How to take payments safely over the phone

Taking card payments over the phone is a great way to scale your business, connect with customers near and far, and speed up billing cycles.

That said, we understand that you don’t want to do anything that could compromise your or your customers’ financial safety, especially when the UK was named as having the ‘highest rates of phone spam and fraud’ in Europe.

How common is over-the-phone card fraud in the UK?

Action Fraud’s NFIB Fraud and Cyber Crime Dashboard reveals the total number and value of fraud cases reported to different UK police forces. Using this data, we uncovered some key findings on phone scams carried out on businesses across the last 12 months, from March 2022-2023. We found that:

  • £101.7 million has been lost by organisations to phone-related fraud
  • 3,412 phone-fraud incidents were reported to the UK police
  • UK businesses lost an average of £29,806 to phone scams
  • Banking fraud was the most common target of phone scams, with 1,700 cases reported (this includes cheque, plastic card, and online bank accounts)
  • Limited companies were the most highly targeted (55%), followed by Public Limited Companies (16%) and sole traders (7%)
  • Businesses in the City of London received the most reports of phone scams when comparing reported cases to the number of officers in each force. This was followed by Lincolnshire and Warwickshire.

Despite Action Fraud’s database showing that businesses are losing out on millions of pounds to phone-related fraud, the good news is that taking payments over the phone using virtual terminals is all pros and no cons.

In this article, we’ll walk you through how you can successfully take telephone payments and explain which safety measures you can put in place to protect your business and your customers.

Is it easy to take card payments over the phone?

Yes, it’s easy to take card payments over the phone if you have a credit card terminal. The process is straightforward, as all you need to do is enter your customer’s card information into your terminal to process the transaction.

While the value of contactless payments increased by nearly 50% in 2022 against 2021, over-the-phone payments are still a beneficial option for many businesses. This is especially true for those that operate traditionally, such as:

  • Takeaway restaurants
  • Hairdressers
  • Catalogue businesses

Phone payments may also result from a number of specific situations, like:

  • Your customer calls up to enquire more about your goods or services and decides to purchase then and there
  • You need to take a deposit from your customer when they call up to make a booking
  • Your customer wishes to renew their policy or contract over the phone

Over-the-phone payments may not be for every business, but you never know when a customer could come calling. Although phone payments offer significant value for businesses, it’s crucial that you carry out phone transaction protocols properly to avoid any potential security issues.

How to protect your business and customers against phone scams

It’s worth bearing in mind that some customers might be wary of giving their card details out over the phone. Statistics show that card-not-present fraud accounted for 76% of the total value of card fraud in the UK in 2019. Because card-not-present payments have a much higher fraud rate than machine-based payments, make sure you present yourself as legitimate to your customers and do your due diligence to make sure they are too. It may also be beneficial to make your customers aware of the tactics scammers use, to help protect them.

When attempting phone fraud, also known as vishing, scammers often:

  • Impersonate businesses — From government and official organisations to retail companies, scammers will attempt to gain the victim's trust by pretending to be a representative of a well-known business. It’s recommended that companies should contact customers via their official registered trading phone number. Additionally, your customers should be told that they will only be contacted by this number.
  • Ask for sensitive information — To hack bank accounts and access personal funds, fraudsters will request sensitive financial information from their victims. To combat this, businesses should let their customers know that certain details will never be requested when completing over-the-phone transactions. These include:
    • four-digit card PIN
    • full password or online banking information
    • one-time passcodes
  • Create a sense of urgency — Victims will often be rushed into handing over their financial details, as scammers use techniques like limited-time-only offers. Customers should never be rushed into providing payment information, and being rushed should be a red flag that the situation is unusual. Let your customers know that if they have even a slight doubt about who they are really on the phone with, the best course of action is to hang up the call and get in touch with your business using your official number from your website.

Is it safe to take card payments over the phone?

Yep, taking card payments over the phone can be completely safe – as long as you’re following the correct measures.

The most important thing that all businesses that process card payments must do is make sure they are compliant with the Payment Card Industry Data Security Standard (PCI DSS). This is a set of information security requirements which all businesses must meet in order to handle credit or debit card data safely and securely. It covers every step in a card transaction, like accepting, storing, processing, and transmitting the transaction data.

PCI DSS compliance helps to limit data breaches or minimise the risk of fraud, which is why it’s essential for businesses taking over-the-phone transactions.

Individual businesses can’t apply for or receive a PCI DSS-compliant certificate. Instead, they must prove they are PCI DSS compliant by following the latest official regulations. These are updated every few years, but the most up-to-date version can be viewed on the PCI Security Standards Council website.

