How to Take Credit Card Payments Over the Phone (A Step-by-Step Guide for PCI-Compliant MOTO Transactions)

September 17, 2025

For many companies – especially those in traditional B2B sectors like manufacturing and distribution – accepting credit card payments by phone is still just as essential as it was 10 years ago. Customers may prefer to call in orders “because that’s how they’ve always done it”, or because it’s simply more convenient than doing business in person. Either way, merchants often need a way to process transactions remotely without having a physical card or card reader. 

Modern phone payments, however, focus heavily on integration – not just facilitating transactions as a standalone function. When a sales rep or call center agent opens their order entry screen (whether that’s in an ERP system, CRM, or other application) to accept a phone payment, the processing function should be built right in. This way, they’re not copying over order details to a separate payment system, slowing down the process and increasing the risk of errors. 

To make this streamlined approach a reality, you need the right foundation. That means choosing the right solution (accounting for everything from fraud protection and compliance standards to processing fees), then tailoring it to your specific needs. Here’s a step-by-step walkthrough for getting started with integrated phone payments. 

Step 1a – Choose a Payment Processing Solution That Supports Card-Not-Present Transactions 

MOTO (mail order / telephone order) transactions are classified as card-not-present payments, which are processed differently than card-present transactions in a traditional retail environment. They generally require a virtual payment gateway where you can manually enter payment details.  

When the gateway is fully integrated into your existing systems, you can launch it within your existing transaction workflows. Otherwise, you’d need to open a separate application to enter the payment amount and card details and send them to the authorization network. The more your systems are connected, the less manual data entry is needed, and the simpler reconciliation becomes.

We’ll talk in more detail about PCI compliance later, but an important rule of thumb to keep in mind: the fewer places your own systems touch cardholder data, the easier it is to meet your obligations. If you accept payments by phone in a way that reduces the number of places your systems touch sensitive information, you’re setting yourself up for success. 

To that end, IVR (interactive voice response) is an additional option that can be layered into phone processing workflows. With IVR, the customer enters their own card details on their own telephone keypad. Agents never hear or see card numbers or CVVs, which keeps them out of PCI scope. Meanwhile, customers gain more control over who has access to their payment data. 

Tokenization is another critical feature to look for. The first time a customer pays you, you can place their card “on file”. However, you don’t actually store the physical card number, CVV or card expiration date in your database or on your server. Instead, you store a token that you can reference the next time they call in an order. Phone reps can charge the card on file instead of asking the customer to read out the card number again, making credit card payments over the phone faster and safer.  
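The following is an added example, not code from the original article or from Curbstone: a check an order-entry system could run before saving a phone order, so that a card number an agent typed into a free-text field is caught instead of being stored next to the token. The field names, token format and sample records are assumptions made for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return masked (first 6 / last 4) forms of likely card numbers in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def check_order_record(record: dict) -> dict:
    """Map field name -> masked hits for every string field holding a likely PAN."""
    findings = {}
    for field, value in record.items():
        hits = find_pans(value) if isinstance(value, str) else []
        if hits:
            findings[field] = hits
    return findings

# Constructed sample records (not real customer data). 4111 1111 1111 1111 is a
# widely published test number; the token value is a made-up placeholder.
CLEAN = {"order_id": "SO-1001", "card_token": "tok_EXAMPLE_8f3a", "last4": "1111",
         "notes": "Charge card on file. Tracking ref 1234567890123456."}
LEAKY = {"order_id": "SO-1002", "card_token": "",
         "notes": "Cust read card 4111-1111-1111-1111 exp 12/27, will call back"}

if __name__ == "__main__":
    for rec in (CLEAN, LEAKY):
        findings = check_order_record(rec)
        print(rec["order_id"], "REJECT" if findings else "ok", findings)
```

The same function can be run over existing order notes or CRM exports to find card numbers that were written down before tokenization was in place; findings are reported masked so the scan output does not become another copy of the data.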

Step 2 – Evaluate Fees 

This may be more of a 1b than a truly separate second step, but now is an ideal time to ask about the fees for taking card payments over the phone. MOTO transactions typically have higher processing rates than in-person transactions. However, your solution provider may be able to help you negotiate better rates for all your credit card transactions – whether card-present or card-not-present. For instance, Level 2 and 3 processing can be applied to phone orders, and a minor change in the amount of data passed at the time of settlement can lead to considerable savings for qualified transactions.  

Step 3 – Consider PCI DSS Compliance  

One of the most important considerations for accepting credit cards over the phone is making sure you remain PCI compliant. The simplest approach is outsourcing the processing function to a Level 1 PCI service provider; they handle the heavy lifting for you. You’ll still need to complete an annual SAQ (Self-Assessment Questionnaire), but your PCI scope can be dramatically reduced. If you choose to manage more of the payment processing functions in-house/on your own systems, you’ll have to manage all of the security controls yourself – and report on a much broader scope when it comes time for your SAQ. 

Friendly reminder: no matter which route you go, be sure to validate your plan with a Qualified Security Assessor (QSA) to ensure your phone payment process meets all PCI DSS requirements. 

Step 4 – Design Your Phone Order Workflow 

When you start accepting credit cards by phone, decide where in your order process you want to capture/process payment details. Is it after you create an order with a quantity and price in your order entry application? After you receive a signed quote or purchase order and update the existing order in your ERP? Or, for refunds, where would you want to initiate a credit if a customer calls in to request a return or exchange?  

Once you’ve mapped out when and where these transactions should occur, work with your solution provider to execute.  

Step 5 – Evaluate and Implement Fraud Protection Settings 

Telephone payments generally come with a higher risk of fraud than card-present sales. As a result, it can be helpful to build in security measures – such as address verification – as part of your conversation with your solution provider. Ask what options they natively offer – or what recommendations they have for third-party solutions – and evaluate your own thresholds for risk.  

Step 6 – Train Your Phone Agents 

Once you’ve got the infrastructure in place, start training the team who will take card payments by phone. 

A typical walkthrough might look like this:  

  • Answer the call 
  • Confirm order details (e.g., quantities and prices) in your primary order entry application 
  • Enter new payment details, select a stored card token, or send the customer into an IVR flow 
  • Wait for an authorization (or card declined message) and verbally confirm the result with the customer 
  • Email the customer a receipt  
  • End the call 

If desired, create a script for your agents to follow with prompts for each key step. 

Step 7 – Prepare for Ongoing Security and Compliance Initiatives 

Once you start to take phone payments – even if you’ve already cleared your plan with a QSA – you’ll need to start including that environment in your annual PCI compliance reporting. (That may even include a separate SAQ specifically for your phone order infrastructure.)  However, if you choose a solution that lets you offload the burden to the service provider, you can complete one of the shorter SAQs for that environment (as opposed to the much longer SAQ D). It’s not a “set it and forget it” situation, but with the right strategy, you can make your routine obligations a days-long process rather than a weeks-long one. 

Start Accepting Credit Card Payments Over the Phone with Curbstone 

Accepting credit card payments over the phone can be fast, secure, and fully PCI compliant – if you integrate payments into your workflow, thoroughly train your team, and work with the right solution provider. Curbstone offers solutions purpose-built for taking payments over the phone without storing sensitive data on your systems – making the entire process much easier. 

Want to learn more? Contact us today to start exploring your options.