Taking card payments over the phone

Our ultimate guide

We cover everything from the different systems you can use to take payments over the phone from your customers to the regulations you will need to comply with to avoid fraudulent activity and bank fines.

Despite the onward march of ecommerce, speaking to customers on the phone is back in vogue.

As competition in every market marches on, businesses are rediscovering the benefits of giving customers a bit of human-to-human love.

And whether it is to satisfy consumers who can’t use the internet, or who simply appreciate the convenience of having a service agent take care of everything on the call, from product selection to order, the ability to take customer payments on those calls is a core part of that service excellence.

In this guide we provide everything you need to know about accepting card payments over the phone securely and easily, without falling into any of the compliance holes along the way.

For those of you who still need convincing, we delve into how providing a customer phone service that allows you to accept payments can benefit your business’s bottom line.

Ways of taking card payments over the phone safely

As we indicated, taking card payments over the phone raises a new set of security and compliance challenges. The old way of asking the customer to read out their card details is becoming less acceptable to an ever more fraud-conscious public and puts your business at risk of fines for non-compliance with PCI DSS.

Secure phone-based credit card transaction technologies that address this problem have been available for many years, although how they affect the customer-service experience, how easy they are to implement, and how expensive they are varies significantly.

There are six secure options available for taking card payments over the phone:

  1. Use a virtual terminal in a secure environment
  2. Pause and resume
  3. Fully automated IVR
  4. DTMF masking
  5. Channel separation
  6. Payment links

Virtual terminal in a secure environment

You could choose to use a “virtual terminal” from your payment service provider or bank. 

A virtual terminal is a secure web page or application that merchants can use to process card payments without the card being physically present. They’re called “virtual” to distinguish them from the physical payment terminals or card readers used to process card payments when the cardholder is present.

However, just as with a card reader, the customer is still required to read their card details out to the agent. If you want to use this approach you are bound to implement a long list of draconian security measures to ensure that card data cannot be recorded in any way.

As we explain in our [blog], this is simply unviable for all but the largest contact-centre ‘farms’.

Pause and resume

This partial solution may get mentioned by phone companies. It refers to the pausing — and subsequent resumption — of call recording during the point in a conversation when the customer reads out their card details.

Call recording is an important part of many businesses’ service-quality assurance, and even a compliance measure in regulated industries like financial services. Capturing card data on recordings contravenes PCI DSS unless security and access controls are so tight as to make use of the recordings impractically restrictive. (Card data is also incredibly hard to remove from recordings once it is there!)

This only deals with one element of the people and systems that would fall into scope of PCI DSS; hence it is an outdated approach.

Fully automated IVR

A far better approach is to send callers to an automated and secure “interactive voice response” system — known as an “IVR” — that guides them through a series of automated prompts to submit card data and complete the payment.

These are suitable for simple and/or low-value transactions such as cinema tickets. They can, however, frustrate callers. If it’s important for your customer and your business that an agent stays on the call to discuss the customer’s needs, confirm the payment and place the order, then this isn’t the ideal solution.

DTMF masking

If you want to stay in touch with your customer during the payment process you want what is sometimes called a ‘mid-call’ solution.

DTMF-masking is a first-generation approach developed around ten years ago.

The caller and agent remain in touch throughout the payment process. The agent instructs the customer to use their phone keypad to enter the various card data strings. The DTMF tones are masked: the numbers are obscured by replacing them with a single flat tone, which is all the parties on the call hear.

The approach offers a seamless experience for customers. Generally it also allows calls to be recorded uninterrupted, since the customer’s keypad tones are intercepted upstream of the recording system.

But it does have some drawbacks.

Because the agent and customer can talk during card submission, there is a danger that either customers inadvertently read out their card numbers or unscrupulous staff ask them to. Card data also ends up on your call recordings — not where you want them!

Secondly, although the process is relatively simple, it does require agents to be trained to use the solution. This may be fine for high-volume contact centres, but not for businesses where multi-disciplinary staff are involved, or where phone payments happen only occasionally.

DTMF masking has historically been a solution exclusively for large contact centres. While that is changing, it is still only economic for mid-sized customer-service operations at the very least, and involves significant setup effort and cost.
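Both the pause-and-resume and DTMF-masking sections above note that card numbers spoken on the line end up in your call recordings, which pulls the whole recording platform into PCI DSS scope. As an added illustration (not Paytia’s code), here is a defender-side check in Python that scans constructed speech-to-text transcript lines for Luhn-valid card numbers, reports which lines contain card data, and redacts them to the last four digits; the transcript, the public test card numbers and the `[mm:ss]` line format are all assumptions.

```python
import re
from typing import List, Tuple

# Runs of digits optionally separated by single spaces or dashes, the way a
# read-out card number usually appears in speech-to-text output.
DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d)+(?!\d)")
PAN_LENGTHS = range(13, 20)  # card numbers (PANs) are 13 to 19 digits long

# Constructed sample transcript: 4111... and 5555... are public test card
# numbers, while the 16-digit order number on line 2 fails the Luhn check.
CALL_TRANSCRIPT = """\
[01:12] agent: can I take your order number please?
[01:20] customer: it's 1234 5678 9012 3456
[02:05] agent: and the long number on the front of the card?
[02:11] customer: 4111 1111 1111 1111, expiry 09 27
[02:30] agent: thanks, and the three digits on the back?
[02:34] customer: 123
[03:00] agent: for the second booking the card was 5555-5555-5555-4444
"""


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check-digit test that every genuine PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (as_written, masked) for each PAN-length, Luhn-valid number."""
    findings = []
    for match in DIGIT_RUN.finditer(text):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Order numbers, CVVs and expiry dates are the wrong length or fail Luhn
        if len(digits) in PAN_LENGTHS and luhn_valid(digits):
            findings.append((raw, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def lines_with_card_data(text: str) -> List[int]:
    """1-based line numbers whose recording segment is in PCI DSS scope."""
    return [n for n, line in enumerate(text.splitlines(), 1) if find_pans(line)]


def redact_transcript(text: str) -> str:
    """Replace every detected PAN with its masked form, keeping the last four."""
    for raw, masked in find_pans(text):
        text = text.replace(raw, masked)
    return text


if __name__ == "__main__":
    print("lines holding card data:", lines_with_card_data(CALL_TRANSCRIPT))
    print(redact_transcript(CALL_TRANSCRIPT))
```

The Luhn filter keeps order numbers and other 13- to 19-digit values out of the findings, but it cannot catch a card number that was transcribed with a digit wrong, so redaction is a detective control and not a substitute for keeping card data off the recording in the first place.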

Channel separation

A new take on DTMF masking, “channel separation” aims to offer the best of all solutions: an approach that allows customer and agent to remain in touch during the payment process, requires no training and removes any risk of card data being read out.

At the point of payment the customer and merchant lines are separated so that neither party can speak to the other. An automated payment assistant then guides both sides through the payment confirmation, card submission and authorization process. Customer and merchant can interrupt the process at any time to speak to the other person if required.

Paytia, who developed this approach — it’s patent-pending — have embedded it into a cloud self-service platform that enables any business to buy a single user license, connect it into their telephony and start accepting card payments over the phone in minutes.

Payment links

Last but not least, you could send customers a link to a secure payment page. Payment links can be sent by email, text message, over chat or as a QR code. They are a simple solution that is easy to use.

Checking whether your vendor is PCI DSS compliant

Any vendor of any repute offering these services will have to be PCI DSS compliant in their own right. 

It should go without saying that you should check they are genuinely cloud-based. This not only removes the complexities of deploying on-premises, but significantly reduces the scope of your exposure to card data.

You should expect any solution to remove at least 90% of the PCI DSS requirements with which you would otherwise have to comply. To check this, ask to see your prospective vendor’s “responsibility matrix”, which should explain which controls become their responsibility to achieve PCI DSS compliance and which stay with you.

READ MORE: 6 ways of taking card payments over the phone safely

The benefits of accepting card payments over the phone

Long, long ago there was no online shopping, no chat bots, no internet. All that existed were shops and shop assistants. If you couldn’t make it to the store there were catalogues.

For baby boomers that meant Spiegel, Sears, or maybe Freemans. For anyone under thirty — or parents of young children growing up in the noughties — who could forget that child paradise of the Argos Catalogue!

Placing an order was easy: you mailed or phoned it in. It was called MOTO.

Then along came the world-wide web. Businesses killed their carelines. Everyone became ecommerce crazy. The phone was dead.

In the last five years that’s changed. The US Federal Reserve estimates that today almost 1 in 4 dollars spent on remote, card-not-present (CNP) transactions is spent over the phone: a staggering $700 billion in the USA alone. The pandemic has accelerated what was already a steady growth trend, not just away from in-person shopping but towards phone ordering.

Providing phone support is not worthwhile for every business. But if you’re selling goods that are relatively high value or complex, and/or marketing to people who prefer not to or cannot shop online, then it’s a no-brainer.

As cloud-phone provider Aircall discovered in their 2021 global customer survey, if consumers can’t get the information or service they want online, they are going to turn to the phone for help. The 6,000 interviewees, from the USA, Canada, UK, France, Germany, Italy, Spain and France, ranked the phone as the preferred method of first contact and as providing the best experience.

As telephony has gone digital (voice-over-IP, or VoIP, to be precise) and cloud-based, businesses can choose from a growing list of cost-effective, easy-to-implement solutions offered both by the established phone companies and by new VoIP-based entrants like Aircall, Talkdesk and RingCentral, to name a few.

Similarly, adding the ability to accept card payments on the phone is becoming a lot easier. 

But before we delve into that, here are our top reasons why you should consider accepting card payments on the phone, all of which can add value to your business.

  • Your customers can customize their order and get advice on what to buy, which gives you the chance to let your customer service shine and can lead to higher purchase values.

  • You can accept payments over the phone from all major debit and credit cards, including American Express, Visa and MasterCard. And if you use Link to Pay, you can use authentication services such as Strong Cardholder Authentication to keep your business and your customers safe from fraud.

  • They give your customers a safe way to pay and give you a secure environment in which to collect card details, with real-time authorisation (dependent on the type of phone payment solution you opt for). This means you can manage declined cards and try to reduce the number of customers who abandon their goods at payment.

  • You can reach more customers than you did before.

  • You can create multiple user accounts for your business to increase the number of payments you can take at once, meaning you can take payments from different locations, all at the same time. This also means staff don't have access to your payment gateway account.

  • Taking payments over the phone is a smoother process, which means you'll free up more time to work on other areas of your business.

  • Your employees can use your Secure Virtual Terminal from wherever they are: in the office, at home or even on the beach.

  • You can use Paytia's fraud protection and security checks to make sure everything’s secure and PCI DSS and GDPR compliant.

READ MORE: Why you should accept payments over the phone

Free consultation

Get a free Secure Virtual Terminal demonstration.

Learn everything you need to know about taking payments using Secure Virtual Terminal.


What laws and regulations apply to my business for taking credit card payments over the phone?

Many businesses still use a card reader to take card payments. They ask the customer to read out their card details, which the company rep types into the terminal on their behalf. Few customers will question this practice; after all, it’s been going on for years. But ask them what they think about it and you’ll hear a growing chorus of concerns.

Why should the phone be any different from the considerable security measures that are provided to protect cardholder data in store or online?

Put simply, if you’re asking your customers to read aloud their card data, it’s highly likely that you’re not only exposing them to fraud, real or perceived, but also failing to meet mandatory payment-industry security standards (PCI DSS).

If you’re found to be in breach of these then your business could be heading for some heavy fines from your bank.

Payment Card Industry Data Security Standard

What is the PCI Security Standards Council? Founded in September 2006, the Payment Card Industry Security Standards Council sets operational and technical requirements in order to protect cardholder data. The Council is responsible for managing the security standards. Compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Should a business fail to comply with the standards, it is liable to non-compliance fines and high-risk processing fees.

Who does PCI DSS apply to? Any organisation that takes card payments, not just over the phone. No matter how large or small your organisation, this security standard will apply to you. If you fail to comply with the twelve requirements of PCI DSS then your business will be liable to large non-compliance fines, which can be levied by your bank, and to a loss of your business’s reputation.

What do I need to do to be PCI compliant? There are a few key requirements that businesses must meet in order to be PCI DSS compliant. Companies that handle card data must keep credit card information secure at all times. In addition, they must use a firewall to block and filter malicious attacks and regularly conduct vulnerability scans to find and fix holes in their security. Businesses must also have a written security plan that includes a risk assessment and details the steps taken to address any potential threats. Businesses must also adhere to specific standards when it comes to data transmission, including written policies on the transmission of sensitive data. Companies must also limit the number of employees with access to sensitive information, and they must report any security breaches to the appropriate card companies.

To learn more about other data-protection regulations you should be aware of, please read the blog below.

READ MORE: Credit card payments over the phone laws: security considerations

Are you restricted on what types of payments you can accept over the phone?

The types of transactions that require a phone conversation between buyer and seller often involve more than a single one-time payment. For example:

  • Holiday payments, which typically involve a deposit and multiple further payments
  • High-value goods or services payable in instalments
  • Subscription services for online courses
  • Buy-now-pay-later

You could be forgiven for thinking that accepting a card payment over the phone restricts you to simple, one-off immediate payments.

By selecting the right phone-payments technology there is no reason why your business and your customers can’t benefit from a wide range of payment options — payment reserves, card validation, recurring payments and more.

Offering a range of payment options is a great way to add value for your customers and your business by incentivising payment formats that benefit your finances as much as those of your customer.

Depending on your service provider there are a number of different payment types available. Decide what you want and check with technology providers that they can support them before you implement.

READ MORE: 5 Payment types for card payments over the phone

Getting Started

Here are six simple steps to follow to get your business ready to accept card payments over the phone in a way that keeps customers happy and your business compliant with PCI DSS and better protected under GDPR and other data-protection regulations.

1. How important is it to your quality of customer service and sales that you’re able to take payments during customer calls?

If efficiency is key to your business, and out-of-hours access is important to your customers, then a fully automated IVR solution may be best for you. Otherwise look for agent-assisted solutions like DTMF masking and channel separation.

2. How many people in your organisation will be taking payments and where are they located?

Most secure phone-payment vendors have developed their business serving large monolithic contact centres. Their technology has been shaped accordingly. This may be economically and technically ideal if you are a large contact centre. But for small or distributed businesses, these are going to be expensive. 

Paytia is the first provider to develop an agent-assisted solution for small or distributed teams — right down to a single user. 

For the time being Paytia stands apart in this space. Expect others to follow.

3. Are your staff multi-tasking or dedicated contact-center agents frequently taking calls and payments?

Channel separation or DTMF masking, that is the question.

4. Can it handle all the payment types you need?

Don't assume this to be the case. Ask the vendor and check.

5. Are the vendors you’re considering PCI DSS certified?

They should be Level 1 certified — and cloud-based to minimise your scope.

Ask to see their Attestation of Compliance, a declaration of their compliance with PCI DSS, and make sure it’s current.

Also discuss their Responsibility Matrix, which will explain which PCI DSS controls are delegated to them as opposed to shared or left with you. You should be left responsible for no more than 5% of the controls.

Your vendor should be able to help you complete whatever questionnaires and audits your bank will ask you to complete.

6. Trial the system

Make sure you try before you buy.

Get started with Secure Virtual Terminal in minutes

Start a free 14-day trial and upgrade your business’s security in minutes:

  • Suitable for sole traders and global enterprises.
  • Stripe payment gateway.
  • No long consultations and no fixed contracts.
  • Full PCI compliance for phone payments in minutes.