The Payment Card Industry Data Security Standard (PCI DSS) outlines the security requirements for any merchant that accepts credit card payments. The applicable requirements depend on how, and on which channel, a merchant accepts cards. Merchants who accept MOTO (mail order/phone order) payments must meet specific requirements to account for the fact that card-not-present telephone transactions pose more risk than standard card-present transactions – both for the merchant, who has to protect their organization from card-not-present fraud, and for the customer, who needs peace of mind that the merchant is protecting their data in an appropriate way.
In PCI terminology, an environment where credit cards are processed over the phone is considered a “telephony environment.” This can be a traditional office, a call center, or even a remote employee’s home workspace.
For the purposes of PCI compliance, these environments include:
- The hardware and software systems that the merchant uses to accept credit card payments (e.g., order entry software; workstations or mobile devices that run virtual terminals; and/or an IP-based phone system), as well as any call recordings that contain payment card information
- The other systems to which those technologies are connected (e.g., a corporate intranet or shared network directory server) – even if those systems are not actively involved with credit card processing
- The people who come into contact with cardholder data during or after a transaction
Businesses that accept credit card payments over the phone must use (and report on) appropriate security measures for all of these components.
PCI-Compliant Best Practices for Accepting Credit Cards Over the Phone
Merchants have some flexibility in the specific measures they use to secure their environments. (A Qualified Security Assessor can provide tailored recommendations for satisfying specific regulations.) However, the Payment Card Industry’s best practices for credit card processing by phone include:
- Make sure all employees who have access to customers’ credit card data undergo a background check or comparable form of screening.
- Make sure all employees – whether or not they have direct access to customers’ credit card information – complete regular security training.
- Only provide access to credit card data on a “need to know” basis. (For instance, allow sales representatives to enter credit card data when processing a transaction, but do not allow customer service teams to access this information after the fact.)
- Make sure only authorized users have access to your hardware, software, and workstations.
- Create policies to protect payment card data from unauthorized access. Make sure these policies specifically address remote workers and the use of cell phones in your processing area, if applicable.
- Use strong encryption protocols to protect cardholder data when transmitted across public networks.
- Make sure remote workers use multi-factor authentication and a VPN when connecting to your systems.
- Do not store authentication data, such as CVV codes. (This includes call recordings where the customer reads out their CVV code to the phone agent.) While it is best practice to use this information to validate card-not-present payments, PCI regulations state that it must be made unrecoverable after the transaction is authorized.
- Do not allow direct connection between systems that store call recordings and the Internet.
- Ensure that employees are only using company-approved hardware (e.g., workstations, mobile phones, and telephone handsets).
- Implement controls to prevent the unauthorized transmission of call recording data.
- Make sure firewalls and virus protection software are installed and up to date.
- Apply patches and updates regularly, as soon as they become available.
- Make sure users cannot disable your security controls.
- Complete your quarterly vulnerability scans.
While these best practices are a great place to start, there are a few additional measures you can consider to help your business better protect telephone-based payment card data.
Don’t Write Down Card Numbers on Paper
While it is technically possible to store card numbers on paper and be PCI-compliant, doing so consistently is easier said than done. (For instance, leaving a customer’s card number written on a post-it note on the side of a workstation does not comply with the DSS.) Entering cardholder data directly into your payment processing software reduces the risk of unauthorized access.
Use Tokenization to Secure Your Credit Card Phone Orders
When you accept an order over the phone, you can create a token to store on your system in place of the full primary account number (PAN). This lets customers place a card on file for future orders, while helping you meet PCI regulations for storing PANs. Returning customers don’t have to read you their card number and security code each time they call in, and your phone agents don’t have to re-enter the same information for each transaction. Meanwhile, the tokenization provider deals with the technical aspects of securing the data behind the scenes.
One thing to keep in mind: if you accept credit card payments on multiple channels, you’ll want a tokenization system that lets you re-use tokens in multiple places. (For instance, if a customer makes their first purchase online, then calls in to re-order, you’ll need an omni-channel tokenization solution to let your phone agents re-use the token from the original online order.)
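The following is an added illustration, not Curbstone's product or code, of the tokenization pattern described above together with the "never store the CVV" rule from the best-practices list. It assumes a vault-style service in which a random token (not derived from the PAN) stands in for the card number, the same card yields the same token so a token created on one channel can be reused on another, and the merchant's own record keeps only the token and the last four digits; the test card number and CVV are constructed sample values.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used only to reject obviously mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization provider: the only component that ever holds a full PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}  # same card -> same token, so web and phone orders share it

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)  # accept spaces/dashes as read out by an agent
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_urlsafe(16)  # random, carries no PAN bits
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the vault (on behalf of the payment gateway) recovers the PAN."""
        return self._pan_by_token[token]


def card_on_file_record(vault: TokenVault, pan: str, cvv: str) -> dict:
    """Build the record the merchant stores after a phone order.

    The CVV is available to the authorization call made here (simulated) and is
    then dropped: it must not appear in the stored record or any recording.
    """
    token = vault.tokenize(pan)
    digits = re.sub(r"\D", "", pan)
    # Simulated authorization: the gateway would receive (token, cvv) here.
    del cvv
    return {"token": token, "last4": digits[-4:]}
```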
Use IVR Technologies to Limit Data Exposure and Reduce Your PCI Scope
IVR (interactive voice response) software lets customers enter their own cardholder data using their telephone keypad instead of saying it out loud to a phone agent. (PCI considers this an “unattended transaction”; it may let you take your call center out of scope for your reporting.)
Isolate Your Payment Processing Solutions from the Rest of Your Network
As noted earlier, any part of your system that touches your payment processing infrastructure – even if the technologies aren’t actively involved with transactions – needs to be included in your annual compliance questionnaire. However, parts of your system that don’t touch your payment processing infrastructure don’t need to be reported on. If you process credit card transactions on a solution that doesn’t touch other parts of your network, you can considerably reduce your reporting requirements.
Proving Compliance with PCI Phone Order Regulations
Once you have your phone order processing infrastructure in place, you’ll need to complete an annual PCI Self-Assessment Questionnaire (SAQ) to document your security efforts. You’ll need to submit the completed forms (along with any other necessary documentation, such as a copy of your completed vulnerability scan results) directly to your acquirer. In some cases, payment brands such as Visa and Mastercard may ask you for this information as well. Acquirers often charge non-compliance fees to businesses who do not provide this documentation.
Reduce Your Compliance Burden with Curbstone
At Curbstone, we’ve helped hundreds of merchants securely process credit card transactions for their phone orders. (Many of these merchants have even been able to remove their call centers from their PCI scope and avoid the time-consuming SAQ-D.)
Whether you’re already processing MOTO transactions and looking for a more secure way to do so or just getting started for the very first time, we’ll help you develop a PCI-compliant strategy for accepting credit cards over the phone. Contact us today and we’ll help you explore all of your options.