How to Collect Credit Cards Over the Phone Without Becoming PCI Compliant
Modern consumers often prefer to transact digitally, but there are still times when they would rather speak to a live person. For many vendors this raises the challenge of how to take card payments over the phone without pulling their phone system, their agents and their call recordings into PCI DSS scope. Accepting cards at all means PCI DSS applies; what a vendor can control is how much of its environment has to be assessed.
Keeping Phone Systems out of PCI Scope is Critical to Compliance
Many online merchants use a token vault strategy to keep their own systems out of compliance scope, eliminating a substantial cost and resource burden while still properly protecting their customers' cardholder data. Letting an insecure process slip into the environment by carelessly accepting card details over the phone can undo all the effort spent narrowing that scope.
For those who have successfully built a low compliance-scope environment, then, it is vital to know how to de-risk accepting credit card information over the phone.
The Human Element is the Weak Link
Taking a card over the phone creates a card-not-present transaction, much like a sale through an e-commerce website. Unlike the online sale, however, a phone transaction usually has a human being on the receiving end, and that person's involvement is what puts the scope reduction at risk. If the operator types the card number into a CRM or order system, that system is now in scope for PCI DSS; if they write it down, the paper record is in scope as well; and if the CVV is retained anywhere after authorization, on paper, on disk or in a recording, that is storage of sensitive authentication data, which PCI DSS prohibits outright and which can bring fines from the card brands through the acquirer.
There is a technological risk as well: many, if not most, call centers record conversations between operators and customers. A recording that captures the card number moves the recording and storage platform into PCI DSS scope, and one that captures the CVV is prohibited storage of sensitive authentication data regardless of how the rest of the environment is built. Operators can pause recording for the portion of the call where the card details are given, but pause-and-resume depends on a human doing the right thing on every single call; forgetting once is enough to contaminate the recording archive.
Technology To Avoid Storing Credit Card Information in the Wrong Place
Given the jeopardy in relying on operators not to write down, store, or otherwise record credit card information taken over the phone, the obvious solution is to avoid having them ever interact with that data.
In fact, the safest way to collect credit card information on the phone is to do it via keypad interactions on the customer side: the operator initiates a process on their end whereby the customer briefly interacts with an interactive voice response (or IVR) system, which collects necessary information, such as card number and CVV, with the operator closed out of this portion of the transaction.
The IVR feeds a back-end system, which encrypts and tokenizes the card data and executes the payment with the relevant Payment Service Provider (PSP). The operator may still see permissible information on-screen (a truncated card number showing only the last four digits, for instance, or an identity-verification field such as the last four digits of a social security number), but they are fully excluded from the part of the call where the usable card number and CVV are delivered.
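The data boundary that the IVR hand-off creates, as an added example (not code from the original article, and not Basis Theory's or any PSP's API): the vault receives the keypad input, authorises with the PSP, keeps only the card number and expiry under a random token, and returns to the merchant's systems nothing but the token, the last four digits and the authorisation result. Every name here (TokenVault, collect_and_charge, charge_again, psp_authorize, merchant_record_is_clean) is hypothetical; psp_authorize stands in for the real PSP call, and encryption of the vault's store at rest is assumed to be handled by its storage layer and is not shown.

```python
"""Added example: a minimal token vault for IVR-collected card data.
All names are hypothetical; psp_authorize is a stand-in for a real PSP."""
import re
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check so mistyped card numbers are rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def psp_authorize(pan: str, exp: str, cvv: Optional[str], amount_cents: int) -> bool:
    """Hypothetical stand-in for the Payment Service Provider call. The PSP is
    the only party that ever needs the CVV; card-on-file charges send none."""
    cvv_ok = cvv is None or re.fullmatch(r"\d{3,4}", cvv) is not None
    return luhn_valid(pan) and cvv_ok and amount_cents > 0


class TokenVault:
    """The in-scope component, hosted by the tokenization provider rather than
    the merchant. It keeps PAN and expiry under a random token and never
    retains the CVV (sensitive authentication data) after authorisation."""

    def __init__(self) -> None:
        self._cards = {}   # token -> {"pan": ..., "exp": ...}; encryption at rest assumed

    def collect_and_charge(self, pan: str, exp: str, cvv: str, amount_cents: int) -> dict:
        """Called by the IVR with the keypad input. Returns only what the
        merchant's systems and the operator are allowed to see."""
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("invalid card number")
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("invalid CVV")
        approved = psp_authorize(pan, exp, cvv, amount_cents)
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = {"pan": pan, "exp": exp}   # CVV deliberately absent
        del cvv                                          # nothing below may use it
        return {"token": token, "last4": pan[-4:], "approved": approved}

    def charge_again(self, token: str, amount_cents: int) -> bool:
        """Later charges (a renewal, say) use the token. No CVV is available
        because none was stored, and the PAN never leaves the vault."""
        card = self._cards[token]
        return psp_authorize(card["pan"], card["exp"], None, amount_cents)


def merchant_record_is_clean(record: dict, pan: str, cvv: str) -> bool:
    """True if what reaches the merchant's order system carries neither PAN nor CVV."""
    values = [v for v in record.values() if isinstance(v, str)]
    return (pan not in values and cvv not in values
            and "pan" not in record and "cvv" not in record)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input as the IVR would deliver it: the Visa test number, not a live card.
    result = vault.collect_and_charge("4111111111111111", "12/29", "123", 4999)
    print(result)
    print("record clean:", merchant_record_is_clean(result, "4111111111111111", "123"))
    print("renewal approved:", vault.charge_again(result["token"], 4999))
```

The point to check in any real deployment is the same as in this toy: nothing that returns from the vault to the merchant side contains a PAN or CVV, and the vault's own store never holds a CVV at all.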
Eliminating the Risk of Recording or Key Tone Interpretation
While the customer keys in their card details through the IVR, it is essential that neither the operator nor any recording system receives the keypad tones, because the tones can be decoded straight back into digits. Each key on the phone keypad produces a distinct pair of tones (dual-tone multi-frequency, or DTMF, which is how the IVR reads the input), the mapping is public, and decoding it takes nothing more than standard signal-processing tools. If those tones are audible to the operator, or end up in a recording, the card number is effectively stored in the clear and the system is back in PCI scope.
To build a system that carries none of that risk while still letting customers enter their card details by phone, vendors should use DTMF masking, which suppresses the key tones on the operator's leg of the call and in the recording feed (typically replacing each tone with a flat tone or silence) while the IVR still receives the original signal. The operator hears that something is being entered but not what, and the recording contains nothing a listener or a decoder could turn back into a card number.
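The tone leak and the masking that closes it, as an added example (not code from the original article or from any DTMF masking product): the script builds constructed call audio for a test card number keyed in as DTMF, recovers the digits from that "recording" with a Goertzel detector, then applies frame-based masking and shows the same detector recovers nothing. The sample rate, frame length, amplitude, detection threshold, the 1000 Hz replacement tone and all function names are assumptions chosen for illustration; real maskers work on tone onset rather than fixed frames, but the principle is the same.

```python
"""Added example: DTMF digits are recoverable from call audio, and DTMF
masking removes them. All parameters and names are illustrative assumptions."""
import math

SAMPLE_RATE = 8000                       # Hz, narrowband telephony (assumption)
FRAME = 800                              # 100 ms frames (assumption)
LOW_FREQS = (697, 770, 852, 941)         # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477)          # DTMF column tones
KEYPAD = ("123", "456", "789", "*0#")    # rows = low group, columns = high group
MASK_FREQ = 1000                         # flat replacement tone (assumption)
AMPLITUDE = 0.5
# goertzel() returns roughly (A * N / 2) ** 2 for a pure sinusoid of amplitude A
# over N samples; require at least 10% of the amplitude the IVR tones use.
THRESHOLD = (0.05 * FRAME / 2) ** 2


def tone(freqs, n, amp=AMPLITUDE):
    """n samples of the sum of sinusoids at freqs, amplitude amp each."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf_audio(keys):
    """Constructed call audio: each key as a 100 ms dual tone plus 100 ms silence."""
    out = []
    for k in keys:
        row = next(r for r, row_keys in enumerate(KEYPAD) if k in row_keys)
        col = KEYPAD[row].index(k)
        out += tone((LOW_FREQS[row], HIGH_FREQS[col]), FRAME)
        out += [0.0] * FRAME
    return out


def goertzel(frame, freq):
    """Signal power of `frame` at `freq` (Goertzel algorithm, a single-bin DFT)."""
    k = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2


def detect_key(frame):
    """The key present in this frame, or None if no valid DTMF pair is found."""
    low = max(LOW_FREQS, key=lambda f: goertzel(frame, f))
    high = max(HIGH_FREQS, key=lambda f: goertzel(frame, f))
    if goertzel(frame, low) < THRESHOLD or goertzel(frame, high) < THRESHOLD:
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def frames(audio):
    """Non-overlapping frames; a trailing partial frame is ignored."""
    return (audio[i:i + FRAME] for i in range(0, len(audio) - FRAME + 1, FRAME))


def decode_dtmf(audio):
    """What anyone with the recording (or the operator's headset feed) recovers."""
    return "".join(k for k in (detect_key(f) for f in frames(audio)) if k)


def mask_dtmf(audio):
    """DTMF masking: every frame carrying a key tone is replaced with a flat
    tone before it reaches the operator or the recorder; the IVR still gets
    the unmasked signal upstream of this function."""
    out = []
    for f in frames(audio):
        out += tone((MASK_FREQ,), FRAME) if detect_key(f) else f
    return out


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"       # well-known Visa test number, not a live card
    recording = dtmf_audio(TEST_PAN)
    print("unmasked recording decodes to:", decode_dtmf(recording))
    print("masked recording decodes to:", repr(decode_dtmf(mask_dtmf(recording))))
```

The decoder is deliberately simple (no twist or harmonic checks), which makes the point sharper: if a thirty-line script recovers the full card number from the audio, the recording is cardholder data storage, whatever the call-recording vendor calls it.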
Stay Compliant, But Out of Scope
Getting systems outside of compliance scope and keeping them there requires both strategic savvy and tactical execution. When accepting cards over the phone, vendors must ensure that neither human operators nor recording systems ever have access to the cardholder data.
This is most effectively achieved by shifting card entry to an IVR system, using DTMF masking to protect the keypad input, and using a third-party tokenization provider such as Basis Theory so that the in-scope data is secured outside the vendor's systems and the vendor holds only tokens.