Curtis Nash

I have had more than twenty-five years of experience in innovative software businesses. I have founded multiple companies and served in executive technical, operational, and business development positions both in the UK and the US. My specialities include technology commercialisation, start-up mentorship, strategic partnership business development, deal structuring and execution, technology investment and company turnaround.

Taking Credit Card Payments Over The Phone Regulations UK

With the rapid growth of online retailing, we've seen an accompanying increase in the resourcefulness and ingenuity of criminals. Our credit card details are immensely valuable and every time we use them we run the risk that someone will find a way to steal them. The experience may be rarer than most of us think but it remains a constant threat.

Making a payment by credit card over the phone has its own unique security issues. Such payments are called cardholder-not-present (CNP) transactions and specific standards and regulations attach to them for the purpose of protecting consumer rights.

PCI-DSS

The most significant and furthest-reaching of these is the Payment Card Industry Data Security Standard (PCI-DSS). While this is a standard rather than a law, it is mandated by the credit card industry and realistically no responsible business would attempt to take credit card phone payments without conforming to it. Apart from anything else, consumers would be unlikely to trust such a business: if there is a standard for protection why not adopt it?

The PCI-DSS imposes stringent and comprehensive requirements for any merchant who is handling sensitive credit card information. This applies not just to in-person purchases but also to those conducted over the phone, known as Mail Order/Telephone Order (MOTO) transactions.

The standard lays down twelve conditions, both operational and technical. These include obligations such as the use of firewalls and other measures of protection for cardholder data, encryption of data, anti-virus software, properly maintained secure systems and applications as well as regular testing of those systems.

Merchants must ensure restricted access to cardholder data to prevent it from being more widely disseminated than is absolutely necessary - those with authorisation must be given a unique ID and physical access must also be restricted. A system must be established to track and monitor all access to the network in general and the cardholder data in particular. Finally, as an over-arching measure, the business needs to maintain a security policy that is fully understood and followed by all personnel.


Payment Services Regulations

The PCI-DSS is the only protocol in place that specifically addresses MOTO transactions, but it's worth considering the ways in which the Payment Services Regulations (PSD2) might affect a seller. PSD2 requires merchants to meet a standard called Strong Customer Authentication (SCA), but this applies only to online payments that are initiated by the customer. A MOTO transaction is considered to be initiated by the merchant, so the SCA requirement does not apply. However, the merchant's bank does have to comply with PSD2, so it may carry out a risk assessment on any phone transaction and will only accept it if it carries an exemption from SCA.

Taking Payment Over the Phone: GDPR

The EU's General Data Protection Regulation (GDPR) further governs the processing of personal data. It requires the use of data to be transparent, fair, for only legitimate purposes and limited to what is absolutely necessary. Anyone whose details are stored can ask what information a company holds and must consent to its use beyond its original purpose.

All breaches must be recorded and data protection impact assessments performed in relation to new projects or changes to existing practices. The holder of the data remains responsible for it when it is transferred within the company or to a third party. As with the PCI-DSS, all personnel must be kept fully apprised of the company's systems and obligations.

That sounds like a whole series of headaches. Fortunately by using Paytia's Secure Virtual Terminal, you are not only adopting a simple and effective means of taking payments over the phone, but you are also gaining the support of a system of payment and accounting that is already fully compliant with PCI-DSS and GDPR as well as being SCA-ready. It couldn't be simpler to meet all your regulatory obligations while enjoying all the benefits of a versatile, fully international payment platform.
