
The latest PCI guidelines: How to securely collect payments by phone

Consumer advocates have finally gotten what they wanted on the consumer mobile payment front: a new set of rules from a key industry standards group that will guide businesses that collect credit card data over the telephone. Consumer advocates have long claimed that merchants were asking customers for personal financial data that they didn't need -- and, by doing so, they were putting customers at risk for identity theft. 


The industry body is the PCI Security Standards Council, and the mission of the Wakefield, Massachusetts-based security standards group is to give merchants direct recommendations for securely handling credit card payments.

Recently, the council released new security guidelines in a report titled, "Protecting Telephone-Based Payment Card Data Information Supplement." The report is primarily aimed at businesses with telephone call centers and focuses on specific areas they need to address to ensure that they're processing credit card transactions safely, accurately and securely.

"The interpretation and application of PCI requirements for call recording systems has been a focus for merchants this past year," says Bob Russo, general manager with the PCI Security Standards Council. "Merchants want to know what data they need to protect and how to do it. This new guidance helps them understand the right questions to ask and the steps needed to secure their cardholder data."

What does the new PCI guidance recommend for merchants? Here's a rundown:

  • New rules on PCI DSS: The PCI Council breaks down how the Payment Card Industry Data Security Standard (PCI DSS) applies to customer credit card data in merchant call center systems and clarifies specific PCI DSS requirements that merchants need to adhere to.
  • Rules and guidance on consumer/merchant voice recordings: The council also lays out the potential risks of, and the security controls for, the voice recordings merchants make while handling customer credit card transactions. It does so through a step-by-step flow chart that explains how businesses can meet PCI DSS requirements for voice recordings related to credit card transactions.
  • Fresh tips for call center operators: The PCI Security Standards Council also establishes "best practices" for call center managers and staffers.

Above all, council leaders want merchants to hang on to only the data they absolutely need to process phone-based credit card payments. "As with all transactions, we have a standard saying, 'If you don't need it, don't store it,'" said Jeremy King, European regional director for the PCI Security Standards Council, in a recent podcast sponsored by HealthcareInfoSecurity.com. "And really that applies into this sector as well."

As an example, King cites the three-digit CVV (or CVC) code that merchants often use to verify a card's authenticity. King says that while the code can be included in phone-based credit card transactions between merchants and customers, it is classified as "sensitive" and should not be stored by businesses.

"We classify [the voice recordings] as card-not-present transactions," said King in the podcast. "That means, usually, in addition to the card number, the CVV code is given, and this is sensitive authentication data that does not need to be and should not be stored."
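The "if you don't need it, don't store it" rule applied to a call-center record, as an added Python example that is not part of the council's guidance or any vendor's product: before anything is written to storage it drops sensitive authentication data fields, truncates the card number, and scrubs the transcript text, using a Luhn check so that order or phone numbers are not mistaken for card numbers. The sample transcript, the field names and the "three digit code" prompt heuristic are constructed assumptions for this example.

```python
import re

# Constructed sample transcript, as a call-center speech-to-text system might capture it.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I get the card number? Caller: Sure, 4111 1111 1111 1111. "
    "Agent: And the three digit code on the back? Caller: 123. "
    "Agent: Thanks, your order number is 5551234."
)

# Hypothetical field names for sensitive authentication data (SAD), which must not be retained.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "pin", "track_data"}
PAN_RUN = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits, spaces or dashes allowed
# Assumed heuristic: the agent's "three digit code" question followed shortly by the caller's answer.
CVV_PROMPT = re.compile(r"(?i)(three[- ]digit code[^\d]{0,40}?)(\d{3,4})")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells a real PAN from other digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits; the middle digits are not stored."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_transcript(text: str) -> str:
    """Redact the CVV outright and truncate any Luhn-valid PAN before the text is stored."""
    text = CVV_PROMPT.sub(lambda m: m.group(1) + "[CVV REDACTED]", text)
    def _truncate(m) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RUN.sub(_truncate, text)

def minimize_record(record: dict) -> dict:
    """'If you don't need it, don't store it': drop SAD fields, truncate the PAN, scrub the transcript."""
    kept = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    if "transcript" in kept:
        kept["transcript"] = scrub_transcript(kept["transcript"])
    return kept
```

Text scrubbing of this kind is a fallback; the recording itself should also be paused or the audio suppressed while the caller reads the code, so that the CVV never reaches the stored file.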

Consumer advocates have long held that telephone-based credit card transactions are particularly vulnerable to identity thieves and other financial fraudsters. That's especially true of call center payments (which are usually recorded) that have historically fallen outside the review of regulators.

But with new guidance directed at merchant call centers, the PCI Security Standards Council is taking dead aim at telephone payments -- the more secure, the better, they say.

See related: 5 ways to reassure your customers about payment security; PCI data security standards: What they are and why they matter

Published: May 10, 2023
