3 key considerations when accepting card payments via the phone

3 key considerations when accepting card payments via the phone, PCI DSS, PAYMENT CARD, PAYMENT, CARD SECURITY, PAYMENT CARD SECURITY, PAYMENT CARD SECURITY STANDARD, PCIDSS pcissc, phone transaction

This week’s top tip looks at the key considerations when accepting card
payment via phone. For many organisations accepting card payment via
phone is just ‘business as usual’, for others it’s one of those things that is
done as a back-up or an occasional ‘one off’.  An example of the latter is
online only organisations which often accept a small handful of payment
via phone when a customer has difficulty paying via the website. 

To many organisations, having the facility, even if just as a back-up, makes
business sense. However, accepting payment via modern phone systems
can introduce a number of security risks that many organisations
are simply not aware of.

Let’s look at the 3 major considerations:

1: Scope increase

Many organisations don’t even consider the phone system as being in scope when they start considering
how best to secure cardholder data. If your customers are reading their card details out over the phone
to an operator then yes, you guessed it, the phone system is in scope and that is the point where your
responsibility for securing data starts. 

As most modern phone systems now use VOIP, the audio data will be traversing a network that should
also be considered in scope when complying with the Payment Card Industry Data Security Standard

2: Data storage

If your customers are reading out cardholder data over the phone system, then any call recording systems
and its recordings will be in scope too – unless you ‘blank out/silence’ the cardholder data aspect. 

This is one of the most overlooked aspects of PCI DSS scoping in organisations where there is a high volume
of calls but only a low percentage which include card payments. A further challenge can be that these
recordings will most likely contain the CVV code which is not permitted within the PCI DSS.

3: Staff training

When staff handle cardholder data verbally, there is always possibility that something will go wrong, e.g. they
can’t hear properly, or the system is not working quickly enough and if your staff are trying to provide a
quick and efficient service they may be tempted to find a temporary workaround. 

Workarounds could involve jotting the card details down to enter later, typing them into a notepad application
or emailing them to a colleague. All of these actions widen the scope and introduce other elements into the
scope such as the email system. Yes, you need a backup plan but importantly you need to train your staff
effectively on what is and is not acceptable.

So, as you can see phone payments need careful consideration. Make sure you consider the ‘what if’ when
defining your scope.


If you want to learn more about how to achieve PCI DSS compliance for your business register here
to our webinar series