If you care about your supporters' card data, make sure you don't see it!

With more and more organisations appreciating the sensitivity of customer credit and debit card details, it won't be long before it becomes rare, and possibly unacceptable, to take a card number verbally over the phone.

And this seems more than obvious: what could be more insecure and open to fraud than an operator asking for your card details, often repeating them aloud in a busy call centre, writing them down to enter later, or storing them in a database? Each of those puts the full card number somewhere it can be overheard, copied or breached.

As a consumer, you may already have experienced the alternative: when donating or buying something over the telephone, the operator no longer asks for your card details but transfers you to an automated service. You key the number in on your phone's keypad, and the keypad (DTMF) tones are masked so that the operator never hears or sees the card number. That keeps cardholder data out of the call centre and out of the organisation's own systems, which is what reduces the opportunity for card fraud.

Not sure what we're talking about? Then this video explains it perfectly:

Here at QTS, we have just started offering this service to all our clients. You might recall from an earlier blog that we chose this particular service because it is fully PCI DSS compliant.

What does PCI DSS compliant mean?

PCI DSS is the worldwide Payment Card Industry Data Security Standard. It sets controls, enforced through the card brands and acquiring banks, on how organisations store, process and transmit the cardholder data they handle. Its requirements fall under six high-level goals:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Maintaining a vulnerability management programme
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy.

Why is PCI DSS important?

If your systems are PCI DSS compliant, your organisation meets the standard's baseline set of controls for keeping supporters' card data out of reach of anyone who could use it for illicit purposes. It is a baseline rather than a guarantee: it shows the agreed controls are in place, not that a breach cannot happen.

Reaching and maintaining PCI DSS compliance matters for any organisation that stores, processes or transmits card data, but it is far easier if you never hold the data at all. Every system, phone line and person that handles a card number is in scope, so keeping the number out of your environment shrinks that scope and significantly reduces the risk of your supporters being affected by a data breach. In short: if you don't need the data, don't store it, and better still, don't let it reach you.

How do we know if we are already compliant?

If you take card details over the phone, ask yourself these questions:

  • Can you ensure card data is never written down or entered into a separate application (a CRM note or spreadsheet, for example)?
  • Can you ensure no photographs or screenshots of transactional data are taken?
  • Can you ensure the DTMF tones a caller keys in are never played to employees?
  • Can you show where card details go, and who can see them, at every step of the call?

If you cannot answer yes to all of these questions, it is unlikely you are compliant today.

If we are not compliant, what might happen?

If you store card data, suffer a data breach and are not PCI DSS compliant, your acquiring bank may stop you accepting card payments, and you could also face fines for the loss of the data, which could be up to £50,000 per infringement.

You may also be liable for any fraud losses on the compromised cards and the cost of reissuing them. If a compromise is suspected, you will be required to engage a PCI Forensic Investigator (PFI) to establish the source of the breach and confirm that any compliance gaps are closed. A forensic investigation can cost thousands of pounds, and you will be liable for those costs if evidence of a compromise is found.

While the fines and other costs are considerable, the reputational damage could be worse still: supporters may lose confidence in your ability to protect their personal, business and card data.

How can we implement a PCI DSS system?

If you are not confident that your current system is fully compliant, there are many options on the open market. Several of them require significant investment in additional hardware and software, which then has to be maintained. That is why we opted to work with BCH Digital, who provide a simple bolt-on technology called Assist. It gives our clients maximum flexibility, requires no on-site hardware or phone system changes, and is an efficient way to collect donations. We can also tailor the message on the inbound phone number and personalise the number supporters dial, which makes the process feel more authentic to them. And you can test the process yourself to see how easy it is for a supporter to make a donation: get in touch and we will send you the instructions.

In summary, as John Hanson from our supplier BCH Digital says:

“I’m amazed that so many companies have invested so much time and resource into GDPR to protect customer data, and are still openly exposing themselves to even bigger security issues when taking credit/debit card payments over the phone! Surely amongst all the data that we acquire, nothing could be more sensitive than personal credit and debit card details?”

We are confident that this is the way forward for our clients taking credit and debit card payments over the telephone, and we think it’s only a matter of time before current insecure practices are outlawed. Want to find out more? We’d be happy to chat to you about it – drop us a line or give us a call to set up a no obligation meeting.

About the author: Ben Suffell
