Card payments via the telephone remain a popular transaction method with consumers; however, they can pose a risk for merchants, as it is difficult to authenticate and verify the identity of the cardholder. Face-to-face transactions have the chip and PIN process to help protect the merchant from fraud and chargebacks, and online payments are protected by 3D-Secure. There is no such protection with telephone payments. Instead, the caller will typically read out the card number, expiry date and CVV (the last three digits on the back), to be entered manually into a physical card terminal or an online virtual terminal. This is known as a non-secure payment, because the business cannot prove who conducted the payment.
At this point, the non-secure payment will be subjected to two checks only:
If the non-secure payment is authorised, then it is processed and the goods are shipped and delivered. At this point, many merchants would consider the telephone transaction completed. This is sadly not the case, and it is vital that you understand that receiving authorisation from the terminal does not guarantee payment.
Cardholders are protected by the Consumer Credit Act 1974, which means that any misuse of the card, unless done deliberately by the cardholder themselves, must be refunded by the merchant or the card issuer. Unless a merchant protects itself from fraudulent activity as best it can, it is ultimately where the buck stops when it comes to reimbursing a cardholder, and that reimbursement comes in the form of a chargeback.
What happens if the cardholder deliberately claims they did not order or receive the goods? Is my business protected?
If a cardholder makes a fraudulent claim against a non-authenticated purchase, and challenges the payment despite having placed the order, then the benefit of the doubt will ultimately land with the cardholder and the merchant will continue to be liable for the chargeback. This is known as friendly fraud.
Did you know?
In the UK in 2020, almost £575m was lost to fraudulent transactions using payment cards.
Beyond the potential for fraud, taking card payments by telephone presents a risk in the form of PCI-DSS compliance. This is not strictly a legal requirement, but it is mandated by the payment card industry, and you should absolutely ensure that your business does not take card payments without adhering to the standard.
The Payment Card Industry Data Security Standard, also known as PCI-DSS, places strict requirements on any merchant that handles sensitive card data. These requirements are not limited to telephone orders; they also cover in-person transactions and online payments.
In the broadest sense, PCI-DSS requires that you as a merchant do everything in your power to restrict access to cardholder data, which will include data-encryption tools, security policies, anti-virus software, secure systems, and limited access by staff to that data. If your company suffers a data breach that could have been avoided by following the PCI-DSS obligations, then beyond the massive damage to your business reputation, you may be liable for the costs of resolving the matter: investigations, repaying the cost of the fraud itself, and replacing any cards whose data had been jeopardised. You would also be at risk of prosecution by the Information Commissioner's Office (ICO) for a serious breach of GDPR.
In short, no company that takes card payments in any form should be ignoring the importance of PCI-DSS compliance.
Introducing SOTpay, by Gala Technology.
Our multi-award-winning cloud-based solution doesn't require any expensive additional hardware in your current set-up. By deploying SOTpay as their payment processing system, some of our satisfied clients have saved more than £40,000 per year in reduced transaction fees, lower Merchant Service Charges, and chargebacks.
SOTpay eliminates the risk of fraud-related chargebacks for businesses by authenticating MOTO (mail order / telephone order) transactions, converting the risky non-secure payment into a secure, authenticated, PCI-DSS compliant payment. The customer either validates the payment using information that should be known only to them, uses their pre-authenticated device to make the payment, or in some cases uses biometric data such as a fingerprint. With this authentication in place, your business is protected from fraud-related chargebacks.
By authenticating the telephone payment, SOTpay eliminates fraud-related chargebacks, which in turn enables merchants to ship goods to addresses other than the cardholder's address. This benefit is particularly useful for business-to-business merchants whose clients may need items delivered to alternative offices or to their own customers.
Because the payment request link keeps sensitive card information outside of your business environment, you can process secure orders not just by telephone, but through a host of other channels too, such as social media, web chat, and even video conference call.
SOTpay enables you to send an electronic payment request via email or SMS text message to your customer while they are still on the telephone, and you can watch the progress of the transaction in real time as they make a secure payment. This keeps the card data completely out of your business environment, thereby simplifying your PCI-DSS compliance requirements.
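The two paragraphs above describe a pay-by-link pattern: the merchant sends an unguessable link, the customer enters card details on a hosted page run by the payment provider, and the merchant only ever receives the outcome. The Python sketch below is an added illustration of that pattern and is not SOTpay's or Gala Technology's code; the hosted-page host name, the 15-minute link lifetime, the shared callback secret, the callback format and the test card number are all assumptions made for the example. It shows why the pattern reduces PCI-DSS scope: the merchant-side record has no field that can hold a card number, expiry or CVV, links are single-use and time-limited, and result callbacks are signed so a forged "authenticated" notification is rejected.

```python
"""Model of a pay-by-link MOTO flow in which card data never enters the merchant's systems.
Added illustration only; not the code of any real payment provider."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 15 * 60                  # assumed: a payment link lives for 15 minutes
CALLBACK_SECRET = b"assumed-shared-secret"  # assumed: secret shared by hosted page and merchant
HOSTED_PAGE = "https://pay.example.invalid/r/"  # assumed placeholder host for the hosted page


@dataclass
class PaymentRequest:
    """Everything the merchant stores per request. Deliberately no PAN, expiry or CVV field."""
    order_id: str
    amount_pence: int
    created_at: float
    status: str = "pending"             # pending -> authenticated | declined | expired
    auth_method: Optional[str] = None   # how the customer proved it was them, e.g. "3ds"


def _sign(token: str, outcome: str, auth_method: str) -> str:
    """HMAC over the callback fields so the merchant can tell a genuine result from a forged one."""
    msg = f"{token}|{outcome}|{auth_method}".encode()
    return hmac.new(CALLBACK_SECRET, msg, hashlib.sha256).hexdigest()


class MerchantSystem:
    """The merchant side: issues links, tracks status, accepts signed outcomes."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._requests: Dict[str, PaymentRequest] = {}

    def create_link(self, order_id: str, amount_pence: int) -> str:
        # 256-bit random token: unguessable and bound to exactly one order and amount.
        token = secrets.token_urlsafe(32)
        self._requests[token] = PaymentRequest(order_id, amount_pence, self._now())
        return HOSTED_PAGE + token

    def status(self, token: str) -> str:
        req = self._requests.get(token)
        if req is None:
            return "unknown"
        if req.status == "pending" and self._now() - req.created_at > LINK_TTL_SECONDS:
            req.status = "expired"      # a stale link can no longer be completed
        return req.status

    def callback(self, token: str, outcome: str, auth_method: str, signature: str) -> bool:
        """Outcome notification from the hosted page. Accepted only if correctly signed and
        the link is still pending, so replays, forgeries and expired links all fail."""
        if not hmac.compare_digest(_sign(token, outcome, auth_method), signature):
            return False
        if self.status(token) != "pending":
            return False
        req = self._requests[token]
        req.status = outcome
        req.auth_method = auth_method
        return True


class HostedPaymentPage:
    """Stand-in for the provider-operated page the customer opens from the link.
    It is the only component that ever sees the card number; the merchant never does."""

    def __init__(self, merchant: MerchantSystem) -> None:
        self._merchant = merchant

    def submit(self, link: str, pan: str, expiry: str, cvv: str, customer_authenticated: bool) -> bool:
        token = link.rsplit("/", 1)[-1]
        if self._merchant.status(token) != "pending":
            return False                # reused or expired link: nothing is charged
        # Simulated authorisation: the card details are checked here and then discarded.
        card_ok = pan.isdigit() and len(cvv) == 3 and "/" in expiry
        outcome = "authenticated" if (card_ok and customer_authenticated) else "declined"
        auth_method = "3ds" if outcome == "authenticated" else "none"
        # Only the outcome travels back to the merchant, with a signature over it.
        return self._merchant.callback(token, outcome, auth_method, _sign(token, outcome, auth_method))


def merchant_stores(merchant: MerchantSystem, needle: str) -> bool:
    """Audit helper: does any value in the merchant's records contain the given string?"""
    return any(needle in str(vars(r)) for r in merchant._requests.values())


if __name__ == "__main__":
    m = MerchantSystem()
    link = m.create_link("ORD-1001", 2500)        # constructed order: £25.00
    page = HostedPaymentPage(m)
    # Constructed test card details; they are typed on the hosted page, not read to the merchant.
    print("first use :", page.submit(link, "4111111111111111", "12/29", "123", True))
    print("second use:", page.submit(link, "4111111111111111", "12/29", "123", True))
    print("merchant holds PAN:", merchant_stores(m, "4111111111111111"))
```

The merchant's audit surface is the `PaymentRequest` dataclass: because it has no place to put card data, an attacker who compromises the merchant's order database gets order ids and amounts, not reusable card numbers, which is the scope reduction the paragraph refers to. The `status()` check inside `callback()` is what makes each link single-use, so a captured SMS cannot be replayed to complete a second payment against the same order.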
Such was the innovation behind the disruptive technology used by SOTpay that the Payment Card Industry Security Standards Council (PCI SSC) amended its global guidelines on Protecting Telephone Payments to include the approach. This is a source of great pride, and it has helped Gala Technology to join forces with some of the biggest payment organisations in the world.
With payment card and remote fraud continuing to rise in the digital age, it is vital that businesses protect themselves from liability and unnecessary expenditure, and help to fight the evolution of the crime by gaining PCI-DSS Compliance. SOTpay can become YOUR weapon with which to do it.