Security can be a big issue for a small business. PCI compliance has a fundamental role to play in the security of your telephone payments, but it can be a struggle to meet PCI requirements.
As EMV chip technology secures transactions where the card must be presented, criminals are targeting 'card not present' channels including telephone payments. That makes the telephone payment environment a target for fraud and makes PCI compliance more critical than ever.
What does PCI mean for your business?
PCI has an important function; it protects your customers' data when they pay by phone and safeguards your business against fraud and data breaches.
PCI standards apply to any type of debit or credit card payment, whether it’s made face to face, using an online payment gateway or by phone. There are four levels of compliance depending on the size of your business. Don’t be one of the 65% of SMEs that don’t meet the minimum requirements as that can cost you dearly in terms of a financial fine and your hard-won reputation.
Do I need to ensure my business is PCI compliant?
If you operate your own telephone payment system, yes you do. However, as technology continues to evolve and the guidelines are updated, there can be confusion as to which services and technologies fall within the scope of PCI compliance.
By selecting a payment solution from a service provider that is fully PCI-DSS Level 1 compliant, you can handle millions of transactions a year without the risk of paying non-compliance fines.
Best practice for PCI compliant phone payments
The PCI Security Standards Council offers the following recommendations for best practice when accepting payments over the phone:
- Create a culture of security: creating and maintaining a culture of security is paramount, but it can be all too easy to take things on trust when you’re running a small business. Roles should be defined clearly and data access restricted on a need-to-know basis. Regular PCI compliance training and safety checks should be implemented across the workforce, including any home-based workers. Focus on and evaluate risks such as data processing in unsecured locations and ensure that appropriate controls are implemented.
- Minimise opportunities for fraud: any SME should implement robust processes that support organisational security. Think about minimising risk by excluding data recording materials from the telephone payment environment, and implement effective monitoring and access controls.
- Use secure technologies: all technologies should be regularly checked for exposure to malware and other viruses, and for physical tampering such as a keyboard logging device. Implement multi-factor authentication whenever possible for users accessing the telephone payment system from an unsecured location.
The three steps to achieving PCI compliance
If you’re setting out to achieve PCI compliance, there are three steps in the journey:
- Assess and audit: undertake a comprehensive review of the cardholder data for which you’re responsible and the business processes you use. Aim to identify weaknesses and vulnerabilities that could expose data to risk.
- Fix it: do you need to hold sensitive cardholder data at all? Storing that data with a licensed third party is ideal, and is the fastest way to achieve PCI compliance.
- Report: finally, complete and submit the Self-Assessment Questionnaire (SAQ). This is a relatively short document, but it can represent some significant technical challenges, including daily virus scans, logging access, enforcing strict encryption and performing external penetration testing on a six-monthly basis. This costs time and money.
Common sense tips for payment security
Thankfully, there are some tips that are easy to action and will give you peace of mind when processing customer telephone payments.
Your staff are your front-line defence, so make sure they know the right channels through which to flag any concerns about a payment if something isn’t right. Destroy any customer payment details using a cross-cut shredder and make sure that merchant receipts print only the last four digits of a customer’s card number.
Get into the habit of running regular virus and malware scans on all devices used by your organisation, and create separate login accounts so that you can see at a glance which member of staff processed which transaction.
Choose your payment provider with care
At Paytia, we make sure that telephone payments are simple and secure. We’ll help you achieve PCI compliance and remove any opportunities for fraud with our Pay729 plan that requires no extra equipment other than a telephone handset.
Secured by the world’s largest payment vendors and trusted by PayPal, Sage Pay, Verifone and more, Pay729 lets you take payments by phone there and then and removes the burden of protecting customer card data. We offer a full range of solutions that will help you achieve PCI compliance without the hassle.
To read last week’s blog on how to ensure your business is PCI compliant, click here.