A Guide to Keeping Phone Orders PCI Compliant

If you accept payment cards through any channel, you are almost certainly bound by the PCI Data Security Standard (PCI DSS). Many businesses, though, are unsure how to stay within the rules when they take orders over the phone, whether customers call in or agents call out. Do the same rules apply when an agent keys in the card number by hand? How do you stay in compliance when there is no automated checkout to enforce the process?

The good news is that the rules for phone orders are clear and practical to follow. By keeping your process compliant and training everyone who handles card data on the rules that apply to them, you can keep your customers’ data safe and protect your business from expensive fees and fines.

Keep your network secure.

Whatever software your business uses to take phone orders, every system that stores, processes or transmits card data (the cardholder data environment) must meet PCI DSS requirements from end to end. Keep firewalls and anti-malware software patched and current. Restrict inbound and outbound traffic to what the business actually needs, and block traffic from untrusted hosts and networks. Make sure that no system holding customers’ card data can be reached directly from the internet; PCI DSS requires that such systems sit behind a firewall rather than being exposed to the public network.

Use a PCI-compliant phone system.

Under the PCI Security Standards Council’s rules, a call recording that captures card data is stored cardholder data and is subject to the same protection requirements as any other record. A recording that captures the three or four digit security code (CVV) is worse: that code is sensitive authentication data, which PCI DSS prohibits storing after authorization, even in encrypted form. If your business records customer calls, make sure there is a way to keep card data out of the recording or to redact it afterwards. In some setups the customer service representative must manually pause the recording while the customer reads out the card number and security code, then resume it. In others, the call recording or CRM system pauses automatically while the agent is in the card-entry screen, so the card data is never captured in the first place.

Never write down card information on slips of paper.

There will be times when you or your agents are tempted to jot a card number on a sticky note during the call and key it in later. Notes like this are not secure: they can be lost, photographed or picked up by anyone walking past, and a written-down card number is stored cardholder data from the moment it is written. If agents genuinely cannot always enter a number during the call, consider issuing a small whiteboard to each agent, secured to the desk, with a firm rule that anything written on it is erased as soon as the number has been keyed into the payment system, and that the boards are checked regularly.

Instead, always enter card information directly into your payment processing system. The payment system is built to protect card data, and a number that was never written down at a desk cannot be misplaced, copied or forgotten there.

That said, some businesses have a legitimate need to keep paper copies of customers’ card information. If yours does, those papers must be kept under physical access control and destroyed once they are no longer needed, and the three or four digit CVV must never be kept with them: PCI DSS prohibits storing the security code in any form once the transaction has been authorized. The code acts as a security key for card-not-present transactions; a card number filed together with its CVV gives a thief everything needed to use it.
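Whether you strip card data from a recording’s transcript after the fact, or audit transcripts to confirm that pause-and-resume is actually working, you need a reliable way to find card numbers in free text. The following Python script is an added example and is not code from the original article or from I.S. Partners. It finds candidate 13 to 19 digit sequences, keeps only those that pass the Luhn check that real card numbers satisfy (so order numbers and phone numbers are left alone), masks all but the last four digits, and removes a security code that follows a label such as “CVV”. The sample transcript, the label words it looks for and the masking format are assumptions made for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumption for this example: the security code is read out after a label
# such as "CVV", "CVC", "CID" or "security code". Adjust to your call scripts.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security code)\b[\s:]*(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(match) -> str:
    """Replace a Luhn-valid candidate with asterisks, keeping the last four."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw              # an order or phone number, not a card number
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Remove security codes and mask card numbers in a transcript."""
    text = CVV_RE.sub(lambda m: f"{m.group(1)} [REDACTED]", text)
    return PAN_RE.sub(_mask, text)


def find_pans(text: str) -> list[str]:
    """Return the last four digits of every Luhn-valid card number found."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits[-4:])
    return hits


# Constructed sample transcript; 4111 1111 1111 1111 is a well-known test
# card number and 1234567890123 is a 13-digit order number that fails Luhn.
SAMPLE_TRANSCRIPT = (
    "Agent: Card number please. Customer: it's 4111 1111 1111 1111, "
    "expiry 12/26, CVV 123. Agent: Thanks, your order number is 1234567890123."
)

if __name__ == "__main__":
    print(redact(SAMPLE_TRANSCRIPT))
    print("card numbers found (last four):", find_pans(SAMPLE_TRANSCRIPT))
```

Run over stored transcripts, `find_pans` doubles as a periodic check on the procedure: any hit in a transcript that should have been paused means the pause-and-resume step failed on that call. Redaction of a transcript is a fallback, not a substitute for keeping the data out of the recording; the audio itself still has to be handled under the same rules.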

Create a “no mobile phone” rule.

Personal mobile phones in your call center can be a significant source of data leaks. A compromised phone that joins your network, for example over office Wi-Fi, can bring spyware or other malware with it, and an unscrupulous agent can use a phone’s camera or voice recorder to capture customers’ card data from the screen or the call. By banning personal mobile phones from the area where card data is handled, you make sure that sensitive data does not end up on an employee’s phone.

Train all employees on safe procedures.

Every employee’s training should include a rundown of all the processes needed for PCI compliance. Make sure, for instance, that they understand they must never use one another’s login credentials (PCI DSS requires a unique ID for every user so that actions can be traced to a person) and that they must protect their passwords. During training, explain why these requirements exist and what the penalties are, for both the company and the individuals who work there, if they are not met.

Monitor employee procedures and offer refresher courses.

It is also necessary to check periodically that the procedures are actually being followed. Refresher courses help ensure that people working the phones have not forgotten the rules that apply to them. With these periodic reminders, they are less likely to fall into bad but convenient habits when they are busy.

You should have a procedure in place for dealing with employees who engage in risky behavior. A combination of retraining and disciplinary action should be written into employee handbooks and enforced when necessary to keep all data safe.

By dealing with both the human and digital elements in your phone order system, you can ensure that you always remain PCI compliant and that your customers’ data remains safe and secure.

Not sure where to start? We can examine your current procedures and help you create new ones that keep your company compliant with credit card processor rules at all times. Launch a chat session, send us a message, or call us at (215) 675-1400 to discuss your compliance needs for PCI DSS and the GDPR.

I.S. Partners