
A PCI-DSS guide to MOTO merchant accounts and payments over the telephone

Some customers are not able to purchase goods and services online. These customers, usually business-to-business buyers, mail order or telephone order customers, or buyers of goods whose pricing fluctuates, prefer to place their orders through a call centre or via fax or telephone. Transaction details are keyed into a so-called Virtual Terminal: the receptionist or sales agent answers the phone and takes the order from the customer. Payments, settlement and refunds are managed by the same users, who therefore handle and store cardholders’ details.

Mail Order and Telephone Order (MOTO) transactions are made without face-to-face contact and as such these payments are regarded as Card-not-Present (CNP) payment transactions. Due to their relative anonymity, these transactions are more vulnerable to fraud and cybercrime.

Merchants can avoid chargebacks and prevent card fraud through careful customer identification and verification procedures. Watch out for the so-called ‘red flags’ as mentioned in our comprehensive chargeback guide.

The PCI Security Standards Council has defined the PCI DSS standard for financial institutions, payment service providers and merchants. One of its rules stipulates that “CVV2, CVC2, CID, or CAV2 Codes cannot be retained after authorisation, and full primary account numbers (PANs) cannot be kept without further protection measures.” Call centre operators take a cardholder’s payment card details over the telephone and record the conversation for customer-service purposes. By recording the card details along with the call, they contravene PCI DSS requirements and expose their customers and cardholders to unnecessary risk.

The PCI Security Standards Council provides merchants with a quick overview of which data can be stored in compliance with PCI-DSS security standards. In-depth information can be found in ‘Protecting Telephone-based Payment Data’.

| Category | Data Element | Storage Permitted | Render Stored Account Data Unreadable |
| --- | --- | --- | --- |
| Account Data: Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Account Data: Cardholder Data | Cardholder Name | Yes | No |
| Account Data: Cardholder Data | Service Code | Yes | No |
| Account Data: Cardholder Data | Expiration Date | Yes | No |
| Account Data: Sensitive Authentication Data | Full Magnetic Stripe Data | No | Cannot store as per requirement 3.2 |
| Account Data: Sensitive Authentication Data | CAV2/CVC2/CVV2/CID | No | Cannot store as per requirement 3.2 |
| Account Data: Sensitive Authentication Data | PIN/PIN Block | No | Cannot store as per requirement 3.2 |

What this means: sensitive authentication data must not be retained after a payment has been authorised (Requirement 3.2). For telephone and call centre operations, “sensitive authentication data” means the CVV2, CVC2, CID or CAV2 code and/or PIN information that may have been taken during a payment over the telephone.
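The following is an added example, not code from this guide or from Centus, showing how a virtual terminal could apply the table above when it writes a telephone order to storage: sensitive authentication data is dropped, the PAN is rendered unreadable, and a checker flags records that still violate Requirement 3.2. The field names, the HMAC key and the 4111 test card number are constructed; truncation to the first six and last four digits is assumed here as one accepted way of rendering a stored PAN unreadable.

```python
import hmac
import hashlib

# Elements the PCI DSS table marks "No" for storage: never retained after authorisation.
SENSITIVE_AUTH_DATA = {"cvv2", "cvc2", "cid", "cav2", "pin", "pin_block", "full_track_data"}
# Elements that may be stored; only the PAN must additionally be rendered unreadable.
STORABLE = {"pan", "cardholder_name", "service_code", "expiry"}


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: keep the first 6 and last 4 digits only."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN so records can be matched without keeping the PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def record_for_storage(captured: dict, key: bytes) -> dict:
    """Take what the agent keyed in over the phone and return only what may be stored."""
    stored = {}
    for field, value in captured.items():
        name = field.lower()
        if name in SENSITIVE_AUTH_DATA:
            continue  # Requirement 3.2: discard after authorisation, never write to disk
        if name == "pan":
            stored["pan_masked"] = truncate_pan(value)   # unreadable form for display
            stored["pan_token"] = pan_token(value, key)  # lookup handle for refunds
        elif name in STORABLE:
            stored[name] = value
        else:
            stored[name] = value  # order details, amounts, timestamps, etc.
    return stored


def storage_violations(stored: dict) -> list:
    """Flag a stored record that still carries sensitive authentication data or a readable PAN."""
    names = {f.lower() for f in stored}
    problems = sorted(names & SENSITIVE_AUTH_DATA)
    if "pan" in names:
        problems.append("pan")  # full PAN kept without further protection
    return problems
```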

Furthermore, the card organisations advise merchants to:

  • Ask the customer for more than one phone number and call the customer back later.
  • Ask for the complete name as printed on the front of the card.
  • Send a note to the customer’s billing address, rather than the shipping address.
  • Explain to cardholders why you are requesting additional information and that it is to protect them from fraud.

For further information about payments over the telephone or MOTO merchant accounts, please contact Centus.
