6 min read

Credit card payments over the phone laws: security considerations

Featured Image

Five years ago you could be forgiven for thinking that the use of the phone for engaging with customers was dead - a relic of the pre-e-commerce era. 

How things have changed. Increasingly businesses recognize that phone can play a key part of a multi-channel customer engagement, giving customers easy access to advice and help. Taking orders and payments on the same call is a natural extension offering even greater convenience for the customer, and for the merchant represents an opportunity to complete the sale.

Security is of course paramount. Global card fraud has tripled since 2011 to $32 billion according to analysts Merchant Savvy. Set against this, the moral and commercial imperatives to protect customer from fraud or card-data theft is clear.

The good news is that the governments and the payment industry make it clear what minimum measures merchants must adopt. The complication is that if you fail to comply your business could be heading for substantial fines. 

There are three regulations to be aware of if your business is taking card payments on the phone:

  1. The Payment-Card Industry Data-Security Standards (PCI DSS), which applies world-wide;
  2. Data-protection legislation such as GDPR, the UK Data-Protection Act (DPA) and the Californian Consumer Protection Act (CCPA);
  3. The European Payment Services Directive (PSD2), covering the Europe Economic Area and the UK.

This article will consider the impact and implications of these starting with PCI DSS.



What is PCI DSS?

Credit-card companies, American Express, Discover Financial Services, JCB International, Mastercard and Visa, established PCI DSS in 2006 in an effort to stem the rise in card fraud in particular from remote-card payments.


PCI DSS provides a common set of standards with which merchants accepting credit cards and other payment-processing organizations must comply to ensure consumers’ sensitive card data is protected during capture, transmission and storage.

What are the implications of non-compliance?

If you can't prove your PCI-DSS compliance then your business could face a number of negative consequences such as fines for failing to comply with the regulation ranging from $5,000 to $100,000 a month, and of course reputational damage.

Since this is an industry regulation, fines are imposed on you by your acquiring bank which is responsible for processing card payments on your behalf.

Your acquiring bank is, in turn, answerable to the PCI Security Standards Council. If one of their merchants is non-compliant, the bank will be liable for equivalent fines until the merchant is compliant.

How do you prove compliance to your bank?

Depending on the value of transactions you make, your bank will ask you to either self-certify or be independently audited by a qualified security assessor. (“QSA”) Most small to medium-sized businesses will fall into the former category.

Merchant requirements of PCI DSS

PCI DSS requires merchants and other payment processors to protect customer card data by meeting twelve requirements. These break down into over 300 sub-tasks which cover the gamut of people, processes and systems involved.

Outsourcing the problem

Don’t panic! The task of securing your business to take card payments on the phone can be simplified using a suitable cloud-based PCI-compliant service to protect cardholder data during a transaction and prevent from reaching your business. 

For example, instead of staff inputting customer card details into a third-party input screen, they use their phone keypad to communicate the data to an intermediary service that interacts with your bank to approve payment without that data reaching your business. Because such cloud services operate outside the boundaries of your business, 94% of your PCI DSS obligations are covered by your service provider. 

An example of the type of virtual terminal system used for this purpose is Paytia’s Secure Virtual Terminal. When you use a solution like this, the service provider should be able to provide you with certified documentation that explains what is and is not covered from a PCI-DSS-compliance perspective.


We cover the different solutions for accepting card payments on the phone in another blog.

Data-protection legislation

Much attention has been placed on the need for businesses to comply with data-protection rules such as the EU’s General Data-Protection Regulation (GDPR), the UK’s equivalent, the Data Protection Act, and California’s Consumer Protection Act (CCPA).

Taking steps to protect your customers’ card data is important in this regard. Card data is another item of personally identifiable information (“PII”) that, if a merchant was to capture and store it, would have to be managed according to their regulations. Like PCI DSS, a failure to adequately protect that data could result in considerable fines.

Again, the simple solution is to use a secure payment service that removes any need for you to collect card information in the first place.



The EU Payment Services Directive (PSD2)

The Payment Services Directive was devised to make electronic payments easy, efficient and more secure across Europe, and includes a requirement for merchants to enforce “Strong Customer Authentication”.

This requires merchants and their payment service providers — from payment intermediaries to acquiring banks and card issuers — processing card payments whether the customer is not present, to ensure the cardholder’s identity is verified at the point of payment using at least two of the following three elements:

  • Knowledge — something the customer knows such as a password or PIN
  • Possession — something the customer owns; for example a card, a phone or a hardware token
  • Inherence — something the customer is such as a fingerprint or face recognition

This is variously referred to as “two-factor” or “multi-factor” authentication (MFA). 3D Secure is a form of two-factor authentication applied and used for ecommerce online transactions.

This is applied to only certain types of payments. Phone-based transactions are one of four where strong customer authentication is not mandatory. These are:

  • Merchant Initiated Transactions (MITs) — Where a cardholder has pre-agreed (and pre-authenticated) a future transaction(s), and may not be available to authenticate at the time that it is initiated
  • Mail Order, Telephone Order (MOTO) — MOTO transactions are those made remotely, via mail or telephone
  • One-leg-out Transactions — Defined as those transactions where one of the issuer or acquirer is outside of the European Economic Area and UK
  • Anonymous Transactions — Customers do not need to complete SCA when an anonymous payment method is used, e.g. a gift card

Since Strong Customer Authentication is a process that is managed by the cardholder’s bank, it is important that you ensure card payments taken over the phone are flagged as “MOTO” payments by your payment service provider. If you are in any doubt on this, contact your PSP’s support team.


Where to get help

If want more in depth or specific advice on taking card payments on the phone — or in other scenarios — here are some useful sources:


  1. Your bank or payment service provider. Larger ones will have a security team available who can provide advice
  2. Payment Card Industry Security Standards Council has a wealth of information too
  3. Find a local qualify security auditor (QSA). The following directory is a good starting point. Click here.
  4. Drop a line to Paytia and we can help.

Read our Ultimate guide to taking phone payments