Security practices if you accept credit cards over the phone
Accepting credit cards over the phone is a convenience and necessity for many types of businesses. Doing so can be risky, but there are measures you can take to mitigate your risk of fraud. Begin by opening a merchant account with a trusted payments processor who will help you understand how to most securely accept customer payments over the phone.
Best practices for accepting credit card payments over the phone
As a rule, you should gather as much information from your customer over the phone as you can when taking a credit card payment. Doing so will help reduce your processing fees (interchange) as well as lessen the risk of processing a fraudulent transaction.
At a minimum, require that your employees ask your customers for the following when they’re taking a credit card payment over the phone:
- Full credit card number
- Full name as it appears on the card
- Expiration date
- Complete billing address, including ZIP code
- CVV (security) code, either on the back of the card in the signature panel or on the bottom front of American Express cards
Also, always ask the customer for his or her phone number so that you can follow up for more information if needed. Print and mail the paper receipt to the customer for their records. You can also email your customer a copy, if requested. Keep copies of all of this information—as well as the items in the list above—in your records until well after the customer has received an order and the transaction is complete (perhaps for a set period of time, such as 12 or 24 months). You’ll need all of this information in the event of a disputed transaction, so you can prove you did your due diligence to make sure the transaction was legitimate.
Beefing up your security practices
Be on alert if the billing address and the shipping address are different, especially if the two addresses are quite far apart geographically. Billing and shipping addresses that are far apart may be an indication of fraudulent activity, so be sure to collect as much data as possible.
For an added layer of security and a deterrent against fraud, ask for the customer’s date of birth and driver’s license number and state for your records, similar to the information gathered when accepting payment by check. Keep this information stored in a secure location and discard it after the customer receives the order and the transaction is complete (perhaps for a set period of time, such as 12 months).
Remember that you’ll always need to uphold PCI requirements if your business accepts credit card payments by any means. This is particularly important when paper files and records contain cardholder information and/or personally identifiable information. Work with your payments processor to implement the best processes for your specific business so you can continue to accept credit cards over the phone safely and securely while adhering to established PCI standards.