As businesses adapt to the changing landscape and look to conduct business in new ways, for many this means taking their business online or over the phone. With all the changes and considerations around Covid-19 and keeping staff and customers safe, have you considered if you are PCI DSS compliant?
What is PCI DSS?
PCI DSS is the worldwide Payment Card Industry Data Security Standard. It exists to help businesses process card payments in a safe and secure way. PCI DSS has 12 requirements which cover the processing and storage of card details to help businesses reduce the risk of card fraud.
What are the 12 points?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data (use encryption)
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software and programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses Information Security for employees and contractors
Why is PCI DSS important?
UK Finance’s ‘Fraud the Facts 2019’ report found unauthorised fraud losses totalled £844.8 million in 2018 – a year-on-year increase of 16%.
Card payments, particularly card not present (CNP) transactions, are an especially risky area.
The penalties for non-compliance are severe, not to mention the damage to your hard-earned reputation.
What happens if I am not compliant?
If your business is found to be non-compliant then you may be subject to fines. If your business isn’t taking sufficient steps to rectify your non-compliance then you may even be stopped from taking card payments.
Should card fraud be committed due to an oversight in your company, the penalties are much worse, not to mention the damage it can do to your reputation. If a forensic investigation is carried out and it is found that your company was at fault, then you will be responsible for picking up the cost of the investigation. Fines can be levelled against you, not just for breaching PCI DSS but also for GDPR violations. Your company can end up liable for the costs of fraudulent payments made against the customer’s card.
Compliance obligations for any organisation found to have had a breach increase significantly.
How can I make sure I am compliant when taking payments over the phone?
One of the main risks with taking card data over the phone is exposure of the data. If you are simply asking for the numbers to be read over the phone to you it could be easily overheard, by someone nearby or by someone listening in on the line. It is important to make sure that your phone system is as secure as possible by:
- Not using default passwords/codes for the system and its functions (e.g. voicemail)
- Ensuring that any phones that may be unattended in public areas are passcode protected
- Avoiding taking card details and processing payments in public areas where the call could be listened in on.
People are often the weak link in any process; even the most reliable staff member can make a mistake. The number of people that have access to card details should be kept to a minimum. Consider taking people out of the loop completely with a payment system like Link Pay Plus, which handles payments for you.
What can Deep Blue do to help my business?
Card not present (CNP) transactions are a challenge for PCI compliance, and telephone payments are particularly challenging. More often than not they will breach PCI security standards, as the card details are exposed to additional people and systems that may not be compliant.
Dual Tone Multi-Frequency (DTMF) masking, where customers key their details in on their phone keypads, can be a way around this, but it is costly to set up and maintain.
Link Pay Plus is a great way to take payments in a safe and secure way. A payment link can easily be sent to people by your preferred contact method:
- and more
The payment can then be taken and tracked in real time by your staff, without them seeing the customer’s card details.
The Link Pay Plus dashboard keeps you up to date with links generated, their conversion rate and amount transacted.
How it works
- Manage multiple payments at once – if you are hand-keying details into your card reader and a second query comes in, what do you do? Ask your customer to wait and risk losing them? Write the details down somewhere? With Link Pay Plus you can quickly and easily send links out to multiple customers.
- Pre-populated details – what if you are processing a payment and the customer’s card declines and they don’t have another one to hand? Or what if you have spent time converting an enquiry into a sale only for the customer to realise they don’t have their card to hand? Do you risk letting the call go in the hope that they ring back? Many of us now have our card details saved in our devices, and Link Pay Plus can use this information to auto-populate the customer’s details.
- Minimal interaction – payment can be taken quickly and easily at the point of order. Pick-ups and drop-offs of goods can be done quickly and safely without the need to process payment at that point. Great for completely contactless service for those who are shielding.
- Peace of mind – By letting Link Pay Plus handle your card transactions, you don’t have to worry about your staff seeing card details, or having to store sensitive information.
- Cost effective – Link Pay Plus works on a pay per transaction basis, with no additional service charges or rentals. There is also no onsite equipment to store or maintain.
- Fast set-up – with no software or equipment to install, you can be up and running in no time.
Want to know more?
If you think Link Pay Plus could be the solution your business needs then contact us now for a no obligation discussion on 0333 240 9100 or email firstname.lastname@example.org