Taking card payments over the phone is a great way to scale your business, connect with customers near and far, and speed up billing cycles.
That said, we understand that you don’t want to do anything that could infringe on your own or your customers’ financial safety — especially when the UK was named as having the ‘highest rates of phone spam and fraud’ in Europe.
Action Fraud’s NFIB Fraud and Cyber Crime Dashboard reveals the total number and value of fraud cases reported to different UK police forces. Using this data, we uncovered some key findings on phone scams carried out on businesses across the last 12 months, from March 2022-2023. We found that:
Despite Action Fraud’s database showing that businesses are losing out on millions of pounds to phone-related fraud, the good news is that taking payments over the phone using virtual terminals is all pros and no cons.
In this article, we’ll walk you through how you can successfully take telephone payments and explain which safety measures you can put in place to protect your business and your customers.
Yes, it’s easy to take card payments over the phone if you have a credit card terminal. The process is straightforward, as all you need to do is enter your customer’s card information into your terminal to process the transaction.
While the value of contactless payments increased by nearly 50% in 2022 against 2021, over-the-phone payments are still a beneficial option for many businesses. This is especially true for those that operate traditionally, such as:
Phone payments may also result from a number of specific situations, like:
Over-the-phone payments may not be for every business, but you never know when a customer could come calling. Despite offering significant value for businesses, it’s crucial that you’re carrying out phone transaction protocols properly to avoid any potential security issues.
It’s worth bearing in mind that some customers might be wary of giving their card details out over the phone. Statistics show that card-not-present fraud accounted for 76% of the total value of card fraud in the UK in 2019. Because the fraud rate is much higher than for machine-based payments, make sure you present yourself as legit to your customers and do your due diligence to make sure they are too. It may also be beneficial to make your customers aware of the tactics scammers use, to help protect them.
When attempting phone fraud, also known as vishing, scammers often:
Yep, taking card payments over the phone can be completely safe – as long as you’re following the correct measures.
The most important thing that all businesses that process card payments must do is make sure they are compliant with Payment Card Industry Data Security Standard (PCI DSS). This is a set of information security requirements which all businesses must meet in order to handle credit or debit card data safely and securely. It covers every step in a card transaction, like accepting, storing, processing, and transmitting the transaction data.
PCI DSS compliance helps to limit data breaches or minimise the risk of fraud, which is why it’s essential for businesses taking over-the-phone transactions.
Individual businesses can’t apply for or receive a PCI DSS-compliant certificate. Instead, they must prove they are PCI DSS compliant by following the latest official regulations. These are updated every few years, and the most up-to-date version can be viewed on the PCI Security Standards Council website.
Businesses have three options for how they can meet these official requirements:
As part of the PCI compliance regulations set by the PCI Security Standards Council, the only way to be sure that your phone payments are secure is by choosing a payment terminal that’s PCI compliant. This means that it’s passed all the standards needed to prove it takes card payments safely and securely.
The final safety net is the legitimacy of the customer. You can have passed the PCI checks with flying colours but if the person on the other end of the phone’s a fraudster, you could be subject to some pretty hefty chargeback fees from their payment provider.
As well as risking the security of your customer’s card information, being non-PCI DSS compliant can land you a fine of between £4,000 and £81,000 a month.
Once you’ve put in the precautions to ensure your business is PCI compliant, you’re ready to take a payment over the phone.
Just follow these simple steps:
Step 1: Your card machine screen will say ready and show your merchant number. If you have an M5000 machine, go to 'Menu' and select 'CNP'.
Step 2: Type in the cost of the item and then press 'Enter'.
Step 3: The machine will ask to present the card. Type in your customer’s 16-digit credit or debit card number and press 'Enter'.
Step 4: You'll then be asked to type in your customer’s card expiry date. Once done, press 'Enter'.
Step 5: It'll ask if the customer is present. Press 'Clear'.
Step 6: You'll be asked to type in the 3-digit security code, which is on the back of the card. Once done, press 'Enter'.
Step 7: It'll ask for the house number and the numeric digits of the postcode to which the card is registered. Type these in and press 'Enter'.
If the registered address has a house name instead, you will need to enter '0'.
Step 8: Once done, the card machine will start to process the transaction.
Step 9: It will then automatically print the customer copy of the receipt.
Step 10: Once printed, tear this off the machine and press 'Enter'.
Step 12: It will then automatically print the merchant copy of the receipt.
Step 13: Once printed, tear this off the machine, keep it for your records, and press 'Enter'.
Bonus tips for ensuring safe and secure over-the-phone payments
As well as the features that come as part and parcel of virtual terminals, there are additional things you can do yourself to tighten your safety set-up.
Taking card payments over the phone is as simple as asking for the 16-digit card number and expiration date and popping them into your virtual terminal.
But any decent virtual terminal or card machine will request additional security information, adding another layer of safety for you and your customers. This may include:
Address Verification System (AVS): this marries up the billing address the customer gives you with the address they’ve registered with their bank. You'll be told if it’s not a match, and it’s probably a wise idea to stop the transaction there.
Card Verification Value (CVV or CV2): these are the three, or sometimes four, digits found on the back of the customer’s credit or debit card and are entered to ensure the code corresponds with what’s on the credit issuer’s file.
In case you’re wondering, our virtual terminals come with both these security measures.
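To make the AVS entry from Step 7 concrete, here is an added example (not code from this article or from any terminal vendor) that derives the digits an operator would key from a billing address and models the match check. The function names, the sample addresses and the simplified issuer-side comparison are assumptions made for illustration.

```python
import re


def avs_numerics(address_line, postcode):
    """Digits an operator keys at the AVS prompt (Step 7 above)."""
    # House number = leading digits of the address line ("14a" -> "14").
    # A house name has no leading digits, so the article's rule applies: key '0'.
    match = re.match(r"\s*(\d+)", address_line)
    house = match.group(1) if match else "0"
    # Postcode: numeric digits only; letters and spaces are dropped.
    digits = "".join(ch for ch in postcode if ch.isdigit())
    return house, digits


def avs_check(given, registered):
    """Simplified model of the comparison (an assumption, not a vendor API)."""
    g_house, g_pc = avs_numerics(*given)
    r_house, r_pc = avs_numerics(*registered)
    result = {"house_match": g_house == r_house, "postcode_match": g_pc == r_pc}
    # The article's advice: stop the transaction when AVS does not match.
    result["proceed"] = result["house_match"] and result["postcode_match"]
    return result


# Constructed sample data, not a real customer or address.
REGISTERED = ("14a Example Street", "AB1 2CD")

if __name__ == "__main__":
    samples = [
        ("14a Example Street", "ab12cd"),  # same address, typed differently
        ("Rose Cottage", "AB1 2CD"),       # house name -> '0', house mismatch
        ("14 Other Road", "ZZ1 2ZZ"),      # different street, same digits
    ]
    for given in samples:
        print(given, avs_check(given, REGISTERED))
```

Because only digits are compared in this model, the third constructed sample passes despite naming a different street, so treat an AVS match as one signal alongside the CVV check rather than as proof of identity.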
Make sure all your staff are fully clued up on your processes and run regular (say, annual) security awareness sessions to keep key information front of mind.
Accidental breaches of sensitive information can occur when your employees don’t know about, or forget, the proper protocols. If business is booming, it can be easy to let standards slip, but frequent training can help to keep the importance of safe and secure transactions at the front of everyone’s minds.
Here’s a quick cheat sheet of things to remember:
If you’re ready to broaden your payment horizons, give us a call and we can talk next steps. And if you’re still on the fence, here are a few quick facts about phone payments with us: