When Companies Do Not Use Telephone Encryption To Process Payments.

It is drummed into our heads never to give out bank details over the phone, especially your CVV number (the last three or four digits on the back of the card), yet some companies are still not PCI DSS compliant and insist on processing payments without encryption.

Is it secure to provide debit card information over the phone?

Generally speaking, if the merchant has encryption software installed it is safe to give your card details, but giving your details to a person is not: they can easily screenshot your information or use a spy camera and then use it further down the line, say a month or two later. Most reputable merchants employ a number of technologies that greatly increase the security level when taking payments over the phone.

One of those pieces of information is your credit/debit card number, which as the owner of the card only you should know, and another is a short code called the CVV, an abbreviation that stands for card verification value.

Printed on the back of your card, the CVV is a three- or four-digit code whose purpose is to provide additional security when making purchases. The CVV is meant to prove you are in possession of the card, as the code should not be known to anyone other than the card owner.

Despite all these security measures, never forget that fraudsters are always looking for ways to beat them and steal your credit/debit card information, and quite possibly your money. This is why it is important to know how to protect your data: by doing a few simple things you can further protect yourself and your earnings.

This is what you need to pay attention to when providing card details, especially on the phone:

  • If using the Internet, make sure the goods or service you want to buy comes from a reputable web site. With that being said, always research the company offering the service or product beforehand.
  • Never expose your card details in public.
  • Never provide your CVV number when asked on the phone or when processing a card payment in person. This is a sure sign of an impending fraud! CVV numbers are for online purchases only!
  • When making a payment on the phone, always obtain the phone number from a trusted source and make the call directly.
  • Always check your monthly bank statement thoroughly for charges you do not recognize.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is made up of twelve requirements. These requirements cover a wide range of topics, including securing networks, protecting data, access control measures, information security practices, and monitoring and testing. Its overarching aim is that cardholder data be protected by any organization that stores, transmits, or processes this information. Compliance is enforced by regular audits carried out by either a professional Qualified Security Assessor (QSA), Internal Security Assessor (ISA), or through a Self-Assessment Questionnaire (SAQ).

Non-compliance can result in fines, likely to be imposed by the card issuers via the acquiring banks, for any merchant who fails to meet the required standard.

Any organization that takes credit card payments is subject to the rules laid out in the PCI DSS, and they also apply to payments taken over the phone. Companies taking payments inside a contact center must make sure that they:

  • Demonstrate evidence of compliance with over 400 security controls which are applicable to any part of the contact center environment handling card data.
  • Ensure that sensitive authentication data (CVC2/CVV2 security code) is not stored in any format anywhere, including call recordings.
  • Vet new CSRs and conduct appropriate background checks, an expensive and time-consuming process.
  • Make sure data cannot be removed from the call center by any means; usually by restricting the use of pens and paper and banning mobile phones from the contact center.
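The second point above, that the security code must not be retained anywhere including call recordings, is something a compliance team can check for mechanically. The following Python scanner is an added example, not code from this post or from the PCI SSC: it runs over stored call-centre notes or transcript lines, masks card numbers to their last four digits (a truncation PCI DSS permits) and removes security codes entirely, using a Luhn check so that unrelated long numbers such as ticket references are left alone. The sample lines, regular expressions and function names are all constructed for illustration.

```python
import re

# Constructed sample of agent notes / transcript lines (not real cardholder data).
SAMPLE_NOTES = [
    "Customer confirmed card 4111 1111 1111 1111 expiring 12/27, CVV 123",
    "Order ref 88442 shipped to billing address, no card data taken",
    "Agent asked for security code 4321 on card 5555-5555-5555-4444",
    "Ticket 1234567890123456 raised for the refund query",  # long number, not a PAN
]

# 13-19 digits, optionally separated by spaces or hyphens (typical PAN layouts).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A security-code label followed by 3-4 digits: sensitive authentication data.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|security code)\b[\s:#]*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; filters out numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_line(line: str) -> tuple[str, int, int]:
    """Return (redacted_line, pans_masked, security_codes_removed)."""
    pans = 0

    def _mask(m: re.Match) -> str:
        nonlocal pans
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # not a card number; leave untouched
        pans += 1
        return "*" * (len(digits) - 4) + digits[-4:]   # keep last four only

    out = PAN_RE.sub(_mask, line)
    # The code itself must never be stored, so it is dropped rather than masked.
    out, sad = SAD_RE.subn(lambda m: m.group(1) + " [REMOVED]", out)
    return out, pans, sad


def scan_notes(lines: list[str]) -> list[tuple[int, int, int, str]]:
    """Report (line_no, pans_masked, codes_removed, cleaned_text) for offending lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        clean, pans, sad = redact_line(line)
        if pans or sad:
            findings.append((n, pans, sad, clean))
    return findings


if __name__ == "__main__":
    for hit in scan_notes(SAMPLE_NOTES):
        print(hit)
```

In practice the same scan would run over transcripts produced from call recordings, since a recording that captures the spoken code is itself stored sensitive authentication data.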

If a company brushes off your concerns by claiming its payment processing methods are secure, it needs to provide evidence of this when asked.

Encryption (or cryptography) makes card data unreadable to people without special information (called a key). Cryptography can be used on stored data and on data transmitted over a network. Payment terminals that are part of PCI-listed P2PE solutions give merchants the best assurance about the quality of the encryption. With a PCI-listed P2PE solution, card data is always entered directly into a PCI-approved payment terminal with "secure reading and exchange of data" (SRED) enabled. This approach minimizes the exposure of clear-text card data and protects merchants against payment-terminal exploits such as "memory scraping" malware. Any encryption that is not done within a PCI-listed P2PE solution should be discussed with your vendor.

Consumer rights

Certain consumer rights in the UK mean that all card transactions come with responsibilities for the merchant.

Cardholders can raise a dispute for transactions – including those done over the phone – to their card issuer, where the retailer did not provide the product or service, deliver on its own terms, or the transaction went ahead without the cardholder’s consent. This can result in a chargeback where the merchant is charged a fee and the full amount that was disputed.

The merchant should therefore be careful to obtain consent for each card transaction done over the phone. To avoid chargebacks, the merchant should also collect enough details from the customer to back up that consent, for example the billing address and the customer name as it appears on the card.

If a credit (not debit) card is used for a £100+ transaction, section 75 of the Consumer Credit Act 1974 gives the consumer the right to claim back the money for a telephone transaction they did not clearly consent to.

Further reading (PCI Security Standards Council documents): Small Merchant Guide to Safe Payments; PCI: Who We Are.

Anyone reading this who has concerns about a company asking for their bank details over the phone should contact us for more guidance.

Note From the Editor.

The reason for this post today is because my daughter wanted to cancel her contract early with a mobile phone provider in the UK. She first spoke to someone who said they could not make the payment over the phone because they were working from home and that they would get the billing department to phone my daughter within the hour.

Not long after, my daughter received the call from the company, and she could tell it was a call center because of the background noise. The operator then asked for my daughter's card details over the phone without encryption, and the worrying part was that they asked for my daughter's CVV number.

Now, in hindsight, I should have warned my daughter ahead of the call that if anyone asks for a CVV number, she should refuse to give it and just insist they send a link to a secure payment method.

The amount was quite significant and now my daughter and I are worried that her details could have been stored for a later date. It does not take much effort to write the details down or screenshot a screen. One could even use a spy camera if mobile phones, pens, and notepads are prohibited.

I will be contacting the company for comment before publishing their name and my findings with Ofcom and the card payment companies who will all be making their inquiries.

All card issuers and banks should have a PCI DSS compliance page on their websites giving consumers an opportunity to report companies to them for investigation. Furthermore, the banks and credit card issuers should also spread awareness to help counteract the UK £2 Billion credit card/debit card fraud problem. Merchants should only use telephone encryption software, which should be made mandatory by law.

https://www.finextra.com/pressarticle/75038/the-climbing-cost-of-fraud-over-2-billion-stolen-from-uk-credit-and-debit-cards-in-the-last-year

https://www.ofcom.org.uk/phones-telecoms-and-internet

#telephonesecurity #telephoneencryption #cybersecurity #paymentgateways #creditcardproviders #cvvnumber #telephonepayments #pcicompliance #dsscompliance