This week’s top tip looks at the key considerations when accepting card payments over the phone. For many organisations, taking card payments by phone is simply ‘business as usual’; for others it is a back-up channel or an occasional ‘one off’. A typical example of the latter is an online-only organisation that takes a small handful of payments over the phone when a customer has difficulty paying via the website.
To many organisations, having the facility, even just as a back-up, makes business sense. However, accepting payments over a modern phone system can introduce a number of security risks that many organisations are simply not aware of.
Let’s look at the three major considerations:
1: Scope
Many organisations don’t even consider the phone system as being in scope when they start thinking about how best to secure cardholder data. If your customers are reading their card details out over the phone to an operator then, yes, you guessed it, the phone system is in scope, and that is the point at which your responsibility for securing the data starts.
As most modern phone systems now use VoIP, the call audio will be traversing a data network, and that network should also be considered in scope when complying with the Payment Card Industry Data Security Standard (PCI DSS).
2: Data storage
If your customers are reading out cardholder data over the phone system, then any call recording system and its recordings will be in scope too – unless you ‘blank out/silence’ the part of the call in which the cardholder data is spoken.
This is one of the most overlooked aspects of PCI DSS scoping in organisations that handle a high volume of calls of which only a low percentage include card payments. A further challenge is that these recordings will most likely capture the card verification code (CVV2/CVC2), which is sensitive authentication data that PCI DSS does not permit to be stored after authorisation, even in encrypted form.
3: Staff workarounds
When staff handle cardholder data verbally, there is always the possibility that something will go wrong, e.g. they can’t hear the caller properly or the payment system is not responding quickly enough, and if your staff are trying to provide a quick and efficient service they may be tempted to find a temporary workaround.
Workarounds could involve jotting the card details down on paper to enter later, typing them into a notepad application or emailing them to a colleague. Every one of these actions widens the scope, pulling in systems such as the email platform, the operator’s workstation and any file shares or backups that copy of the data reaches. Yes, you need a back-up plan, but more importantly you need to train your staff effectively on what is and is not acceptable.
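One practical check for the ‘what if’ described above is to scan the places where workaround data tends to end up (shared mailboxes, exported notes, file shares) for anything that looks like a card number, and to mask what is found before it spreads further. The script below is an added example for this page, not tooling from the original article: it combines a loose digit-sequence pattern with a Luhn check so that order references and phone numbers are not flagged, looks for a CVV written beside a card number, and masks confirmed PANs to the first six and last four digits. The sample notepad text is constructed for illustration and uses industry test card numbers only.

```python
import re

# Constructed sample: the kind of scratch file a pressured operator might keep.
# 4111 1111 1111 1111 and 5500 0000 0000 0004 are well-known test numbers;
# the third entry has a deliberately wrong check digit.
SAMPLE_NOTES = """2024-05-17 14:32 caller line bad, system slow, entering later
Mrs Smith  4111 1111 1111 1111  exp 09/26  cvv 123  ORD-20240517-0099
Mr Jones   5500-0000-0000-0004  exp 01/27  ring back on 0800 123 4567
typo?      4111 1111 1111 1112  (declined, check)
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# "cvv", "cvv2", "cvc" or "csc" followed by a 3- or 4-digit code.
CVV_PATTERN = re.compile(r"\b(?:cvv2?|cvc2?|csc)\b\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def contains_cvv(text: str) -> bool:
    """True if a card verification code appears to have been written down."""
    return CVV_PATTERN.search(text) is not None


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _replace(match: re.Match) -> str:
        digits = _digits_only(match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    pans = find_pans(SAMPLE_NOTES)
    print(f"{len(pans)} card number(s) found:", [mask_pan(p) for p in pans])
    print("CVV written down:", contains_cvv(SAMPLE_NOTES))
    print(redact(SAMPLE_NOTES))
```

Run against the sample, the scan reports two confirmed card numbers, ignores the order reference, the timestamp, the phone number and the mistyped entry, and flags that a CVV was recorded alongside the card data. A hit in a mailbox or on a file share is direct evidence that a workaround has pulled that system into scope; the redaction only limits further spread and does not remove the need to find out how the data got there.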
So, as you can see, phone payments need careful consideration. Make sure you consider the ‘what if’ scenarios when defining your scope.
WANT TO LEARN MORE?
If you want to learn more about how to achieve PCI DSS compliance for your business register here to our webinar series