PaulDotCom mailing list archives
Credit Card Acceptance Over the Phone
From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Tue, 11 Aug 2009 09:49:26 -0500
There are lots of different ways this can be handled, but I've never seen any kind of best practices for it. Regarding PCI, the big thing here is to think about the intent of the standards rather than what it literally says. The standard was written with computerized handling in mind, and while most of the concepts carry over to manual card handling, they're not always worded the best.

Here are a few key things to remember:

1. Document, document, document. Have policies in place that spell out exactly who does what, how card data is to be handled, how it is NOT to be handled, how it is to be disposed of, in what cases it can be stored and for how long. I've heard several QSAs say that the amount of effort the merchants put into trying to be safe makes a huge difference on how VISA fines them after a breach. Don't leave anything to chance.

2. Train everyone involved well enough so that they understand not only their role, but the reasons for the security and the possible implications of failure to comply. We do quarterly training with several larger customers just to always keep it in their minds. You should also require employees to sign a sheet verifying that they've been trained & understand the risks.

3. Understand the business motives for the choices you make. This goes along with documentation, but be able to explain and justify why your procedures are in place. Especially if you determine that a particular piece of your plan carries risk, be able to explain why the risk is necessary.

4. Regularly check up on the employees involved. They should know that the responsibility included with this job means that they may occasionally be monitored without warning. Ideally this should include recorded video.

5. Make sure your phone system is secure. Don't use cordless headsets. If you use VOIP, be absolutely certain that it's either physically separate or well segmented from the rest of your network. If it's not, then your entire network just became in-scope.

6. Limit access to only those who need access. This includes access to the phone system that receives the calls, storage locations, the data itself, etc.

7. Separate roles as much as possible. The person taking the card number should be different from the person who stores the number (if necessary) as well as the person that does the monitoring.

8. If storage is necessary, require multiple people to access it. A simple solution is a safe that allows envelopes to be deposited through a slot, but requires multiple keys to be opened.

9. It's also a good idea to have employees handling the card data undergo background checks. I know of one particular business that does a LOT of phone transactions. Because of the volume, they actually do regular credit checks on their employees in order to watch for certain warning signs.

One piece of advice I give to all of our customers is just to know your employees personally. If it's a larger business, spend time training your managers to know their employees more personally. If you are friendly and personable with the people who work under you, then you're going to know which ones are more likely to try to get away with something. You're also going to be more likely to know when certain life events happen that might make someone more vulnerable to temptation or even just less aware of what they're doing.

People don't throw off events and alerts like a computer does, so if you're going to manually take credit cards, then you've got to put a lot more work into monitoring your system.

-- Nathan

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Kevin Shortt
Sent: Tuesday, August 11, 2009 8:43 AM
To: pauldotcom at pdc-mail.pauldotcom.com
Subject: [Pauldotcom] Credit Card Acceptance Over the Phone

Hi Everyone,

I have a client interested in accepting credit cards over the phone for purchases (as an alternative to the current ecommerce in place).

I'm interested in feedback on the risks to an organization when an employee of that organization handles the credit card data from the customer. What type of measures are typically taken prior to implementing this process? For example, since the employee/agent is capable of skimming data, then what can the organization do to protect itself? (I.e. policy, NDA, etc.) I'm looking for the best practice and norms. Links to sites to read would be great too.

Thanks.
-Kevin
Current thread:
- Credit Card Acceptance Over the Phone Kevin Shortt (Aug 11)
- Credit Card Acceptance Over the Phone Vincent Lape (Aug 11)
- Credit Card Acceptance Over the Phone Tim Krabec (Aug 11)
- Credit Card Acceptance Over the Phone genesiswave at gmail.com (Aug 11)
- Credit Card Acceptance Over the Phone Nathan Sweaney (Aug 11)
- Credit Card Acceptance Over the Phone David Freedman (Aug 11)