If your business collects and handles customer credit card information over the phone, you must be PCI compliant. Failure can have severe consequences, including fines, card replacement costs, reputational damage, or a damaged relationship with your merchant provider.
Take credit card payments over the phone but are unfamiliar with the PCI Data Security Standards (DSS)? Trying to parse the PCI DSS on your own can be tough—read our guide to make achieving PCI compliance over phone payments easy!
What is PCI Compliance?
PCI compliance refers to meeting the PCI Data Security Standards (DSS), which were set by the PCI Security Standards Council (SSC) in 2006. The PCI SSC was founded in response to the growing number of cyberattacks in the 2000s with the objective of protecting consumers from cyberattacks. In the years since it was founded, the PCI SSC has regularly updated its data security standards. They’ve been consistently updating the standards to ensure that cardholder data stays private.
While PCI compliance is not legally enforced, it is required in practice for every business that accepts credit card payments. This is the case because every business that accepts credit cards has an agreement with a merchant that facilitates those transactions. These merchants are the practical enforcers of the PCI DSS. Before agreeing to work with you, they’ll require you to sign a contract that legally demands your PCI compliance. Failing to meet these requirements can lead to fines, reputational damage, or legal consequences.
Want to Get More Info On PCI Compliance?
How Does PCI Compliance Connect With Phone Payments?
Many business owners mistakenly assume that the PCI DSS only applies to point-of-sales systems and digital transmission of cardholder data. In reality, if your business handles card numbers at any point (including phone transactions), you must meet card industry data security standards.
Phone processes are especially unique because they’re card-not-present transactions with distinct factors. Phone payments are typically conducted through a call center agent that helps facilitate the transaction. All of these factors combine to make phone transaction systems extremely complicated. The process of a phone credit card transaction involves a huge variety of factors:
- Unique IP Phone Systems
- Human Agents or Representatives
- Call Recordings
- Voice Response Units
When compared to relatively simple digital payment routing, maintaining PCI compliance over phone payment systems can get very complicated and, in many cases, involves third party providers (such as the VoIP provider) of which you have little to no control over.
How to Achieve PCI Compliance Over Phone Payments
What makes PCI compliance with phone payments especially challenging is the huge variety of factors involved. You can break up these factors into three distinct categories:
You need to make sure that all three of these categories are locked down. When compared to more straightforward payment card systems, phone payment systems introduce a brand new range of elements. Not only is there the human element that you have to suddenly be concerned about, but there are all of the processes associated with how they handle the data itself. Are your workers writing down credit card numbers physically? Are they entering them into some kind of system? Are the processes even consistent from one employee to another?
As you can probably tell, staying PCI compliant with a phone payment system is a tall order. If you’ve felt these struggles personally, follow these tips to make sure that your business is able to stay PCI compliant.
Review the PCI DSS Requirements
To meet the PCI requirements, you must first understand the PCI requirements. Review the full list of the PCI Data Security Standards and familiarize yourself with its rules and regulations. Specifically, look at sections that describe taking credit card payments over the phone and the regulations involved with that.
These sections are going to be some of the most relevant to your business and should help you understand what it is that your business needs to be doing. Take your time to make sure that you understand the requirements, and then communicate with your merchant. The level of PCI compliance differs slightly depending on which merchant you’re partnered with, so make sure that you’re on the same page as your partner. While more cybersecurity policies are never a bad thing, they can be difficult to implement alone.
Evaluate Your Team
employees are going to handle a process the same, and this inconsistency leads to a huge range of unique issues to iron out across your staff. While it is resource-intensive, human capital has to be examined on a case-by-case basis. Try speeding this process up with software. Set up technology that tracks worker behavior like:
- Action Completion
- Process Flow
This software could help you identify which parts of your process are going well and which need improvement. Additionally, they can help you identify patterns in behavior. Are there any security mistakes that employees are consistently making? Make sure to use this time to thoroughly examine your employees before making any decisions. Data is most useful when gathered over a longer period of time.
Foster a Security-First Culture
Now that you’ve reviewed the PCI DSS and better understand your employee processes (and mistakes), it’s time to take action. Start by simply informing your employees of the changes to come and the reasons for the change. Explain to them the importance of PCI compliance, and make sure that they understand what can happen to your business (and their jobs) if you fail.
Outline a set of new processes and host training sessions that your employees can attend. Remember that change is a gradual process, and trying to force employees to make this adaptation immediately could lead to friction and conflict within your organization. Ease them into this training process. Explain why your organization is implementing it, and why it’s better for them in the long run.
Many business owners make the mistake of talking down to their employees—make sure to avoid this. Employees appreciate being treated as peers, especially in the modern workforce.
Review Your Processes
Follow our steps above, and you should have worked to improve one aspect of your phone payment system—the people.
However, your employees can be robotically consistent and it won’t matter if they’re following the wrong processes. Having the right processes in place is key. Want to improve your PCI compliance over phone payment systems process but don’t know where to start? Here are some tips:
- Never write down card information:
- Implement a “no phone” rule:
- Regularly monitor network security:
- Install the right software:
Lock Down Your Technology
The final piece in protecting against data breaches and meeting the PCI DSS comes with technology. Implement the right technology into your business:
- Access Controls
- Network Controls
- Security and Penetration Testing
In fact, the PCI DSS recommends many specific technologies for companies looking to restrict access and protect cardholder data. Check out the latest PCI Data Security Standards at this link.
Unfortunately, the fight against cyberattacks is a constant arms race. The only way to make sure your company is protected is by making sure that all of your cybersecurity measures are recent and up to date.
Exceed the PCI DSS With PCI Compliance Services
Intimidated by PCI compliance? Failing to be compliant could have catastrophic consequences for your business. Understanding the full scope of the PCI Data Security Standards alone is hard, much less executing it. If you feel overwhelmed or intimidated by the prospect of handling this all by yourself, turn to PCI Booking. We offer numerous solutions that can help you simplify PCI Compliance. Our PCI Shield is an all-inclusive solution that can take close to the entirety of credit card responsibility out of your hands.
Alternatively, some companies don’t need help with the entire payment card process. If there are only a few parts that you need additional help with, consider our Orchestra option. Our Orchestra offerings are tailored to each client’s needs and can help you achieve PCI compliance.