It’s important to be able to accept credit card payments over the phone. The COVID-19 crisis has made it even more essential, as much in-store business is now being conducted online or over the phone.
When you’re taking phone orders, you are at greater risk of credit card fraud and need to take additional precautions against it. You also need to protect the security of your customers’ credit card information, as required to maintain PCI compliance.
Get as Much Information as Possible
Let’s deal with the fraud issue first. When you’re taking a credit card payment over the phone, you do not have the credit card in hand, which makes the transaction riskier than one where you physically see the card. Chip card transactions offer the best protection against fraud, of course, but even swiped transactions are safer than ones taken over the phone where you do not have physical possession of the card.
To make your phone-based transactions as safe as possible, you need to get as much information as possible from the customer. The more information you obtain, the lower your risk of processing a fraudulent transaction.
At a minimum, you want to get the following information from the customer over the phone:
- Full credit card number
- Full name as it appears on the card
- Expiration date
- CVV security code
- Customer’s complete billing address, including ZIP code
- Customer’s phone number
For an added layer of protection, you can also ask for the same information you require when accepting payment by check. This includes the customer’s date of birth and driver’s license number.
If the customer can’t supply any of this information, it’s a sign that the person making the purchase may not be the legal owner of the card – and you should not accept payment.
Be On Alert for Unusual Details
Many fraudulent phone orders come with questionable details on the part of the “customer.” One common sign of fraud is if the billing address and the shipping address are different. Fraudsters using a stolen card registered to a person in one location will ask for the goods to be shipped to their address, typically a much different location. If the addresses don’t match, beware.
Don’t Record the Call
To accept credit card payments of any type, your business needs to comply with the Payment Card Industry (PCI) Data Security Standards. PCI compliance is all about keeping customers’ credit card data secure from theft, and it applies no matter what types of payments you accept – in person, online, or over the phone.
One of the keys of PCI compliance is that certain customer information, such as the CVV, not be retained post-authorization. For this reason, you can’t record phone calls that contain this information. The recording would be a form of data storage not allowed by the PCI standards.
So if your phone system automatically records all phone calls, turn off the recording when the customer relays his or her credit card information.
Never Write Down Card Information
The prohibition against retaining CVV and other data also applies to any notes you might create while taking a credit card order. It may be tempting to write down the information that the customer provides over the phone, but that puts you at risk for PCI non-compliance. Even if you just jot the CVV down on a Post-it Note that you intend to throw away afterwards, that’s still against PCI regulations.
The better approach is to enter the customer’s credit card information directly into your terminal or POS system without writing it down first. This eliminates the risk of leaving customer data out in the open where it may be found by thieves. If you must write down the customer’s CVV, shred the paper immediately after use.
Train All Employees on the Proper Procedure
Finally, all employees who accept credit card payments over the phone need to be informed of these important procedures. One slip-up could put your business at risk of criminal fraud or PCI non-compliance. Make sure everybody knows what they need to do!