PCI Compliance: Over the Phone Payments

We have seen a rapid growth in online payments over the past few years. The rise of ecommerce has made this inevitable, but it has accelerated unexpectedly since early 2020. This is largely as a result of changes in consumer shopping behaviour enforced by the pandemic.


However, despite this growth, the telephone remains a hugely popular means of payment. Whether this is because people have a residual distrust or dislike of the perceived impersonality of online payments, or simply prefer the experience of engaging with a human being is not clear. The fact remains that for the foreseeable future any business, whether it is ecommerce only or a multichannel hybrid, needs to offer this option to its customers.


Some people may prefer the speed of paying by the click of a mouse or the touch of a screen. For the merchant, of course, this kind of ancillary sales opportunity is very valuable, quite apart from the fact that a customer on the phone is much less likely to change their mind at the last minute than they are when shopping online.


Online shopping requires the customer to qualify their own purchase from the limited information given in product names or descriptions. A simple phone call allows the customer to ask as many questions as they require to validate their purchase.

Others appreciate the chance to have a conversation in which they can ask questions that would otherwise be hidden in the terms and conditions before committing to buy. They also have a named individual to whom they can refer in the event of any problem, rather than just a reference number. We've probably all experienced the endless circle of poor after-sales customer service in which we spend a lot of time getting nowhere. There is still no substitute for speaking to human beings. For one thing they have some empathy and for another they often have discretion.


However, while many consumers may be suspicious about the safety of impersonal online payments, they are not always so cautious about making payments over the phone. By contrast, every business is, or should be, aware of the security issues involved and the compliance obligations it is under.


As the security of face-to-face and ecommerce transactions has been improved and fraud rates reduced by sophisticated risk-mitigating technologies, criminals have tended to refocus their attacks on the mail order and telephone order (MOTO) environment. Consequently, some vendors have chosen not to accept telephone payments because they fear the potential for data breaches and believe that such payments are inherently non-compliant. This is not true. When it comes to taking credit card payments over the phone, PCI compliance is just as applicable as it is to online payment methods and can be achieved by a similarly methodical adherence to the guidelines and regulations that have been set down by the payment card industry (PCI).


Although some of the measures required in taking phone payments will differ from those that apply specifically to online payments, they are no more onerous or expensive. They certainly shouldn't be seen as a bar to using the telephone, which can create a more satisfying customer experience while being extremely safe.


The PCI DSS in Brief


We don't propose to go into detail about the provisions of the Payment Card Industry Data Security Standard (PCI DSS) here, as we have covered it extensively elsewhere. It is sufficient to say that it was introduced by all the major card companies in a unique collaboration that improved and standardised security in all jurisdictions. It was devised in 2004 and since its implementation it has undergone several amendments to strengthen the regime that protects the financial data of cardholders. It applies to any business which accepts electronic payment of any kind via credit or debit cards, whether online or on the phone.


Its 12 core concerns cover the collection, storage, processing, transmission and deletion of customer card details. Among its requirements are firewalls, anti-virus software, access limitation, security training and management. Failure to meet any of the obligations can result in an overall fine for a breach as well as fines for every individual cardholder affected. In extreme cases, a company can have its facility to take card payments removed entirely.


PCI DSS sets out four different levels of merchant, based on the volume of transactions a business makes annually. The rules of compliance are the same at all levels. It is only the stringency of the verification procedures that differs, with Level 1 merchants being obliged to do significantly more to demonstrate their compliance. For the other levels, much of this is done through self-assessment, but it is not wise to cut corners or be economical with the truth in these self-assessments, because should a breach occur, your company will be liable.


When considering PCI compliance, taking payments over the phone raises questions about the recording and storage of data which are unique to this medium. In some companies, the call handlers simply input the customer's details directly into the payment gateway or virtual terminal and there is no physical record. However, many companies also record all customer telephone calls, and in some cases are even required to do so under the terms of other regulations. In both cases it is essential to observe PCI protocols.


The PCI Rules on Telephone Card Payments


All of the core principles of PCI DSS relate to phone payments just as they do to online ones. Most of them apply only after the payment has been made, but with telephone payments, it is the moment at which the payment is taken that is of particular interest in the present context.


For a criminal to carry out a successful act of card fraud, they need several pieces of information: the cardholder's name, the card number, the expiry date, and the 3-digit CVV code. In some cases they may need the PIN as well, but certainly not in all.


Under PCI DSS, there are clear restrictions as to what data can be stored after a payment has been made and which pieces of information must not be stored.


Storage is permitted of:

  • Primary Account Number (PAN) (partial digits can be retained)
  • Cardholder Name
  • Service Code
  • Expiry Date

Storage is not permitted of:

  • Full Magnetic Stripe Data
  • 3-Digit Security Code (CVC and CVC2, CVV and CVV2, CID, CSC, CVD)
  • Personal Identification Number (PIN).


Manual Recording


If your business employs call handlers to take credit card payments over the phone, PCI compliance is relatively straightforward, at least at the point of payment. The call handler must not write down any of the card details, and especially not the restricted items in the list above. If there is a very compelling operational reason to do so before entering the details, then it might be permissible, but the manual record must be kept for only as long as absolutely necessary and destroyed as soon as possible.


The call handler must not read any of the details back to the caller, even if the caller asks them to do so. This is because PCI DSS recognises the risks of being overheard, especially in a busy call centre.


Audio Recording


The last three items on our list may not be stored in any circumstances after the transaction has been concluded. For businesses that make audio recordings of customer calls, this represents a unique problem. A full audio recording of a payment call is de facto a form of storage and therefore forbidden.


Under PCI DSS, it is prohibited to use any form of digital recording in any format, including but not limited to WAV and MP3, if that data is capable of being queried. If a company has the technology to prevent the recording of these data elements, it must be used.


If any recordings are entirely secure and cannot be data-mined, then PCI DSS allows the 3-digit security codes to be stored after payment authorisation but only if the appropriate validation set out by PCI DSS has been carried out.


What is Non-Queriable?


If any Sensitive Authentication Data (SAD) is stored, it must be made non-queriable. Queriable data is of a kind that can be retrieved by the use of a search tool or a system instruction such as the following examples:


  • Decryption mechanisms
  • Data mining or analysis tools
  • Defined searches
  • Utilities designed for sorting, collating or retrieving data.


It is extremely important to note that encryption alone is not sufficient to render data non-queriable. In order to meet this requirement, it must not be possible for either authorised or malicious users to retrieve or access the data. Any of the means of gaining access, including those listed above, must be expressly authorised, strictly limited by operational necessity, documented and monitored. Furthermore there must be controls to prevent unauthorised access.


Call centres are particularly vulnerable to breaches of the rules because of the sheer volume of calls and the number of operators they employ. Under requirements 3.1 and 3.2 of PCI DSS, apart from severe restrictions on data retention, call handlers must mask all or part of the PAN, and access to this number must be limited to those who need it. For example, a sales agent requires access but a customer service representative does not.
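As an added example (not code from the page or from Paytia), the following Python applies the storage rules listed above to a record captured by a call handler: it drops every Sensitive Authentication Data field, masks the PAN to first six and last four digits, and scans free text such as call notes for Luhn-valid card numbers that should never have been written down. Field names and the sample record are assumptions constructed for illustration.

```python
import re

# Sensitive Authentication Data: PCI DSS forbids storing these after authorisation.
# Field names are assumed for this example.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "csc", "cvd", "pin", "track_data"}


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return only the fields PCI DSS allows to be kept, with the PAN masked."""
    kept = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue                      # never persisted, not even encrypted
        kept[key] = mask_pan(value) if name == "pan" else value
    return kept


# 13-19 digits, optionally separated by spaces or hyphens as a caller might read them.
PAN_PATTERN = re.compile(r"(?:\d[ -]?){12,18}\d")


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text (call notes, transcripts)."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample record using the well-known Visa test PAN 4111 1111 1111 1111.
SAMPLE = {"name": "A. Caller", "pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"}
```

Running `find_pans` over stored call notes or transcripts is a cheap check that SAD and full PANs have not leaked into a system that was supposed to hold only the permitted fields.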


Call Recordings


Clearly, making sure that stored data is non-queriable could present some serious challenges that most businesses could do without. Unless there are very good reasons, commercial or otherwise, to store SAD, it makes sense to avoid the issue entirely, which in the case of recorded phone calls can be achieved in various ways.


As part of their training programmes, many businesses instruct their call handlers to pause recording before the caller reads out the SAD elements of their card and resume it afterwards. This ensures that the information is never recorded on the audio, simply given to the call handler who enters it directly into the payment portal.


The weakness in this practice is that it relies entirely on the individual call handler to follow their standing instruction at all times. In a busy call centre it is very easy to neglect this step because there may be nothing to prevent the handler from continuing with the call even if recording hasn't been paused. Some call centre software may include a system of alerts but the success of this method ultimately depends on the call handler.


Other methods include removing call recordings, which may defeat the purpose of making them in the first place, taking call recordings offline, vaulting (securely archiving) the recordings, enforcing dual access to the vaulted recordings so that two people are required to retrieve them, or allowing only single calls to be retrieved. Whatever method is used, the 3-digit security code must never be stored: if it can't be excluded from a recording, it must be deleted from it as soon as the transaction has concluded.


None of these answers is ideal. In any case, before considering how to make data non-queriable, it is essential to make every effort to delete SAD. In order to store it you will need to identify a legitimate reason for doing so. Commercial and marketing considerations are never legitimate; only legislative or regulatory obligations can justify it. Even if such a reason exists, you still need to conduct a full risk assessment at least once a year, and the results of these assessments must be disclosed to the acquiring bank and card company as applicable.


As should be clear, any decision to store SAD involves walking into a minefield. There are so many points at which you could fall foul of PCI DSS requirements and there is so much work involved in trying to avoid this outcome that it is hard to imagine a situation in which you would voluntarily assume the risk.


The simple solution is to prevent card data from reaching the merchant's recording applications so that none of it is recorded. This is enabled with solutions like Paytia Secure Virtual Terminal, which allows card data to be communicated to the merchant's bank while customer and merchant are on the call, but without card data reaching the merchant or their recording infrastructure.


Management of Security


As we explained earlier, we haven't gone into all the detail of the PCI DSS requirements but remember that they all apply. This means you need to put in place a comprehensive security management system that includes regular software updates, firewalls, activity logs, password renewal, unique IDs for every employee, training and documentation. If you or your employees are taking credit card payments over the phone, PCI compliance must remain one of your top priorities. Without it you will put your business in serious jeopardy.

