Can Contact Centres Take Card Payments Over the Phone?

Card payments are now a staple for organisations


Published: April 1, 2021

Anwesha Roy - UC Today


TL;DR – Yes, but do it within the rules: PCI DSS, which applies to every organisation that stores, processes or transmits card data, restricts what payment data a contact centre may capture, store and share, and it prohibits storing the card security code at all once a transaction has been authorised.  

Card payments are now a staple for organisations, and many customers will refuse to do business with you unless you support card payments. In the wake of the COVID-19 pandemic, card-based payments are now central to small, mid-sized and large businesses alike. And if you can do it telephonically, without having the customer visit a physical store, even better.  

It is estimated that by 2016, more than 1 million merchants accepted card payments over the phone.  

But here, you might run into a crucial question – how safe are card payments when the details are exchanged telephonically? Are there specific regulatory norms to remember? Here’s what you need to remember.  

Understanding PCI DSS as it Pertains to Telephonic Payments 

The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard that organisations, their contact centres included, must meet whenever they store, process or transmit cardholder data; among other things it requires them to protect that data, manage vulnerabilities and restrict access to it. How you validate compliance depends on the volume of transactions you process annually: the card brands each define merchant levels, and the common thresholds are under 20,000, 20,000 to 1 million, 1 million to 6 million, and over 6 million, with the largest merchants needing an on-site assessment rather than a self-assessment questionnaire. Whichever bucket a business falls into, the controls themselves still apply, so you need to limit what payment data is captured and retained when taking payments over the telephone.  

Note that retaining sensitive authentication data after authorisation (the security code, full magnetic-stripe or chip data, PIN blocks) is itself a PCI DSS violation whether or not it is ever leaked; a breach of data that should never have been stored simply makes the non-compliance visible and expensive.  

Steps for Secure Telephonic Payments 

It is advisable to minimise the customer’s payment data exposure as much as possible when speaking with an agent, even if you are a trusted and legitimate organisation. You never know who might be an insider threat, or if stored data is vulnerable to leaks. For this reason, contact centres must:  

  • Pause call recordings while the customer is reading out card details. Automated pause/resume is more dependable when it is triggered by the agent's workflow (for example, opening the payment screen) than by speech recognition listening for a phrase such as "card details", which can miss the cue; if a recording does capture the security code, that recording must not be retained
  • Mute or mask the card security code (CVV2/CVC2). It exists purely as a check that the caller holds the card, must never be stored after authorisation, even encrypted, and should not be visible to the agent or any other party
  • Use keypad (DTMF) entry where possible, with the same navigation system you would use in an IVR. The customer keys the digits directly, the tones are masked so that neither the agent nor the recording captures them, and if the digits are intercepted before they reach the contact centre's telephony and desktops, those systems can be taken out of PCI DSS scope altogether
  • Equip agents with a validated payment application or terminal that performs the card-brand checks (address verification and security-code matching), which flag many attempts by someone other than the legitimate cardholder

Taken together, these measures bring telephone transactions close to the security of a card-present POS channel and shrink the part of the contact centre that falls within PCI DSS scope, giving you more flexibility in how you deliver customer experiences.  
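As an added example (not code from the original article or from any product it mentions), the Python below shows two of the controls above in practice: a transcript scrubber that masks anything that looks like a card number down to the first six and last four digits, using a Luhn check so that ordinary order references are left alone, and removes the security code outright; and a record scrubber that strips sensitive authentication data from a payment record before it is written to a CRM or log. The sample transcript, the field names and the regular expressions are constructed assumptions for illustration, not anything prescribed by PCI DSS.

```python
import re

# Constructed sample transcript for demonstration only; not a real call.
SAMPLE_TRANSCRIPT = (
    "Agent: please read me the long number on the front of the card.\n"
    "Customer: it's 4111 1111 1111 1111, expiry 09/26.\n"
    "Agent: and the three digit security code on the back?\n"
    "Customer: CVV is 123.\n"
    "Agent: thanks, your order reference is 1234567890123.\n"
)

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3- or 4-digit code on the same line as a security-code label.
CVV_RE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cv2|cid|security code)\b([^\d\n]{0,12})\d{3,4}\b"
)

# Field names treated as sensitive authentication data (assumed names):
# never retained after authorisation, however it is encrypted.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cv2", "track1", "track2", "pin", "pin_block"}
PAN_FIELDS = {"pan", "card_number"}


def luhn_ok(digits: str) -> bool:
    """Luhn check, so digit runs that are not card numbers are left untouched."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transcript(text: str) -> str:
    """Mask Luhn-valid PANs and remove security codes from free text."""
    def _pan(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)

    text = PAN_RE.sub(_pan, text)
    # The security code is never permitted in storage, so it is removed,
    # not merely truncated.
    return CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)


def scrub_payment_record(record: dict) -> dict:
    """Copy of a payment record that is safe to write to a CRM or log."""
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue
        clean[key] = mask_pan(str(value)) if name in PAN_FIELDS else value
    return clean


if __name__ == "__main__":
    print(redact_transcript(SAMPLE_TRANSCRIPT))
    print(scrub_payment_record({"pan": "4111111111111111", "cvv": "123", "amount": "19.99"}))
```

Run over the constructed transcript, the card number becomes `411111******1111`, the line "CVV is 123" becomes "CVV is [REDACTED]", and the 13-digit order reference is left alone because it fails the Luhn check. A scrubber like this is a safety net for recordings and notes that should never have held the data in the first place; it does not replace DTMF masking or pausing the recording.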

Further Tips 

Large businesses, and any business that regularly takes payments by telephone, should consider engaging a PCI DSS Qualified Security Assessor (QSA). Train agents in data privacy and security practice so that they never write payment details on paper or type them into free-text notes, and give each agent an individual, auditable login so that every payment can be traced back to the person who took it.  
