2) Never HEAR a Card Number
Some business models require customers to recite their credit card information over the phone while an employee records it on the other end. We’ve already discussed what can happen if a rogue employee mishandles information they have seen or heard, but reciting card numbers out loud adds another dimension of risk: you never really know who’s listening.
Skilled attackers can intercept phone calls with little effort. But even a stranger on the other side of the customer’s wall, or standing behind them in line, can have remarkably good hearing and fraudulent intentions. Sure, it’s possible that your business will never run into these issues – but if there is no way to hear a card number over the phone, then there’s also no way to steal a card number through it.
If phone payments are a part of your business model, there are several ways to make your processes more secure and PCI compliant.
First, consider implementing an Interactive Voice Response (IVR) system. These systems allow a computer to interact with phone customers, accepting their card information through voice and touch-tone keypad selection. In other words, you can collect payment from your customer through the phone without ever hearing their card number.
Payment Request forms work well for this case, too. Instead of asking for payment vocally, close the sale on the phone and then send a Payment Request by email so the customer can enter their own card number digitally.
With these systems in place, your staff never have to hear a card number again!
3) Never Touch A Customer’s Card
The moment you touch a customer’s card, you are responsible for the outcome. At this point, you also run the risk of not meeting PCI DSS requirements. Here in the United States, we hand our cards over freely to retail cashiers, wait staff at restaurants, and service employees every day – and that may go a long way toward explaining why so many Americans are exposed to identity theft.
In the rest of the world, handing over a card is rarely required. At restaurants around the world, for example, a card terminal is brought to the table so the customer can make the payment themselves. If you want to achieve PCI compliance, start by implementing a similar system. Use a self-service payment terminal that lets customers swipe or insert their own card and complete payment without handing it over.
Sensitive data can be dangerous in the wrong hands. Fortunately, if sensitive data never changes hands, this potential threat is eliminated. Having a system in place where the card remains in the customer’s hand is viewed favorably by the PCI Standards Council.
Taking The First Step Towards PCI Compliance
Achieving and maintaining PCI compliance requires commitment, time, and a change in the processes that you may have grown used to. While these three steps are not everything you need to do to achieve full compliance, they will surely get you much closer than where you are today. These steps also establish good data handling habits, and greatly reduce the scope of your PCI compliance efforts.
If you’re operating a business that collects recurring payments, achieving PCI compliance can be even more challenging. That is, unless you’re using Salesforce with Chargent. At Chargent, we make it easy to collect subscription payments automatically – without ever needing to see or hear a card number, or touch a customer’s card! Chargent processes your customer payments and stores a secure token in Salesforce, not the sensitive credit card number itself.
Ready to achieve PCI bliss? Check out the many features that Chargent offers and see if it’s the right fit for your business.
Have you overcome a serious PCI compliance issue? Tell us about it down below in the comments!