It’s not uncommon to take payments by phone. Whether you’re a small business, a charity, or a large retailer, there may be situations where your customers need to make a payment over the phone. However, if you are taking payments by phone, there are a few things you need to keep in mind to make sure that you take those payments in a secure and PCI compliant manner.
Understand Your Processes
Even if you don’t need to have a cardholder data flow diagram as part of your PCI requirements, we recommend making sure that you keep diagrams for all of your card flows. This makes it easier for you to understand exactly where credit and debit card numbers may be in your processes and systems, and to understand any areas of risk that need to be protected.
Protect the Call
Once you’ve decided that you’re going to take payments over the phone, the first thing to do is to understand what this might mean for your PCI scope.
If you’re using VoIP, it’s very likely that this system will be in scope. That means that you need to make sure that all the phones and servers are managed in a PCI compliant way. Now, you might not want to have to apply your PCI controls to every single phone system in the office. You could have two separate VoIP systems, or you could take other steps to limit the scope.
And if you’re using soft phones (software running on your computer), make sure you’re considering these too since they are also likely to affect your PCI scope.
Even if you’re redirecting calls temporarily off to a cell phone, you should make sure that it is fully patched, has a passcode on it, and is configured to encrypt the data.
Protect the Recordings
It’s not unusual to have calls recorded for quality and training purposes.
If You Don’t Need It, Don’t Store It
One of the first things to keep in mind is whether you can prevent any call recordings that have credit card data in them from being stored. This could include:
- Training staff to pause recordings when customers are providing their payment details
- Having call recording pause automatically when the staff member taking the payment goes to the payment page.
- Have a process to redirect your customer to a PCI compliant solution for them to enter their payment information via an IVR or similar (but if you do a redirect, make sure you’ve secured it).
In general, these measures don’t tend to be 100% foolproof, so always make sure you are doing spot checks to identify any accidentally stored cardholder data (and hopefully find ways to improve your processes).
Limit Access & Encrypt Recordings
As another layer of protection, you should always make sure that your recordings are protected. Use the built-in features of the call recording program, or the features of your operating system / identity management system.
Make sure to limit playback and downloads of calls. And if you can, configure the system to encrypt any storage of calls. This way, even if you do end up accidentally storing cardholder data, you have already taken steps to protect it.
Protect the Payment
Make sure that your staff are entering payments directly into a PCI compliant form (maybe even one hosted by a payment gateway) or into a validated Payment Application. Making sure that the transaction is secure at all times is vital.
Train Your People
Whether it’s one person or one hundred people taking payments over the phone, the most important step you can take is to make sure that people are trained to understand not only how they can protect cardholder data, but also how they can be secure in general. Good people are the best first-line defence to protect your payments.
Staff should be trained in both basic security and in how to protect payment information if they are dealing with it. For example, this might include:
- Making sure that you don’t write card numbers down
- If you do have to write them down, making sure they are securely disposed of immediately
- Making sure that staff know that they should never type card numbers into parts of a form that aren’t meant for it (for example, a comments field or similar)
- Make sure you consider how you are protecting your VoIP systems and any soft phones. These will likely be part of your PCI compliance environment since you would transmit cardholder data across them.
- Make sure you protect any call recordings.
- Try not to store card data in call recordings
- Do spot checks to make sure you aren’t storing card data
- Use access controls and encryption to minimise any residual risk.
- Only enter payments into a PCI compliant payment form or IVR.
- Train your staff to make sure they understand how to take payments securely over the phone.
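As an added illustration of the spot checks described above, and of the point that card numbers should never end up in a comments field, here is a small Python scanner that looks for Luhn-valid card numbers in free-text fields and reports them with all but the last four digits masked. This is example code written for this page, not code from the original article or from any call recording or CRM product. It assumes the records arrive as dicts with an `id` key plus free-text fields (a constructed layout); the sample records and the 4111 1111 1111 1111 test card number are constructed for the demo.

```python
"""Spot-check free-text fields for accidentally stored card numbers (PANs).

Added example, not from the original article. The record layout (a dict
with an 'id' key and free-text fields), the field names and the sample
values are constructed assumptions for this demo.
"""
import re
from dataclasses import dataclass

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or hyphens, and not part of a longer digit run. Longer runs (such as a
# 20-digit reference) are deliberately not searched for embedded PANs, to
# keep the false-positive rate down on a spot check.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a spot-check report needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    masked_pan: str
    start: int      # offsets of the match within the field's text
    end: int


def _is_pan(candidate: str) -> tuple[bool, str]:
    digits = re.sub(r"[ -]", "", candidate)
    return (13 <= len(digits) <= 19 and luhn_valid(digits)), digits


def scan_text(record_id: str, field: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid card number found in the text."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        ok, digits = _is_pan(m.group(0))
        if ok:
            findings.append(Finding(record_id, field, mask_pan(digits), m.start(), m.end()))
    return findings


def scan_records(records: list[dict]) -> list[Finding]:
    """Scan every free-text field of every record (constructed layout)."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            findings.extend(scan_text(rec["id"], field, value))
    return findings


def redact_text(text: str) -> str:
    """Replace any Luhn-valid PAN with its masked form; other digit strings
    such as order numbers or phone numbers are left untouched."""
    def _sub(m: re.Match) -> str:
        ok, digits = _is_pan(m.group(0))
        return mask_pan(digits) if ok else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


# Constructed sample records: a CRM note where an agent typed the card number
# into the comments field, and one with a phone number and a 16-digit order
# reference that looks like a PAN but fails the Luhn check.
# 4111 1111 1111 1111 is a well-known test card number, not a real account.
SAMPLE_RECORDS = [
    {"id": "crm-1001",
     "comments": "Customer paid by phone, card 4111 1111 1111 1111 exp 12/26"},
    {"id": "crm-1002",
     "comments": "Callback requested on 0800 123 4567, order 1234567890123456"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id} {f.field}: {f.masked_pan} at {f.start}-{f.end}")
```

Running it flags only the first record, reported as `************1111`, so the report itself never becomes another place where full card numbers are stored. The combination of a length check and the Luhn test is what keeps phone numbers and order references out of the results; a hit tells you both which record to purge and which step of the process (here, typing into a comments field) let the data through.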