Now more than ever, your business must accept payments whenever and however your customer wants to pay. In their well-intentioned efforts to help your customers make payments, employees might be putting you and your business at risk, including your PCI compliance. How? Let’s look at two examples: a staff member takes a phone order and writes down the payment information on the tablet they use for everyday notes. Or an employee takes a phone payment from a customer while the call is being recorded.

Writing down credit card or debit card information on paper creates a physical record that is susceptible to theft or misplacement. If this information falls into the wrong hands, it could lead to a data breach, exposing your customers’ financial data to unauthorized individuals.

Not only should you never write down credit card data on paper, but you should also not store credit card data onsite. Ever. Not on a computer, not in the customer’s paper file, anywhere in your office. Period.

An Often Overlooked Vulnerability

Today, many businesses record their customer conversations. When these calls include payments, they can contain sensitive data, including:

– Credit card numbers

– Personally identifiable information (PII)

PII can include:
    • Name
    • Social Security number
    • Date and place of birth
    • Mother’s maiden name
    • Biometric data
    • Email address
    • Telephone number
    • IP address
    • Geographical details
    • Employment information

Security Best Practices and Encryption

To safeguard sensitive information in audio files, security best practices and strong encryption help to mitigate these risks. Best practices include:

– Password protection: Restrict access to authorized personnel only

– File encryption: Securing the content of the recordings against unauthorized access or interception

Speech-to-Text Considerations

If your business uses speech-to-text conversion software, additional precautions are necessary:

– Convert speech data to encrypted text as quickly as possible

– Ensure the original audio and any converted text files are stored in encrypted formats

Legal Requirements

Businesses that handle customer credit card information are legally required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard sets forth specific guidelines on how organizations should secure and protect sensitive cardholder data to prevent unauthorized access and potential data breaches. Adhering to PCI DSS requirements helps to ensure that customer credit card information is stored securely and that the risk of fraudulent activities is minimized.

Protect credit card data by never writing down card information.

Businesses can face lawsuits and financial penalties when sensitive data is exposed. Not to mention the risk to your PCI compliance (and your ability to accept credit cards) by violating PCI DSS standards.

Below, we list some common sense dos and don’ts you can use today to safeguard your operations.

To Reduce and Eliminate Risk and Safeguard Credit Card Data and your PCI Compliance:

Never

  • Physically write down any credit card information
  • Use an imprint machine to process credit card payments
  • Leave sensitive information unattended on a desk or in any public area
  • Copy the front and back of a credit card
  • Store physical credit card information onsite or in places like Google Drive, Dropbox, etc.

Always

  • Closely supervise all staff and visitors to the area where credit card information could be available
  • Collect only the information you need to complete the transaction
  • Write down the customer’s phone number
  • Use a fully hosted virtual terminal that encrypts card data upon entry and transmission to record credit card information given over the phone
  • Have strict credit card handling policies in writing
  • Hold regular credit card handling training with your staff
  • Rely on a reputable payment processor with a PCI DSS Level 1 certified network
  • Get customer permission before storing any card data

Use Virtual Terminals

For simplicity, we’ll look at virtual terminals. Think of a virtual terminal as an online checkout form you can use in your store or office. Virtual terminals are web-based and allow your staff to accept payments by telephone, mail order, fax, email, or in person. You can have as many virtual terminals as you need. IntelliPay’s One Terminal is a good example of a virtual terminal.

Virtual terminals do not require new software or hardware. An existing desktop, laptop, tablet, smartphone, or POS system can host a virtual terminal; an in-person transaction only requires the installation of an external card reader. Transactions on virtual terminals are made on the payment processor’s secure systems, not yours, which use tokenization and end-to-end encryption to protect sensitive data during transmission.

For example, when a customer gives their credit card information to your staff to input into a virtual terminal, their account number (PAN) is replaced with a randomly generated alphanumeric ID, a token meaningless to everyone except the payment processor.

The virtual terminal encrypts the tokenized information before sending it to the payment processor, which routes the transaction through the credit card networks. A virtual terminal frees you from storing sensitive data in your system and minimizes PCI scope and liability.
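As an added illustration (not IntelliPay’s code, and not how any particular processor implements its vault), the following Python models the tokenization flow described above: the merchant’s virtual terminal hands the PAN to a processor-side vault, receives a random token back, and keeps only that token and the last four digits. The vault class, function names and the test card number are constructed for this example.

```python
import re
import secrets
import string

# Constructed sample PAN (an industry-standard test card number, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before they reach the vault."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class ProcessorVault:
    """Stands in for the payment processor: the only party holding token -> PAN mappings."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        alphabet = string.ascii_letters + string.digits
        # Random token, not a hash of the PAN: nothing about the card can be derived from it.
        token = "tok_" + "".join(secrets.choice(alphabet) for _ in range(24))
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, when routing the charge to the card networks."""
        return self._pan_by_token[token]


def virtual_terminal_entry(vault: ProcessorVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps after staff key a phone order: token and last4, never the PAN."""
    pan = re.sub(r"\D", "", pan)
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Scan a merchant-side record for the full PAN (what a PCI scope review looks for)."""
    return any(pan in str(v) for v in record.values())
```

The merchant-side record never holds the full PAN, so a leak of that record exposes a token the processor alone can resolve.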

Simple to Install, Customizable Solutions

Web-based virtual terminals are easy to install and use and offer comprehensive reporting features, simplifying payment management, especially formerly time-consuming reconciliations.

Intelligent payment processing platforms like IntelliPay make it easy to get started with virtual terminals. They offer a virtual terminal solution for every need; all are customizable and easy to install. Customization and set-up are free, and many virtual terminal options are configured within a single business day.

About IntelliPay

IntelliPay has provided both traditional options (processing costs are absorbed as a cost of doing business) and cardholder-pays options (the cardholder pays the swipe or interchange fee) to businesses of all sizes since 2011. To learn more about your virtual terminal options, contact Phillip Buck at phillip.buck@intellipay.com.