PaulDotCom mailing list archives

Credit Card Acceptance Over the Phone


From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Tue, 11 Aug 2009 09:49:26 -0500

There are lots of different ways this can be handled, but I've never
seen any kind of best practices for it.  Regarding PCI, the big thing
here is to think about the intent of the standards rather than what it
literally says.  The standard was written with computerized handling in
mind, and while most of the concepts carry over to manual card
handling, they're not always worded the best.

Here's a few key things to remember:

1. Document, document, document.  Have policies in place that spell
out exactly who does what, how card data is to be handled, how it is NOT
to be handled, how it is to be disposed of, in what cases it can be
stored and for how long.  I've heard several QSAs say that the amount of
effort the merchant has put into trying to be safe makes a huge difference
in how VISA fines them after a breach.  Don't leave anything to chance.

2. Train everyone involved well enough that they understand not
only their role, but the reasons for the security and the possible
implications of failure to comply.  We do quarterly training with
several larger customers just to always keep it in their minds.  You
should also require employees to sign a sheet verifying that they've
been trained & understand the risks.

3. Understand the business motives for the choices you make.  This
goes along with documentation, but be able to explain and justify why
your procedures are in place.  Especially if you determine that a
particular piece of your plan carries risk, be able to explain why the
risk is necessary.

4. Regularly check up on the employees involved.  They should know
that the responsibility included with this job means that they may
occasionally be monitored without warning.  Ideally this should include
recorded video.

5. Make sure your phone system is secure.  Don't use cordless
headsets.  If you use VoIP, be absolutely certain that it's either
physically separate from or well segmented from the rest of your network.
If it's not, then your entire network just became in scope.

6. Limit access to only those who need access.  This includes
access to the phone system that receives the calls, storage locations,
the data itself, etc.

7. Separate roles as much as possible.  The person taking the card
number should be different from the person who stores the number (if
necessary) as well as the person who does the monitoring.

8. If storage is necessary, require multiple people to access it.
A simple solution is a safe that allows envelopes to be deposited
through a slot, but requires multiple keys to be opened.

9. It's also a good idea to have employees handling the card data
undergo background checks.  I know of one particular business that does
a LOT of phone transactions.  Because of the volume, they actually do
regular credit checks on their employees in order to watch for certain
warning signs.

One piece of advice I give to all of our customers is just to know your
employees personally.  If it's a larger business, spend time training
your managers to know their employees more personally.  If you are
friendly and personable with the people who work under you, then you're
going to know which ones are more likely to try to get away with
something.  You're also going to be more likely to know when certain
life events happen that might make someone more vulnerable to temptation
or even just less aware of what they're doing.  People don't throw off
events and alerts like a computer does, so if you're going to manually
take credit cards, then you've got to put a lot more work into
monitoring your system.

-- Nathan

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Kevin Shortt
Sent: Tuesday, August 11, 2009 8:43 AM
To: pauldotcom at pdc-mail.pauldotcom.com
Subject: [Pauldotcom] Credit Card Acceptance Over the Phone

Hi Everyone,

I have a client interested in accepting credit cards over the phone for
purchases (as an alternative to the current ecommerce in place).  I'm
interested in feedback on the risks to an organization when an employee
of that organization handles the credit card data from the customer.
What type of measures are typically taken prior to implementing this
process?

For example, since the employee/agent is capable of skimming data, then
what can the organization do to protect itself?  (i.e. policy, NDA,
etc.)

I'm looking for the best practices and norms.  Links to sites to read
would be great too.

Thanks.

-Kevin
