A Guide to Keeping Phone Orders PCI Compliant
If you accept payment cards through any transaction channel, you are bound to comply with the Payment Card Industry Data Security Standard (PCI DSS). To begin with, let's talk about what we mean by the transaction channel. If you take payment card information over the internet, we would consider that the e-commerce transaction channel.
PCI lingo refers to transaction channels as being "card present" or "card-not-present". Card-present transactions require the physical card to complete the transaction, such as at a retail store where you swipe your payment card to make a purchase. Card-not-present transactions require other validation that you are the cardholder. You may have to provide the expiration date on the card or the CVV (card verification value), which is a code on the back of the card that should not be known by anyone other than the cardholder.
Telephone orders are card-not-present transactions; however, they are often significantly different from e-commerce transactions. One big difference is that telephone payments usually require a call center or contact center agent to be involved (this is not the case for payments made through an interactive voice response unit, or VRU). This brings a human element into the process that is not part of the e-commerce channel.
The flow of the transaction for telephone orders can have multiple configurations and the PCI implications of each type of configuration need to be considered. For example, the flow of the telephone transaction may include:
- An IP-based phone system,
- The call center/contact center agent,
- An order entry application that may or may not be publicly accessible,
- Call recordings where payment card information is recorded,
- PIN pads where agents enter payment card data,
- Interactive voice response unit where the customer can enter the payment card information without human interaction.
Depending on how many of the above you use, complying with PCI for telephone-based payments can be seriously challenging. Physical security of the call center/contact center is also within the scope of a PCI DSS assessment, as are the staff involved in taking payments over the phone.
How to Stay PCI Compliant with Phone Order Transactions
Fortunately, we have some tips to stay in compliance for telephone-based systems taking payment cards.
1. Understand Your Scope and Your Data Flow.
Make sure you understand the scope of your PCI compliance. As mentioned, telephone transactions may traverse your network if you use an IP-based phone system (which most are today). Order-entry systems where the payment card data is entered are in scope, as are the network segments the data travels across and any connected systems that are not properly segmented.
Call recording systems are in scope if they record full payment card information.
2. Keep Your Network Secure.
Network security is a big part of PCI compliance. Cardholder data must be protected from untrusted networks. Network segmentation is not, strictly speaking, required; however, without it the entire network and all system components are in scope. PCI requires hardened configurations. Penetration testing is also likely to be required.
3. Use A PCI-Compliant Phone System.
Call recordings containing payment card information need to be protected by access controls, network segmentation, and encryption. If the CVV is recorded, that is a problem for PCI, since the CVV may not be retained after authorization, even if it is well protected and encrypted.
If your business records customer phone calls, make sure that there is a way to redact payment card information. Ideally, your call recording system will be integrated with the order entry system so that it pauses the recording when the agent reaches the payment page and resumes it after the card has been entered.
Manual pause/resume should be subject to periodic QA review to ensure the pause is effective at preventing payment card data from being recorded.
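The redaction step above, as an added example that is not from the original article: assuming the call-recording or order-entry system can export transcripts or free-text notes as plain text, this small redactor masks Luhn-valid card numbers to their last four digits and strips a labelled CVV, while leaving non-card digit strings such as order references untouched. The sample transcript line is constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A 3- or 4-digit code shortly after a CVV/CVC/security-code label.
_CVV_RE = re.compile(r"(?i)\b(cvv|cvc|cvv2|security code)\b\D{0,10}(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_data(text: str) -> tuple[str, dict]:
    """Mask PANs (keep last four) and drop CVV values from free text.

    Returns the redacted text and a count of what was found, which doubles as a
    detection signal: any non-zero count means card data reached the transcript.
    """
    stats = {"pan": 0, "cvv": 0}

    def _mask_pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, e.g. an order reference
        stats["pan"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    def _drop_cvv(m: re.Match) -> str:
        stats["cvv"] += 1
        return f"{m.group(1)} [REDACTED]"

    # Strip the labelled CVV first so it cannot be swallowed into a PAN candidate.
    text = _CVV_RE.sub(_drop_cvv, text)
    text = _PAN_RE.sub(_mask_pan, text)
    return text, stats


# Constructed sample transcript line (the card number is a well-known test PAN).
SAMPLE = "Caller gave card 4111 1111 1111 1111 exp 12/26, CVV 123. Order ref 1234567890123 for customer."

if __name__ == "__main__":
    print(redact_card_data(SAMPLE))
```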
4. Never Write Down Card Information on Slips Of Paper.
There may be times when you or your agents are tempted to jot down a number on a sticky note while on the phone and then process the order later. However, notes like this are not secure and expose you to the risk of data loss. To cope with incidents where this may be necessary, consider issuing whiteboards to each agent. These boards should be secured to your agents' desks and wiped regularly.
Instead, always enter payment card information directly into your payment processing system. This ensures that orders are handled by a system that properly protects customer data and that it is not exposed through misplaced notes.
If payment card numbers are written on order forms, perhaps as part of a system-downtime workaround (which I don't recommend), ensure that the forms are redacted or properly shredded after order entry.
5. Create A “No Mobile Phone” Rule.
Mobile phones in your call centers can be a source of data leaks. Unscrupulous agents could use their phones to capture customers’ card data. By banning personal mobile phones from the workplace, you can ensure that sensitive data does not wind up on an employee’s phone.
6. Order-Entry System Scope Reduction
Once an agent receives the payment card data, they have to put the card number somewhere, for example an order entry system. The order-entry system may be the start of the spread of the full payment card number. Remember, everywhere the full card number goes is in scope (along with all system components connected to those). If the full card number is stored, it must be protected by access control, encryption, logging, and monitoring, among other controls.
If possible, configure your order entry system to connect directly to the payment processor so that the full card number never resides on your system components (for example, using an iframe connection to the processor, or by entering card numbers into point-of-interaction devices that immediately encrypt the payment card information).
7. Train All Employees on Safe Procedures.
Every employee's training should include a run-down of all processes needed for PCI compliance. Make sure that they understand, for instance, that they should not use one another's login credentials and that they should protect their passwords. During training, explain why these requirements exist and what the penalties are, for both your company and the individuals working there, if they are not met.
8. Monitor Employee Procedures And Offer Refresher Courses.
It is also necessary to periodically check to make sure that procedures are being followed. Refresher courses can help ensure that people working on phones have not forgotten the rules that apply to them. With these periodic reminders, they are less likely to fall into bad but convenient habits when they are busy.
You should have a procedure in place for dealing with employees who engage in risky behavior. A combination of retraining and disciplinary action should be written into employee handbooks and enforced when necessary to keep all data safe.
By dealing with both the human and digital elements in your phone order system, you can ensure that you always remain PCI compliant and that your customers’ data remains safe and secure.
Expert Assistance for PCI Compliance
Not sure where to start? We can examine your current procedures and help you create new ones that keep your company compliant with credit card processor rules at all times. Request a quote or call us at (215) 675-1400 to discuss your compliance needs for PCI DSS and the GDPR.