Businesses have three options for how they can meet these official requirements:

  1. Onboard the help of a PCI SSC-Qualified Security Assessor (QSA).
  2. Choose a payment provider who does the work for you (here at takepayments, we can take care of this for you with our Security+ package, which also offers support with secure transactions and cyber security). 
  3. Go through the steps yourself.

As part of the PCI compliance regulations set by the PCI Security Standards Council, the only way to be sure that your phone payments are secure is by choosing a payment terminal that’s PCI compliant. This means that it’s passed all the standards needed to prove it takes card payments safely and securely.

The final safety net is the legitimacy of the customer. You can have passed the PCI checks with flying colours but if the person on the other end of the phone’s a fraudster, you could be subject to some pretty hefty chargeback fees from their payment provider.

As well as risking the security of your customer’s card information, being non-PCI DSS compliant can land you a fine of between £4,000 and £81,000 a month.

How to take a payment by phone with your card machine

Once you’ve put in the precautions to ensure your business is PCI compliant, you’re ready to take a payment over the phone.

Just follow these simple steps:

Step 1: Your card machine screen will say ready and show your merchant number. If you have an M5000 machine, go to 'Menu' and select 'CNP'.

Step 2: Type in the cost of the item and then press 'Enter'.

Step 3: The machine will ask to present the card. Type in your customer’s 16-digit credit or debit card number and press 'Enter'.

Step 4: You'll then be asked to type in your customer’s card expiry date. Once done, press 'Enter'.

Step 5: It'll ask if the customer is present. Press 'Clear'.

Step 6: You'll be asked to type in the 3-digit security code, which is on the back of the card. Once done, press 'Enter'.

Step 7: It'll ask for the house number and the numeric digits of the postcode to which the card is registered. Type these in and press 'Enter'.

If the registered address has a house name instead, you will need to enter '0'.

Step 8: Once done, the card machine will start to process the transaction.

Step 9: It will then automatically print the customer copy of the receipt.

Step 10: Once printed, tear this off the machine and press 'Enter'.

Step 12: It will then automatically print the merchant copy of the receipt.

Step 13: Once printed, tear this off the machine, keep it for your records, and press 'Enter'.

Bonus tips for ensuring safe and secure over-the-phone payments

As well as the part and parcel features you get with virtual terminals, there are additional things you can do yourself to tighten your safety set-up too.

1. AVS and CVV checks

Taking card payments over the phone is as simple as asking for the 16-digit card number and expiration date and popping them into your virtual terminal.

But any decent virtual terminal or card machine will request additional security information, adding another layer of safety for you and your customers. This may include:

Address Verification System (AVS): this marries up the billing address the customer gives you with the address they’ve registered with their bank. You'll be told if it’s not a match, and it’s probably a wise idea to stop the transaction there.

Card Verification Value (CVV or CV2): these are the three, or sometimes four, digits found on the back of the customer’s credit or debit card and are entered to ensure the code corresponds with what’s on the credit issuer’s file.

In case you’re wondering, our virtual terminals come with both these security measures.

2. Security awareness training

Make sure all your staff are fully clued up on your processes and run regular (say, annual) security awareness sessions to keep key information front of mind.

Accidental breaches of sensitive information can occur when your employees don’t know about, or forget, the proper protocols. If business is booming, it can be easy to let standards slip, but frequent training can help to keep the importance of safe and secure transactions at the front of everyone’s minds.

Here’s a quick cheat sheet of things to remember:

  • Never write down sensitive credit card details on paper or in electronic systems. Personal data should never be kept for any longer than necessary; storing these details after they have been used in a transaction could be breaching one of the core GDPR principles on storage limitation.
  • Make sure your receipts do not print the customer’s full card details on them. Usually, only the last four digits are printed.
  • Install anti-virus software on your business computer or devices and run regular malware checks.
  • Always follow good document hygiene practices by shredding and disposing of documents with customer details on.

Is it time to get on the phone?

If you’re ready to broaden your payment horizons, give us a call and we can talk next steps. And if you’re still on the fence, here are a few quick facts about phone payments with us:

  • We’re fully compliant.
  • Our system’s super easy to use.
  • You can add as many users as you like.
  • We don’t lock you into lengthy contracts.
  • We don’t charge you to join or leave.
  • All our pricing packages are personalised.

Whether it’s phone payments, other online payment solutions, or card terminals that we can help you with, get in touch with our team of experts on 08082 393254.


Jodie Wilkinson

Head of Strategic Partnerships
