Accepting credit cards over the phone is more complicated than processing credit cards in a brick-and-mortar store, where merchants only need to provide a terminal for customers to swipe or tap their card. MOTO merchants need to securely pass the credit card data to the authorization network, which requires a virtual terminal or a credit card gateway. They also need to tie the transaction data back to the original order, which is often initiated in a separate ERP or order entry application. Then, they have to meet specific PCI compliance regulations for taking credit card payments over the phone and report on those efforts every year. To complicate things even further, these businesses have to protect themselves from card-not-present fraud and make sure they aren’t being hit with unnecessary fees.
While there’s no single “correct” way to set up a MOTO payment infrastructure, there are certain things that merchants can do to make their lives easier and keep more of their hard-earned revenue. Here are 7 common mistakes we see with businesses that accept credit cards over the phone:
1. Writing down physical card numbers on paper
When a customer calls in to place an order, customer service and sales representatives may write down the customer’s card information to process at a later date. (Maybe they’re working remotely and don’t have access to their virtual terminal, or maybe they’re busy working on three things at once and don’t have time to go through the full order process at that exact moment.)
The Payment Card Industry Data Security Standard (PCI DSS) doesn’t explicitly prohibit writing down card numbers, but it does prohibit writing down CVV numbers. (In fact, merchants aren’t allowed to store verification details in any manner, whether hand-written or electronic.)
Merchants are also required to follow highly specific regulations for securing that card data. Leaving it on a post-it note on their desk, for instance, is not PCI compliant. The vast majority of merchants who write down card data don’t do so in a compliant manner, which is why we – as a general rule of thumb – recommend that companies never write down card data, full stop.
2. Skipping card verification
Card-not-present fraud makes up nearly ¾ of all credit card fraud. It’s much easier for a hacker to obtain and use card details rather than a physical card itself – which means MOTO merchants need to be especially mindful of protecting their business. A trust-but-verify approach is warranted for all telephone orders. Using a card-not-present processing system that requires – at minimum – zip code and CVV verification is a solid start, although additional measures can further reduce the risk of fraudulent transactions.
3. Not segmenting their network
How merchants configure their MOTO solution directly impacts their compliance – which is why we’re so big on segmentation at Curbstone.
You can read our full guide to PCI scope here, but at a very basic level: any part of a merchant’s system that touches, transmits, or stores cardholder data must be included in an annual security audit. Merchants must complete this audit no matter what, but the more parts of their infrastructure that touches cardholder data, the longer and more complicated this audit will be.
Isolating cardholder data can make a big difference. For instance, if sales reps are entering cardholder data directly into their ERP, everything in their environment is considered in scope and must be audited. However, if they use a MOTO processing solution that is segmented from their other systems, they can remove most – if not all – of those systems from their audit. This can be the difference between spending a day answering 22 questions for the SAQ A and several weeks answering 329 questions for the SAQ D.
4. Recording their calls without using IVR
Many call centers record calls for quality assurance and training. That, by itself, is not an issue. However, if a call recording includes a customer reading off their credit card data and that recording is saved to a corporate server, the merchant’s entire network is considered in scope for PCI. (That brings them back to the long, complicated SAQ D.)
However, it is possible to record calls without those recordings containing cardholder data. IVR, or interactive voice response, lets customers type in their own card details on their telephone keypad. The phone rep doesn’t overhear the data, and it can’t be heard on a recording. This lets businesses record their calls without increasing their PCI scope.
5. Using single-channel tokenization
Payment tokenization lets merchants keep their customers’ cards on file without storing the card data on their system. This way, repeat customers can call in and place another order without having to get out their credit card – and phone agents don’t have to manually key in the details while the customer waits. However, many tokenization solutions are designed for use on a single channel. For instance, tokens that are created for phone orders can only be used for phone orders, and tokens that are created online can only be used online.
Because most customers purchase in whatever way is most convenient for them at that moment in time, it’s important to use an omni-channel tokenization solution. Omni-channel tokenization lets merchants create a token at the first point of sale, then re-use it everywhere they do business. If a customer buys goods or services at a trade show, in a store, online, over the phone, or even by mail, the merchant can reference the existing token for a fast and hassle-free transaction.
6. Letting decentralized data create extra work for Accounting and Finance
When companies accept credit cards over the phone, it’s not just a procedural issue for Sales or Customer Service. When Accounting or Finance go to close their books and reconcile their transactions, they have to tie credit card records to individual transactions. If the credit card data exists in one platform but the order data exists somewhere else, the process becomes time-consuming and messy – and that’s assuming there isn’t a discrepancy that needs to be addressed. Similarly, if they need to issue a refund or credit, hunting down decentralized data becomes an unnecessary waste of time.
Tight, seamless integration consolidates all this data into one place. Transaction data and order data are tied together; native reporting becomes faster and more efficient.
7. Paying extra fees to process improperly structured transactions
The card brands charge different fees to process different types of transactions. If a customer calls in to place a phone order but the merchant manually types the credit card number into the same physical terminals that they use for card-present/retail payments, that will trigger an extra fee.
Similarly, if a merchant processes a phone order for a business customer that pays with a corporate purchasing charge but does not pass the necessary data along with the transaction, they’ll pay another unnecessary fee. These fees, known as downgrades, can be avoided by following specific best practices for processing phone payments.
Discover a More Secure, Cost-Efficient Method of Accepting Credit Cards Over the Phone
At Curbstone, we’ve helped hundreds of merchants securely and cost-efficiently accept credit card payments over the phone. With a MOTO solution that helps merchants qualify for the shortest, least complicated SAQ and unlimited one-on-one guidance for structuring transactions, we’re here to make the process much less complicated. To learn more about improving your own approach to phone payments, contact us today.
