To accept card payments over the phone securely:
- Use a reputable payment gateway capable of processing “Card Not Present” transactions.
- Verify the customer’s identity by asking them a series of security questions.
- Manually enter the transaction details into the payment gateway.
- Send the customer a confirmation receipt via email or text message.
- Comply with all PCI DSS requirements.
While that’s the condensed version, you may want a slightly more detailed look at exactly how a new business gets set up to take payments.
In the following sections, I will carefully explain the equipment needed to take card payments, procedural steps, safety measures, and best practices.
3 Ways to Take Credit Card Payments Over the Phone
If you’re new to payment processing, the three most common methods are traditional over-the-phone payments, using a virtual terminal, and issuing payment links.
I’ll explain these below:
- Traditional over-the-phone payments: First, you’ll need a payment gateway or merchant service to handle the financial transaction. This is a software platform, obtained through a financial service provider such as your business bank or a specialized payment processing company, that allows you to manually input and process credit card details. Once you have this, you take the customer’s call, verify their identity through a series of predetermined security questions, and then enter their card details into your payment system. To wrap up the transaction, it’s standard practice to send the customer a receipt, either via email or text message, as a confirmation.
- Using a virtual terminal: A virtual terminal is an online interface that allows for the manual entry of credit card information. You can access a virtual terminal by signing up with a payment processor that offers this service as part of its business payment solutions. To use the terminal, log in through a secure web browser, manually input the customer’s card details, and initiate the payment. The system will generate a confirmation upon successful transaction approval.
- Issuing payment links: Payment links provide a way for customers to enter their own credit card information into a secure online form. Payment processors or dedicated payment gateway services can help you generate these links. Once created, send the link to your customer via email or text message. The customer then clicks the link, is directed to a secure payment page, and enters their details, which automates the payment process while enhancing security.
Regulations for taking credit card payments over the phone
Taking credit card payments over the phone can be a convenient and efficient way to sell your products or services, but it’s important to take steps to protect your business and your customers’ data. Here are some key security considerations:
- PCI DSS compliance: PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect credit card data. To accept credit card payments over the phone, you must use a payment processor that is PCI DSS compliant. This helps to ensure that your customers’ data is secure throughout the payment process.
- Data protection: UK law requires businesses to handle customer data responsibly. This means obtaining consent from customers to process their data and ensuring that any stored data is secured. When taking credit card payments over the phone, you should only collect the information that is necessary to process the payment, such as the cardholder’s name, address, and credit card number. You should also avoid storing credit card data unless absolutely necessary. If you do need to store it, ensure that it is encrypted and stored securely.
- Verification procedures: Implement basic anti-fraud measures by asking customers security questions to confirm their identity. This can be as simple as confirming the cardholder’s name, address, and the last four digits of their credit card.
- Record-keeping: Although it’s important to keep transaction records for accounting and customer service reasons, avoid storing sensitive cardholder data unless absolutely necessary. If you do need to store it, ensure that it is encrypted and complies with PCI DSS data storage requirements.
- Staff training: Ensure that any employees taking phone payments are trained in these protocols and understand the importance of security measures. A simple mistake can lead to data breaches and legal trouble.
Equipment and Software for Taking Card Payments Over the Phone
Before you take card payments, you’ll need some basic equipment. All of this will be provided, in most cases, by the company you choose to sign up with.
If you’re interested in our recommendations for the best business card machines, read our full article to find out.
Here are a few things to consider when choosing equipment and software for taking card payments over the phone:
- Virtual terminal: A virtual terminal is a software application that allows you to accept credit and debit card payments over the phone. It is typically accessed through a web browser or a mobile app. Virtual terminals are a good option for businesses that don’t need a physical card reader.
- Payment gateway: A payment gateway is a service that allows you to securely process credit and debit card payments. Payment gateways typically offer a variety of features, such as fraud protection and PCI compliance.
- Card reader: A card reader is a physical device that allows you to swipe or dip credit and debit cards. Card readers are a good option for businesses that need to accept card payments in person.
- Software integrations: Some virtual terminals and payment gateways offer integrations with other software, such as CRM systems and accounting software. This can help you streamline your business processes and save time.
Any equipment you buy in this area needs to comply with the Payment Card Industry Data Security Standard (PCI DSS).
How to Use a Card Machine for Taking Payments Over the Phone
Using a card machine to take payments over the phone is a convenient and secure way to process payments from customers who are not able to come to your business in person. Here are the steps involved:
- Initial setup: Make sure that your card machine is set up to accept phone payments. This may involve contacting your card machine provider or referring to your card machine’s manual.
- Initiate the transaction: On your card machine, navigate to the option that allows manual entry of card details.
- Get the customer’s card information: Speak to the customer over the phone and ask for the necessary card information. This will typically include the card number, expiry date, and CVV.
- Enter the amount to be charged: Manually enter the amount to be charged.
- Confirm the details: Confirm the entered details with your customer before proceeding.
- Execute the transaction: Press the button to initiate the transaction. The card machine will process the details and provide a transaction result.
- Send a receipt: Upon successful completion, you will receive a transaction receipt. It is best practice to send a digital copy of this receipt to the customer for their records.
Security measures: It is important to take security measures to protect your customers’ data when taking payments over the phone. Here are a few things to keep in mind:
- Do not store sensitive customer information unless absolutely necessary.
- If you must store sensitive customer information, encrypt it and store it in a secure location.
- Never write customer card details down, and never share a customer’s card information with anyone over the phone.
- Use a secure communication channel, such as a virtual private network (VPN), when taking card payments over the phone.
- Train your staff on the importance of security when taking card payments over the phone.
How to Use a Virtual Terminal for Taking Payments Over the Phone
Step 1: Customer Initiation
Wait for the customer to initiate contact, usually by calling your business to make a payment.
Step 2: Access the Virtual Terminal
Log in to your secure virtual terminal interface. Ensure you are using a secure and PCI-compliant system.
Step 3: Navigate to the Payment Section
Once logged in, navigate to the area where you can manually enter payment details.
Step 4: Enter Transaction Details
Input the transaction amount along with the customer’s card details, including the card number, expiry date, and CVV. Make sure to enter these details as the customer provides them over the phone.
Step 5: Perform Additional Verification (Optional)
If your virtual terminal allows, perform additional verification steps. This could include matching the CVV or the customer’s postcode.
Step 6: Confirm Details with Customer
Before finalizing the transaction, verbally confirm all the entered details with the customer. This includes the payment amount and any additional charges or fees.
Step 7: Complete the Transaction
Click the ‘Submit’ or ‘Process’ button in the virtual terminal to complete the payment. You should see a transaction confirmation on your screen.
Step 8: Email Receipt (Optional)
If the virtual terminal offers the option, send an electronic receipt to the customer’s email address for their records.
Step 9: Log Out and Secure Your System
After completing the transaction, log out of the virtual terminal, and close any windows or documents on your computer that still show sensitive information.
Step 10: Update Your Records
Finally, update your own business records to reflect the completed transaction. This could be in your accounting software or a secure transaction log.
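The record-keeping advice above (the Record-keeping point under the regulations, the "do not store sensitive customer information" security measures for card machines, and this final step of updating your own transaction log) comes down to one rule: the full card number and CVV go to the payment processor and nowhere else. The following Python is an added example, not code from the original article or from any particular payment provider; it shows what a "safe to keep" transaction record looks like and how to enforce the rule at the point where a phone agent's notes are written to the log. The field names, the log structure and the sample call data are all constructed for illustration; the Luhn checksum and the "last four digits only" retention are the standard practices, and the free-text redaction is there because card numbers tend to leak into notes fields even when nobody means to store them.

```python
"""
Added example (not from the original article): build a phone-payment
transaction record that keeps only what is safe to retain.

Assumptions (constructed for this example): the dict keys used for call data,
the TransactionRecord fields and the sample values below.
"""
import re
from dataclasses import dataclass

# Matches runs of 13-19 digits, optionally separated by spaces or hyphens,
# not adjoining other digits. Candidates are confirmed with a Luhn check so
# that phone numbers and reference codes are left alone.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Sensitive authentication data that must never be written to our own records.
FORBIDDEN_FIELDS = {"cvv", "cvc", "security_code", "pin", "track_data"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digits in `pan` pass the Luhn checksum (card-number
    format check used by all major card brands). Non-digits are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace any Luhn-valid card number found in free text with a marker."""
    def _sub(match: re.Match) -> str:
        candidate = match.group(0)
        return "[PAN REDACTED]" if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_sub, text)


@dataclass(frozen=True)
class TransactionRecord:
    reference: str        # the processor's own transaction/authorisation reference
    amount_pence: int
    cardholder_name: str
    pan_last4: str        # enough to answer "which card?" in a customer query
    notes: str            # agent notes, with any card numbers redacted


def build_record(call_data: dict) -> TransactionRecord:
    """Turn what the agent captured during the call into a record that is safe
    to store. Refuses outright if CVV-type data is present, validates the card
    number before trusting it, and keeps only the last four digits."""
    leaked = FORBIDDEN_FIELDS & set(call_data)
    if leaked:
        raise ValueError(
            f"refusing to persist sensitive authentication data: {sorted(leaked)}")
    pan = "".join(c for c in call_data["pan"] if c.isdigit())
    if not luhn_valid(pan):
        raise ValueError("card number failed the Luhn check; re-confirm with the customer")
    return TransactionRecord(
        reference=call_data["reference"],
        amount_pence=int(call_data["amount_pence"]),
        cardholder_name=call_data["cardholder_name"],
        pan_last4=pan[-4:],
        notes=redact_pans(call_data.get("notes", "")),
    )


# Constructed sample call data. 4111 1111 1111 1111 is a well-known Luhn-valid
# test number, not a real card.
SAMPLE_CALL = {
    "reference": "AUTH-0001",
    "amount_pence": 4999,
    "cardholder_name": "A. Customer",
    "pan": "4111 1111 1111 1111",
    "notes": "Customer read card 4111 1111 1111 1111, ring back on 020 7946 0000",
}

if __name__ == "__main__":
    print(build_record(SAMPLE_CALL))
```

In use, the `pan` value is only ever held long enough to type into the virtual terminal or card machine; the stored record never sees more than its last four digits, and a call-handling form that accidentally passes a CVV through is rejected rather than silently logged. The notes redaction is a cheap check to run on every free-text field before it reaches the CRM or accounting system, since those systems are rarely in scope for the same protections as the payment gateway.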
What it costs to take phone payments in the UK
Taking card payments over the phone can be a convenient way to do business, but it is important to understand the costs involved. Here are some of the factors that can affect the cost of taking phone payments:
- Transaction fees: Payment processors charge a fee for each transaction processed. This fee can be a flat rate or a percentage of the transaction amount.
- Monthly or annual fees: Some payment processors also charge a monthly or annual fee for their services. This fee may cover things like customer support, fraud protection, and reporting.
- PCI compliance costs: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that businesses must follow to protect cardholder data. Complying with PCI DSS can involve costs, such as implementing security measures and undergoing audits.
- Chargeback fees: If a customer disputes a charge, the merchant may be charged a chargeback fee. These fees can be costly, so it is important to take steps to prevent fraud.
- Additional security features: Some payment processors offer additional security features, such as AVS (Address Verification Service) and CVV checks. These features can help to reduce fraud, but they may come with additional costs.
The total cost of taking phone payments will vary depending on the specific payment processor and the features you choose. It is important to compare the costs of different payment processors before choosing one.
Here are some tips for reducing the cost of taking phone payments:
- Choose a payment processor that charges low transaction fees.
- Look for a payment processor that does not charge monthly or annual fees.
- Take steps to prevent fraud, such as implementing security measures and requiring AVS and CVV checks.
- Negotiate lower fees with your payment processor.
Is it safe to take card payments over the phone?
Taking card payments over the phone can be a safe process if appropriate measures are in place. The cornerstone of these measures is compliance with the Payment Card Industry Data Security Standard (PCI DSS). This globally recognized set of security requirements is crucial for any business that handles credit or debit card transactions, encompassing the acceptance, storage, processing, and transmission of cardholder data.
To achieve PCI DSS compliance, businesses must implement a variety of security measures, such as:
- Using strong passwords and security measures to protect their computer systems.
- Keeping cardholder data encrypted at all times.
- Only transmitting cardholder data over secure networks.
- Regularly monitoring their systems for security vulnerabilities.
Businesses can demonstrate their PCI DSS compliance by undergoing an audit by a qualified security assessor (QSA). QSAs are independent organizations that have been certified by the PCI Security Standards Council (PCI SSC) to conduct these audits.
In addition to PCI DSS compliance, businesses should also take steps to verify the legitimacy of their customers when taking card payments over the phone. This can be done by asking for information such as the customer’s name, billing address, and phone number. Businesses should also be wary of any customers who seem suspicious or who are asking to make large purchases.