How to Accept Card Payments Over the Phone

Whatever your line of business, it pays to have as wide a range of payment methods as possible. They will earn you money in the long run. In the age of convenience, you can never assume that any payment method is invalid or old hat. There has long been a sense of unease about taking card payments over the phone, but in this modern, security-conscious age, such concerns feel less valid than ever before.

Understanding Phone Payment Processing

No one payment method is a one-size-fits-all for all types of business, and accepting card payments over the phone comes with both benefits and challenges. Having the ability to take payments instantaneously from a distance is a boon to many businesses. Some customers just like the interaction. Some may not understand how to or want to make payments online and be unable to do so in person.

But there are also challenges. Research found that 76% of the total value of card fraud in the UK in 2019 came through CNP transactions, though it should also be added that the total figure was also a 7% decrease on the previous year. The biggest risks associated with phone payment processing come from not following compliance guidelines for the secure use of card payments.

Legal and Security Considerations

The compliance guidelines for the use of card payments are known as PCI DSS compliance. PCI DSS (Payment Card Industry Data Security Standard) is a standard issued by the five largest credit card companies to help reduce costly consumer and bank data breaches. Complying with it is critical. Failure to do so could result in fines for your company and an immediate loss of trust with your customers. All reputable payment processors should be PCI compliant, but don’t forget; that the legal responsibility for that compliance is yours!

In a broader sense, Data Protection has given way to General Data Protection Regulation or, as it’s become better known, GDPR, in recent years, and there is an important distinction to make between GDPR and PCI DSS. The latter was designed specifically for the protection and security of Mail Order and Telephone Order (MOTO) payments, whereas GDPR has a more general application to personal data of all kinds.

Data in terms of GDPR may be defined as including names and email addresses as well as location information, ethnicity, gender, religion, web cookies and even political opinions. Data processing includes the storage of this information but also includes collecting, organising and even erasing. In practice, anything a business might do with a customer's information is covered by GDPR.

When it comes to data processing, this must be lawful, fair, transparent and limited to the purposes for which the subject originally consented, with no more than the absolute minimum to be stored. This data must be kept accurate and up to date, for only as long as its legitimate purpose lasts, and in a secure system, ideally using encryption.

Your business must be able to demonstrate its compliance if investigated, and this is important, should this happen. If you can't show you are compliant then you are judged not to be. To remain GDPR compliant, your organisation needs to assign data protection responsibilities, maintain documentary records, train staff, execute data processing agreements with third parties and appoint a Data Protection Officer to monitor the entire compliance process.

Is It Safe to Accept Card Payments Over the Phone?

Taking card payments over the phone can be completely safe, so long as you're following the correct measures, including PCI DSS compliance and GDPR. Make sure that any businesses that you partner with are fully compliant!

What is a Card Not Present (CNP) Transaction?

Card Not Present (CNP) transactions are those which occur when neither the cardholder nor the credit card is physically present at the time of the transaction. They’re most common for orders that happen remotely — over the phone or by internet or mail.

How Can I Verify the Authenticity of Cardholders During Phone Transactions?

The Card Validation Code or Value, or Card Security Code, refers to either magnetic-stripe data or printed security features on a card. The most common example of using the CVV during a transaction is to use the three-digit code on the back of the card (or the four-digit number on the front for American Express) for telephone transactions.

How Can I Protect Customer Data During Phone Payments?

Protecting your customers’ data is critical. You can do so by following best practice guidelines from the Payment Card Industry, using multi-factor authentication to confirm customer identities, adhering strictly to relevant GDPR and data protection regulations, and ensuring that the systems that you use are secure and up-to-date.

Secure Phone Payment Methods

As the use of credit and debit cards has expanded and grown over the years, so has the need for greater security around them. Historically, encryption with reversible cryptographic ‘keys’ was the preferred method of protecting sensitive data, but in recent years a growing number of organisations have moved from encryption to tokenisation as a more cost-effective and secure way to protect and safeguard sensitive information.

Tokenisation is the process of protecting sensitive data by replacing it with an algorithmically generated number called a token. These tokens can then be passed through the internet or the various wireless networks needed to process payment without actual bank details being exposed and sensitive data held safe in a secure token vault, with the aim being to prevent (or at least substantially lower the risk of) card cloning during the transaction.

You should also use multifactor authentication over the phone, which requires more than one factor to verify the user's identity, where possible. PINs, passwords, security details (name, address, etc) and one-time passcodes, in which a number is sent by text message to the customer’s phone for them to repeat back, can all be used for this. You can also use your own ‘authorisation’ levels, in which limits, rules, or policies applied by your business determine which actions or transactions are allowed or denied.

Payment Gateway Integration

A payment gateway is a technology platform that acts as an intermediary in electronic financial transactions. Some well-known payment gateways include Stripe, Square, Paypal and Amazon Pay. They enable both in-person and online businesses to accept, process, and manage various payment methods—such as credit cards, debit cards, and digital wallets—securely and efficiently. The payment gateway bridges the gap between the customer, your business, and your respective financial institutions. There are two main types of payment gateway:

• Hosted payment gateways redirect customers from checkout to complete a payment. The benefit for you is that the gateway is responsible for the security of the transaction and the customer’s data, and that’s a lot of peace of mind.

