When you’re running a small business, you need to make it easy for your potential customers to make a purchase from you. And sometimes that means accepting card payments by phone. But is it safe to do so? How can you ensure that your customers’ financial data is never compromised?
The implications of getting it wrong can be severe. For the customer, parting with card information over the telephone raises questions about the authenticity and veracity of the business in question. For the business owner, ensuring the safety of customer data is paramount. There are hundreds of scammers just waiting to intercept financial information for nefarious purposes.
Any breach in data security can have profound financial implications in the form of crippling fines and even the complete withdrawal of card services. Getting it wrong can have far-reaching effects on the profitability, and even the viability, of your business.
Keeping PCI compliant
PCI DSS was created to provide customers and businesses with safety measures when paying by credit or debit cards. Also known as the Payment Card Industry Data Security Standard, PCI DSS is designed to assure the safety of card payments.
PCI DSS requires businesses to conform to certain standards when storing, transmitting and processing data from credit and debit cards. This isn’t something that can be approached haphazardly. The standards set out a series of clearly defined steps that ensure that the cardholder’s data is never compromised.
You could employ the services of a Qualified Security Assessor to determine the level of security required and help you to implement it, or you can opt to go it alone. However, bear in mind that there are strict fines for failing to comply with the regulations, so this isn’t something that can be done in a rush.
Start by establishing which level of compliance is appropriate for your particular business. You’ll then need to complete the relevant SAQ (Self-Assessment Questionnaire), together with an AOC (Attestation of Compliance). Copies of these documents must be submitted to all relevant payment providers and card issuers.
Not surprisingly, this creates quite a lengthy paper trail, but it’s possible to simplify the process by opting for a payment provider who is already certified as being PCI DSS compliant. This will allow you to access payment processing protocols with the minimum of fuss, since all the necessary documentation will already have been completed, saving you time and trouble.
Choose your payment provider
The majority of payment providers will already be PCI compliant, but some providers go that extra mile to provide extra levels of security. Fraud prevention is a primary concern, so some providers have introduced maximum limits for each phone transaction. In worst-case scenarios, this would prevent a scammer who has passed all necessary security checks from completing a transaction above a certain value. Not all virtual terminal providers currently offer this service, but it’s something well worth considering.
Basic security processes
Nearly all card processing virtual terminals require the same security information: the 12-digit card number, the expiry date of the card and the CVV, also known as the security code. The software systems then ensure that the security code precisely matches the information that the card issuer holds for that particular card.
Some security checks also use an AVS (Address Verification System). This may require authentication of part of the address to confirm that the cardholder is legitimate.
Experienced providers such as Paytia can offer additional support for phone transactions, ensuring that your staff are never in contact with sensitive card data.
Ensuring that your staff are fully up to speed is absolutely essential, particularly for employees who process payments by phone. It’s probably best to arrange for background checks for anyone processing payments, to make sure that they are trustworthy and reliable, but it’s also advisable to arrange for any necessary training in payment processing.
When implementing staff training, consider the points that need to be raised regarding taking payments by phone in order to limit fraudulent transactions. For example, you should take a 'clean room' approach and ensure that employees never write down credit or debit card numbers, expiry dates and security codes. This sensitive information should never be stored in any way, either on paper or in electronic format.
It’s a good idea to create completely separate accounts for each member of staff. This enables you to look back over transactions and check who processed each one. This will quickly help to identify any irregular activity or practices.
Ensure that you never print a customer’s complete card details on receipts. The majority of payment providers automatically blank out all but the last four card digits, but this is something that you should ensure throughout every transaction. And if you find any documentation containing sensitive customer or payment information, make sure that it’s appropriately destroyed or shredded.
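As an added example (not from the original article or from any payment provider's software), the Python check below finds card numbers left in free text such as order notes or receipt drafts and blanks out all but the last four digits. It assumes card numbers are 13 to 19 digits long and pass the Luhn checksum; the sample note, the function names and the test card number in it are constructed for illustration.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by
# single spaces or hyphens (assumption of this example).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card_numbers(text: str) -> tuple[str, int]:
    """Blank out all but the last four digits of each card number found.

    Returns the masked text and the number of card numbers masked.
    Digit runs that fail the Luhn check (order references, phone
    numbers) are left untouched to limit false positives.
    """
    found = 0

    def _mask(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()
        found += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CANDIDATE.sub(_mask, text), found


# Constructed sample: an order note typed by staff during a phone payment.
SAMPLE_NOTE = ("Phone order 1234567890123456: card 4111 1111 1111 1111, "
               "exp 12/27, paid 49.99")

if __name__ == "__main__":
    masked, count = mask_card_numbers(SAMPLE_NOTE)
    print(count, "card number(s) masked")
    print(masked)
```

A non-zero count on stored notes or exported documents means card data was written down somewhere it should not have been, which is the situation the staff training above is meant to prevent.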
Finally, don’t neglect regular malware and spyware checks on your computers. Your computer antivirus software should be updated regularly too, to keep it working at maximum efficiency.