Gala Technology Limited
+44 (0) 1709 911 661

How do I take secure & compliant payments over the phone?

First things first.

The first step for any business that is looking to accept debit or credit card payments, whether face to face, online or over the phone, is to create a merchant account.
If you already have a merchant account in place and are accepting card payments then please read on. If you’re completely new to accepting credit or debit card payments, though, you’ll need to apply for a merchant account before you can start. Merchant Accounts are normally sourced from a Merchant Acquirer or an Independent Sales Organization (ISO), who will provide you with a Merchant ID (MID), which is a unique identification number assigned to the business.

A Merchant Acquirer tends to be a financial institution that processes payment transactions, such as credit or debit card payments, on behalf of a merchant. Simply put, the Acquirer will ‘acquire’ the money from the customer's bank account and ‘settle’ it into the business account associated with the Merchant ID (MID). The Acquirer will charge a percentage of the transaction value for providing this service (the Merchant Service Charge). These rates can vary between card types (Visa, Mastercard, AMEX etc.) and according to whether they are debit, credit or commercial/business cards.
It is very important that a business understands the charges associated with a merchant account. Gala Technology can provide some free and independent advice, cutting through the industry jargon and helping you set up the right merchant account for you, with the right provider.

Taking Payments over the phone.

These types of payments are known in the industry as MOTO (mail order/telephone). Sometimes these are also referred to as 'Cardholder Not Present', or CNP for short. This means that the cardholder/customer is not present to use Chip & PIN to authenticate the transaction as they would in a physical shop, where they often use their 4-digit PIN code to prove the card belongs to them. So what are your options for taking payments over the phone?
Option 1:
Use your card terminal. (Non-Secure Process)

Whilst card machines are generally used for 'face to face' or 'cardholder present' transactions in physical locations, they can be used for telephone payments.

In order to do so, the cardholder would need to read out their sensitive card data, typically their long card number, expiry date and the 3 digits on the reverse of the card, which the business will then key into the card terminal.
You should be aware of the associated risks and costs of accepting telephone payments in this manner. Two simple checks will occur behind the scenes: whether the card has been reported lost or stolen, and whether there are enough funds in the account to complete the transaction. At this point you will get an authorisation or decline notification.
You must clearly understand that an authorisation does not guarantee payment.
Because the business has no idea whether the voice on the other end of the phone is indeed the genuine cardholder or a fraudster using compromised/stolen data, it becomes liable for fraud related chargebacks should the cardholder challenge the transaction, claiming that they never authenticated the payment.

Last year (2019) in the UK, over £620.6m was lost to fraudulent transactions using UK payment cards. It is therefore suggested that you should only deliver goods or services to the 'registered cardholder's address'. Because of the associated risk of fraud, acquirers will tend to charge you a higher rate to process the transaction. This is often referred to as a 'non-secure' transaction rate. Another consideration is that asking the cardholder to read their details out to you triggers your PCI DSS requirements to protect them and increases your risk of reputational damage.

If you cannot evidence to your acquirer that you are PCI DSS compliant, you may be charged additional fees each month.
Option 2:
Use a Virtual Terminal. (Non-Secure Process)

A Virtual Terminal is a web-based portal that can be accessed through a desktop, tablet or mobile device. It is designed for merchants taking mail order or telephone payments to process credit and debit card payments, as well as refund transactions, all in real time.

The process for taking payments over the phone will vary, depending on your provider. You’ll need to:

  1. Log in to your virtual terminal with the account details your provider has given you.
  2. Follow the on-screen prompts to enter the customer’s details. Usually, you’ll need their long card number, the card’s expiry date, and the card security code.
  3. You might be required to ask for further information for security purposes, such as the name on the card, or the billing address.
  4. Submit the transaction and keep the customer on the phone while it is being processed.
  5. Once the payment has been approved, you can dispatch the goods to the customer's postal address.

Businesses need to be aware that these are often promoted as a 'secure' way to process MOTO transactions. In our opinion, this is a little misleading, as transactions processed through a Virtual Terminal may be processed as, and charged at, a 'non-secure' transaction rate by your merchant account provider. Again, the cardholder needs to provide their sensitive card data, typically their long card number, expiry date and the 3 digits on the reverse of the card, which the business will key into the Virtual Terminal. Additional checks such as 'Address Verification Services' (AVS) are often commonplace; however, if you use a Virtual Terminal, your business is liable for fraud related chargebacks should the cardholder challenge the transaction, claiming that they never authenticated the payment. It is therefore suggested that you should only deliver goods or services to the 'registered cardholder's address'. PCI DSS requirements are also triggered, causing additional time, effort and cost.
Option 3:
Use our multi-award winning, SOTpay technology.

How does our innovation help?

Our cloud-based technology does not require any additional hardware or amendments to existing telephony or network setup and is Acquirer and Payment gateway agnostic. Totally eliminating the need for capital expenditure, SOTpay can support businesses of all shapes and sizes in any sector.

SOTpay eliminates the risk of fraud related chargebacks for businesses by authenticating MOTO and omni-channel CNP transactions and processing the payment in a PCI compliant manner. By converting a risky ‘non-secure’ transaction into a ‘secure, authenticated, compliant’ transaction in the eyes of the acquiring partner, the merchant can see significant savings in their Merchant Service Charges. We have seen businesses save in excess of £40,000 per annum following the deployment of SOTpay.

SOTpay enables you to send out an electronic payment request in real time, via email, SMS, web chat or electronic invoices.
The flexibility of the SOTpay technology enables the merchant to accept secure and compliant transactions across numerous channels, boosting business by allowing cardholders to complete transactions in their desired channel of engagement. For example, if someone is engaging with the business on Facebook, SOTpay allows the business to take payment within the Facebook Messenger environment.

By preventing cardholder data in its entirety from entering the merchant environment, SOTpay makes achieving and maintaining PCI DSS compliance easier and more manageable for your business. With liability for fraud related chargebacks eliminated, the merchant can also deliver to an alternative delivery address, instead of just to the registered cardholder’s address.

The PCI SSC updated their global ‘Protecting Telephone Payments’ guidelines to include our innovative approach as a disruptive payment technology, which gave us tremendous credibility within the acquiring industry. We have subsequently become partners to some of the largest payment organisations in the world, helping to protect and support their merchants against the challenges that businesses face.
Don't just take our word for it...
Take a look at some of the industry accolades we have won in recent times.


Gala Technology Limited, Unit 10 Farfield Park, Manvers, Rotherham, South Yorkshire, S63 5DB
what3words location ///balance.buyers.shrug


Copyright © 2015 - 2021 Gala Technology Limited. All Rights Reserved.