• Integrated payment gateways use the gateway’s API so the gateway is within your checkout, so customers don’t need to go elsewhere to complete transactions. This should make transactions quicker, but it also makes your business responsible for transaction security and customer data

Many gateways, including hosted ones, can facilitate phone payments, but this doesn’t necessarily mean that it’s a good idea. The fees can be high per transaction and the help available if anything goes wrong can be limited to non-existent, depending on which gateway you’re using and whether you’re hosting it yourself.

Which Payment Gateways Are Suitable for Phone Payments?

Paypal is arguably the best-known of all the payment gateways in the world. It has the facility to be used for phone payments, is easy to integrate into checkout, is free to set up (PayPal will charge a fee per transaction) and is a well-known brand name. It even makes international payments easy to accept. But all this convenience comes at a cost. Paypal charges on a per-transaction basis, and it can be expensive.

Square charges a transaction fee of just 2.5% with no monthly, setup, or PCI compliance fees, but they may not be suitable for higher volume users. Worldpay is extremely well-known and offers a wide range of different payment options and is good on set fees, but you have to pay for 24/7 support. Stripe charges fairly high fees and can take 7 days to pay you. Amazon Pay has a hugely recognisable and trusted brand name, but again fees are high for smaller payments while there is a wait period of 3-5 days for payment.

Which gateway is right for you will likely depend on the specific needs of your business.

Step-by-Step Guide to Accepting Card Payments Over the Phone

Exactly how do this will vary slightly depending on exactly what hardware and/or software you’re using, but broadly speaking these are the steps to follow:

1. Open the virtual terminal interface from your web browser, and log in.

2. Enter the price of the sale, and hit ‘manual card entry’ (or your terminal’s variation of this).

3. Have the customer read out their card details, and enter them

   immediately into the portal (this is important – a failure to do so could be considered a breach of PCI compliance). Don’t write these down!

4. Key in the address associated with the card if required (this is also crucial, as virtual terminals use address verification services to verify transactions).

5. Hit ‘confirm’ or ‘OK’, and await the response. It should be back with you in seconds.

Tips for Effective Phone Payment Processing

Some tips for best practice when processing card payments include:

• Do not store sensitive customer information unless necessary.

• If you must store sensitive customer information, encrypt it and store it in a secure location.

• Never write down or share customer card information over the phone.

• Use a secure communication channel, such as a virtual private network (VPN), when taking card payments over the phone.

• Use strong passwords and security measures to protect your computer systems...

• Regularly monitor your systems for security vulnerabilities.

• Use multi-factor authorisation if possible.

• Ensure that any employees taking phone payments are fully trained in all protocols and understand the importance of security measures.

Remember, simple mistakes can lead to data breaches and potentially even legal trouble, and basic lapses in PCI DSS compliance are the biggest factors behind the risks associated with this form of payment.

Phone Payment Fraud Prevention

CNP fraud usually occurs when a fraudulent actor obtains stolen credit card information through data breaches or other means and then uses that information to make unauthorised purchases. Another method is when a fraudulent actor uses social-engineering tactics, such as phishing, to obtain the card information directly from the victim. While most of this type of fraud now covers payments made online, this can also extend to payments made by phone.

There are steps that you can take to reduce the risk from these activities to your company. Fraud detection tools such as address verification or IP geolocation can help to verify the identity of the customer and detect suspicious activity. Strong authentication protocols such as multi-factor authentication and tokenisation will protect card information, while maintaining clear, accessible records of all transactions, including delivery information and customer communications, which will make disputes easier to resolve.

How to Choose the Right Phone Payment Service Provider

The right phone payment service provider for you will be dependent on what you do, how you collect payment already, and what you want to do with the new service at your disposal. The needs of a sole trader who only takes a tiny number of card payments over the phone every month, for example, would be vastly different to any organisation which takes hundreds or thousands every day.

Price is important. Every penny spent on this is a penny off your bottom line, after all. Different providers offer different services to different types of businesses and different structures of payment which are dependent on several different factors.

But it should also be added that price isn’t everything. Beware the risk of trying to make false economies, but also remember that profit margins can be tight at the best of times. Don’t eat further into them by going for bells and whistles that you will never use.

Customer support is also important. If something goes wrong mid-transaction, how easy will it be to quickly get support from your provider? This will matter more to some businesses than others, so remember that the first step in the process of moving to take card payments over the phone should be to know your customer.

There are security hurdles to clear to be able to do so, but accepting card payments over the phone is a valuable string for any business to be able to add to your bow. And if all of the above looks a little daunting, SwitchPal can help! We have a panel of trusted payment processors and can make it quick and easy to find the best service for your business. With security levels for these payments stronger than ever, there’s no reason for your business not to be making this switch too.