One of the things that many business owners must ensure as a part of accepting credit cards is that every employee in the business is properly trained. Anyone who handles credit card data and related customer info must do so in a safe and secure manner. Here are our best practices and tips on how to remain PCI compliant when taking credit cards over the phone.
What Does PCI Compliant Mean?
First, let’s address the basics and what being PCI compliant means.
PCI stands for Payment Card Industry and being compliant means you follow their standards for handling, processing, and storing credit card data as well as related customer information.
The PCI Council is a global organization made up of the largest bankcard brands (such as Visa and MasterCard) and other large financial institutions, focused on maintaining the safety and security of payments both in the US and internationally. Its standard applies to every business in the world that accepts credit card payments.
Who Enforces PCI Compliance?
The Payment Card Industry Council, aka the PCI Council, oversees education, sets the standards, and provides the processes that businesses must follow to remain compliant.
Annually, companies must go through an internal audit and complete the required reporting to document their in-house practices and prove that they are following the PCI compliance standards.
PCI Compliance and Credit Cards Over Phone
Here are the steps each authorized person in the business should take when taking a credit card payment over the phone.
- Use a unique user ID and secure password to access the system.
- Never write down your username or password for the system.
- Verify the customer – make sure they are an authorized account holder.
- Before asking the customer for their credit card details, pause call recording or mask the call so that sensitive information is not recorded.
- Enter the customer and payment information into the system.
- Verify the payment – share the authorization number with the customer.
- Offer to e-mail, text, or send a receipt.
- Close out and complete the transaction.
- If no more transactions are needed, log out of the system.
Remember: Do not write down credit card numbers, expiration dates, or CVV codes. Never photocopy credit cards. Do not store credit card information in a customer database or POS system that is not set up to encrypt the data following the most current SSL security protocols.
All of these steps can help to maintain PCI compliance. Everyone in the company must work to ensure that the practices are in place at all times.
What Happens If You Are Not PCI Compliant?
If a business is not PCI compliant, a penalty fee is assessed for being out of compliance. The PCI Council continues to assess it each month until the business completes and certifies compliance.
Most often, this fee shows up on the merchant statement, but it is listed among the normal payment-processing fees. It is not always obvious that the penalty has been assessed, which is why TransAct also sends an e-mail advising of the non-compliance.
Whenever the TransAct merchant services report issues a PCI non-compliance alert, we proactively contact the client and offer to help resolve the issue and regain compliance. We can’t do this without our client’s involvement: while it takes a little time and effort, we have no way of waiving this requirement.
Is There a PCI Compliance Checklist?
Yes, there is a PCI Compliance Checklist that TransAct has for our clients. We are able to review this with our customers as part of initial onboarding and as part of ongoing training and support.
Schedule a call or Zoom appointment to go over this together so that we can explain some of the more critical steps that must be completed on an annual basis.
We take PCI compliance training and PCI support very seriously, and our focus on this issue gives TransAct clients an advantage over their counterparts. Every year, we help new and existing clients alike avoid unnecessary expenses and the risk of being out of compliance.