top of page

Taking Credit Card Payments Over The Phone Regulations UK

Updated: Jan 17

UK Regulations for Taking Card Payments by Phone

With the rapid growth of online retailing, we've seen an accompanying increase in the resourcefulness and ingenuity of criminals. Our credit card details are immensely valuable and every time we use them we run the risk that someone will find a way to steal them. The experience may be rarer than most of us think but it remains a constant threat. Discover how taking card payments over the phone regulations uk apply to your business Making a payment by credit card over the phone has its own unique security issues. Such payments are called cardholder-not-present (CNP) transactions and specific standards and regulations attach to them for the purpose of protecting consumer rights.

PCI-DSS and taking card payments over the phone regulations uk

The most significant and furthest-reaching of these is the Payment Card Industry Data Security Standard (PCI-DSS). While this is a standard rather than a law, it is mandated by the credit card industry and realistically no responsible business would attempt to take credit card phone payments without conforming to it. Apart from anything else, consumers would be unlikely to trust such a business: if there is a standard for protection why not adopt it? The PCI-DSS imposes stringent and comprehensive requirements for any merchant handling sensitive credit card information. This applies not just to in-person purchases but also to those conducted over the phone, known as Mail Order/Telephone Order (MOTO) transactions. The standard lays down twelve conditions, both operational and technical. These include obligations such as the use of firewalls and other measures of protection for cardholder data, encryption of data, anti-virus software, properly maintained secure systems and applications as well as regular testing of those systems. Merchants must ensure restricted access to cardholder data to prevent it from being more widely disseminated than is absolutely necessary - those with authorisation must be given a unique ID and physical access must also be restricted. A system must be established to track and monitor all access to the network in general and the cardholder data in particular. Finally, as an over-arching measure, the business needs to maintain a security policy that is fully understood and followed by all personnel.


The PCI-DSS is the only protocol in place that specifically addresses MOTO transactions, but it's worth considering the ways in which the Payment Services Regulations (PSD2) might affect a seller. This requires merchants to meet a standard called Strong Customer Authentication (SCA) but applies only to online payments that are initiated by the customer. A MOTO transaction is considered to be initiated by the merchant so the SCA requirement does not apply. However, the merchant's bank does have to comply with PSD2 so it may carry out a risk assessment on any phone transaction and will only accept it if it carries an exemption from SCA.


The EU's General Data Protection Regulation (GDPR) further governs the processing of personal data. It requires the use of data to be transparent, fair, for only legitimate purposes and limited to what is absolutely necessary. Anyone whose details are stored can ask what information a company holds and must consent to its use beyond its original purpose. All breaches must be recorded and data protection impact assessments performed in relation to new projects or changes to existing practices. The holder of the data remains responsible for it when it is transferred within the company or to a third party. As with the PCI-DSS, all personnel must be kept fully apprised of the company's systems and obligations. That sounds like a whole series of headaches. Fortunately, by using Paytia's Secure Virtual Terminal, you are not only adopting a simple and effective means of taking payments over the phone, but you are also gaining the support of a system of payment and accounting that is already fully compliant with PCI-DSS and GDPR as well as being SCA-ready. It couldn't be simpler to meet all your regulatory obligations while enjoying all the benefits of a versatile, fully international payment platform.

Free trial banner graphic


bottom of page