Phone Orders - Credit Cards

Payment Card Industry Data Security Standard Policy
(PCI DSS Compliance)

Processing Credit Card Payments Over the Phone – Safely and Securely
Processing credit card payments for phone orders carries a higher risk of credit card fraud than a face-to-face payment.
Additional precautions must therefore be taken to protect the security of customers’ credit card information and to reduce the risk of fraud, as required to maintain PCI DSS compliance.

1. Get as much Information as Possible:
Let’s deal with the fraud issue first. When taking a credit card payment over the phone, you do not have the credit card in hand, which makes the transaction riskier than one where you physically see the card.

Chip card transactions offer the best protection against fraud, of course, but even swiped transactions are safer than ones taken over the phone where you do not have physical possession of the card.

To make phone-based transactions as safe as possible, obtain as much verifying information as possible from the customer. The more details you can obtain and check against each other, the lower the risk of processing a fraudulent transaction.

At a minimum, request the following information from the customer over the phone:

  • Full credit card number
  • Full name as it appears on the card
  • Expiration date
  • CVV security code
  • Customer’s complete billing address, including postcode
  • Customer’s phone number

For an added layer of protection, if you are suspicious of the customer’s details you can also ask for the customer’s email address, date of birth and driver’s licence number.

If the customer is unable to supply any item of this information, it is a sign that the person making the purchase may not be the legal owner of the card, and you should not accept payment.

2. Be on Alert for Unusual Details:
Many fraudulent phone orders come with questionable details on the part of the “customer.” One common sign of fraud is a billing address that differs from the shipping address.

Fraudsters using a stolen card registered to a person in one location will ask for the goods to be shipped to their own address, often somewhere quite different. If the addresses do not match, be cautious and ask additional questions. If in doubt, do not process payment for the transaction and seek advice from a senior manager.

Please note that phone calls in which credit card information is taken must not be recorded.

To accept credit card payments of any type, our business needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI compliance is about keeping customers’ credit card data secure from theft, and it applies no matter what type of payment you accept: in person, online or over the phone.

One of the key requirements of PCI DSS is that sensitive authentication data, such as the CVV, must not be retained after authorisation, even in encrypted form. For this reason, you cannot record phone calls that contain this information: the recording would be a form of storage that the standard does not allow.

3. Never Write Down Card Information:
The prohibition on retaining the CVV and other card data also applies to any notes you might make while taking a credit card order. It may be tempting to write down the information the customer provides over the phone, but doing so puts the business at risk of PCI non-compliance.

Even if you only jot the CVV down on a Post-it Note that you intend to throw away afterwards, that is still a breach of the PCI DSS requirements.

The only approved method for Thump Sports staff to process ‘over the phone’ credit card transactions is to enter the customer’s credit card information directly into our current payment provider’s cloud-based payment terminal ‘Paystation’ as the customer reads it out, without writing it down first.

This removes the risk of customer card data being left where it may be found by thieves. The CVV must never be written down; if any card details have nonetheless been written down, shred the paper immediately after use.

4. Staff Compliance:
All employees authorised to process over the phone credit card payments must follow these procedures.

All employees must be made aware of this policy as part of staff induction and must understand the importance of PCI compliance. Failure to follow this policy may lead to dismissal, as a single mistake when processing such payments can expose our business to criminal fraud or PCI non-compliance. Everyone must know the policy; there are no exceptions.