When it comes to taking card payments, there are essentially two categories: electronic (for example, contactless, or chip and pin machine methods), and manual, keyed entry, also known as card (or cardholder) not present. The latter is something of a misnomer, as it applies even if you are reading off your customer's card whilst they stand in front of you.
Thanks to the boom in online shopping and app sales, there are a great many situations that require keyed entry. Anytime a customer buys from your website, or takes out a subscription to one of your services, this becomes a cardholder not present transaction. This is in addition to transactions such as mail order/telephone order (MOTO) payments, digital invoices (including payment links), and card-on-file payments.
What you need to know about taking card payments
So why does this matter? After all, you can get software to accept and process these payments, and your customers are able to buy quickly and easily, often with a simple click of that “Buy now” button. Card not present transactions are a regular and reliable feature of our modern trading landscape.
In fact, paying attention to keyed entry transactions matters a great deal if you are the merchant. This is down to one important distinction between transactions where the card details have been entered by the customer, and those where the details have been entered by the merchant.
Many of the latter transactions rely on virtual terminals, secure web pages that you can access whilst logged into your payment service provider account, and then enter customer card details manually. And if you are using a virtual terminal to take payments over the telephone or through live chat, or managing card-on-file payments, you are subject to PCI DSS compliance.
PCI DSS compliance involves extensive paperwork and annual costs, but helps to improve vital security standards. Failure to comply can lead to data breaches, and, subsequently, fines and significant damage to your business' reputation.
Fraud: minimising your risk
Unfortunately, card not present fraud accounts for 68% of all UK debit and credit card fraud, and if a cardholder discovers a fraudulent payment has been made to your business, you will be issued a chargeback by your payment processing provider, leaving you out of pocket. This can prove costly, but fortunately there are ways in which you can protect yourself and your business.
Take advantage of fraud-screening tools to help avoid potentially criminal transactions, such as an external payment gateway. Offered by many card issuers (such as Verified by Visa or Mastercard SecureCode), an external payment gateway helps to authenticate cardholder identity, often requiring that the cardholder enters a password. This furthermore takes the liability away from the merchant in case of fraud being claimed later, meaning that chargebacks are avoided.
When taking payments, it's wise to protect yourself by taking extra details beyond the card number, such as the CV2 number, expiry date, full cardholder name or billing address. Information such as the cardholder's email address can also assist in verification, and it's good practice to have customers fill in an online form with such details if you are trading online. It's also crucial to make sure that times, dates and transaction numbers are stored for your records.
Another means of minimising the risk of fraud is the use of Address Verification Service (AVS), which entails checking for the customer's billing address details in order to achieve validation. It's usually performed by the card issuer via telephone. Whilst the UK is currently the only country in Europe able to use this service, it's extremely popular in the USA, which suggests that its use may well become more prevalent in the future.
Making transactions run smoothly
In order to make sure that your MOTO transactions are as secure as possible, it pays to adhere to these simple precautions. In the first instance, make sure that you have a virtual terminal in place. Whilst many companies offer this service, it's worth choosing a provider that can offer you valuable additional benefits, such as secure automated payment telephone capabilities. This means that your customer can enter their card details via their phone's keypad rather than reading out to a member of your team. This has the additional advantage of ensuring PCI DSS compliance immediately, as it negates your need to store sensitive card details.
Cardholder not present payments can be a popular target for fraudsters these days. Thankfully, there are now ample services and products available to make keyed entry transactions safer than ever. This is vitally important because it helps build customer trust, as well as ensuring that you are compliant with essential PCI DSS. Today, many virtual terminal providers take care of PCI DSS for you, and it's certainly worth exploring what options are available to you when choosing a package.
Would your company benefit from being able to take credit card payments over the telephone - without the need for the customer to read out their confidential details?
NO integration required - Quick - Easy to implement - Low cost solution - FULLY PCI DSS compliant