not present transaction. This is in addition to transactions such as mail order/telephone order (MOTO) payments, digital invoices (including payment links), and card-on-file payments.

What you need to know about taking card payments

So why does this matter? After all, you can get software to accept and process these payments, and your customers are able to buy quickly and easily, often with a simple click of that “Buy now” button. Card not present transactions are a regular and reliable feature of our modern trading landscape.

In fact, paying attention to keyed entry transactions matters a great deal if you are the merchant. This is down to one important distinction between transactions where the card details have been entered by the customer, and those where the details have been entered by the merchant.

Many of the latter transactions rely on virtual terminals: secure web pages that you access whilst logged into your payment service provider account, into which you then enter the customer's card details manually. If you are using a virtual terminal to take payments over the telephone or through live chat, or managing card-on-file payments, you are subject to PCI DSS compliance.

PCI DSS compliance involves extensive paperwork and annual costs, but helps to improve vital security standards. Failure to comply can lead to data breaches and, subsequently, fines and significant damage to your business's reputation.

Fraud: minimising your risk

Unfortunately, card not present fraud accounts for 68% of all UK debit and credit card fraud, and if a cardholder discovers a fraudulent payment has been made to your business, you will be issued a chargeback by your payment processing provider, leaving you out of pocket. This can prove costly, but fortunately there are ways in which you can protect yourself and your business.

Take advantage of fraud-screening tools, such as an external payment gateway, to help avoid potentially criminal transactions. Offered by many card issuers (for example Verified by Visa or Mastercard SecureCode), an external payment gateway helps to authenticate the cardholder's identity, often by requiring the cardholder to enter a password. This also moves the liability away from the merchant if fraud is claimed later, meaning that chargebacks are avoided.

When taking payments, it's wise to protect yourself by taking extra details beyond the card number, such as the CV2 number, expiry date, full cardholder name or billing address. Information such as the cardholder's email address can also assist in verification, and it's good practice to have customers fill in an online form with such details if you are trading online. It's also crucial to make sure that times, dates and transaction numbers are stored for your records.

Another means of minimising the risk of fraud is the use of the Address Verification Service (AVS), which entails checking the customer's billing address details in order to validate the transaction. It's usually performed by the card issuer via telephone. Whilst the UK is currently the only country in Europe able to use this service, it's extremely popular in the USA, which suggests that its use may well become more prevalent in the future.

Making transactions run smoothly

In order to make sure that your MOTO transactions are as secure as possible, it pays to adhere to these simple precautions. In the first instance, make sure that you have a virtual terminal in place. Whilst many companies offer this service, it's worth choosing a provider that can offer you valuable additional benefits, such as secure automated telephone payment capabilities. This means that your customer can enter their card details via their phone's keypad rather than reading them out to a member of your team. This has the additional advantage of helping you achieve PCI DSS compliance immediately, as it removes your need to store sensitive card details.

Cardholder not present payments can be a popular target for fraudsters these days. Thankfully, there are now ample services and products available to make keyed entry transactions safer than ever. This is vitally important because it helps build customer trust, as well as ensuring that you are compliant with essential PCI DSS. Today, many virtual terminal providers take care of PCI DSS for you, and it's certainly worth exploring what options are available to you when choosing a package.

Curtis Nash 14-Oct-2020 16:30:00
