How to Take a Payment Over the Phone?

A card-not-present (CNP) transaction occurs when a customer makes a purchase without physically presenting their payment card. Taking payments over the phone, often called Mail Order/Telephone Order (MOTO), provides flexibility and convenience for customers who cannot complete an in-person or online transaction. This method allows businesses to secure sales and deposits remotely. However, the business assumes the responsibility of securely capturing and processing sensitive financial information.

Essential Tools for Card Not Present Transactions

The fundamental technology supporting phone payments is the Virtual Terminal, a software application that allows a merchant to accept payment without the physical card. This tool is the online equivalent of a physical point-of-sale (POS) terminal, transforming any internet-enabled device into a payment processing interface. The staff member manually keys in the customer’s card details directly into the secure web page during the call.

The Virtual Terminal sits atop a Payment Gateway, which is the underlying system that facilitates communication between the merchant, the customer’s bank, and the merchant’s bank. This gateway handles the secure transmission of the card data to the payment processor for authorization. This structure is purpose-built for CNP transactions, ensuring the data is encrypted and sent securely once entered.

Ensuring Security and Compliance Requirements

Any business accepting credit card payments, including those over the phone, must adhere to the Payment Card Industry Data Security Standard (PCI DSS). This mandatory set of requirements was established by major card brands to protect cardholder data and prevent its misuse. Non-compliance can result in severe financial penalties and fines from banks and card networks.

A primary rule within PCI DSS is the strict prohibition against storing sensitive authentication data after authorization, including the Card Verification Value (CVV/CVC). This prohibition applies to all forms of storage, whether electronic, handwritten, or on call recordings. Merchants must also protect the Primary Account Number (PAN), or full card number, by rendering it unreadable if stored, typically through encryption or tokenization. Businesses must ensure all systems, including telephony environments and staff workstations, maintain appropriate security controls.
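The storage rule above can be enforced on free-text fields before they are saved. The following is an added example, not code from the original page: it scans a call note for card numbers (confirmed with the Luhn checksum) and for labelled CVV values. Truncating the PAN to its first six and last four digits is this example's choice; the regex patterns, function names and sample note are constructed assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Heuristic (assumption): a 3-4 digit value right after a CVV-style label.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security code)\b(\W{0,3})\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, blank the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str):
    """Return (clean_text, findings) so the caller can both store and alert."""
    findings = []

    def pan_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave untouched
        findings.append("PAN")
        return mask_pan(digits)

    def cvv_sub(m):
        findings.append("CVV")
        return f"{m.group(1)}{m.group(2)}[REMOVED]"

    text = CVV_RE.sub(cvv_sub, PAN_RE.sub(pan_sub, text))
    return text, findings


# Constructed sample: a test card number plus a 16-digit order reference.
SAMPLE_NOTE = ("Deposit taken by phone. Card 4111 1111 1111 1111 exp 12/27 "
               "cvv 123. Order ref 1234567890123456.")

if __name__ == "__main__":
    print(redact(SAMPLE_NOTE))
```

A non-empty findings list is worth logging as a policy violation in its own right, since it means card data reached a field it should never have been typed into.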

Step-by-Step Procedure for Taking Payment Details

The process of taking a payment over the phone requires a structured and consistent approach to ensure all required data is captured securely and accurately. The staff member should first confirm the total transaction amount and explain that they will be moving to the payment phase of the call. Using a standardized script helps ensure that all necessary information is collected in the correct order, which minimizes confusion and reduces the risk of errors.

The agent then systematically requests the necessary details for manual entry into the Virtual Terminal. This includes the customer’s card number, the card’s expiration date, and the Card Verification Value (CVV). To meet fraud prevention requirements, the agent must also collect the customer’s billing address, specifically the street number and the zip or postal code associated with the card.

As the customer provides the information, the agent should enter it directly into the Virtual Terminal rather than writing it down on paper, which leaves an unsecured copy of the card data. Clear communication is important, and the agent should repeat the details back to the customer to verify accuracy before submitting the transaction for processing. If the transaction is declined, the agent should handle the error professionally, perhaps confirming the details again, or suggesting an alternative card, without compromising customer service.

Minimizing Transaction Risk and Preventing Fraud

Card-not-present transactions inherently carry a higher risk of fraud and are statistically more susceptible to chargebacks compared to card-present transactions. To mitigate this heightened risk, merchants must utilize specific verification methods during the payment process. One primary tool is the Address Verification Service (AVS), which compares the numeric components of the billing address provided by the customer against the address on file with the card issuer.

When the merchant submits the payment request, the AVS check returns a response code indicating the degree of address matching, such as a full match, a partial match, or a mismatch. A full match provides a stronger indication that the person using the card is the legitimate cardholder, while a mismatch may prompt the merchant to decline the transaction or flag it for review. The second defense layer involves capturing the Card Verification Value (CVV), which is designed to prove that the customer has physical possession of the card.
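The AVS comparison and the follow-up decision can be modelled in a few lines. This is an added example, not code from the original page: the real comparison is performed by the card issuer, the letter codes (Y, A, Z, N for AVS; M, N for CVV) follow a common gateway convention and may differ on a given gateway, and the accept/review/decline policy and all addresses are constructed assumptions.

```python
import re


def street_number(street: str) -> str:
    """AVS uses only the numeric part of the street line, e.g. '742'."""
    m = re.match(r"\s*(\d+)", street)
    return m.group(1) if m else ""


def zip_digits(postal: str) -> str:
    """First five digits of the postal code (assumption: US-style ZIP)."""
    return re.sub(r"\D", "", postal)[:5]


def avs_code(given_street, given_zip, file_street, file_zip) -> str:
    """Simplified model of the issuer-side check described above."""
    num = street_number(given_street)
    street_ok = num != "" and num == street_number(file_street)
    zp = zip_digits(given_zip)
    zip_ok = zp != "" and zp == zip_digits(file_zip)
    if street_ok and zip_ok:
        return "Y"      # full match
    if street_ok:
        return "A"      # street number matches, ZIP does not
    if zip_ok:
        return "Z"      # ZIP matches, street number does not
    return "N"          # mismatch


def decide(avs: str, cvv: str) -> str:
    """Example merchant policy (assumption), combining both checks."""
    if cvv == "N":                  # CVV did not match
        return "decline"
    if avs == "Y" and cvv == "M":   # full address match and CVV match
        return "accept"
    if avs == "N":                  # address mismatch
        return "decline"
    return "review"                 # partial match or unchecked CVV


# Constructed sample: address on file with the issuer.
ON_FILE = ("742 Evergreen Ter.", "90210-1234")

if __name__ == "__main__":
    code = avs_code("742 Evergreen Terrace", "90210", *ON_FILE)
    print(code, decide(code, "M"))
```

Spelling differences in the street name do not affect the result, which is why the agent only needs the street number and postal code to be read back accurately.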

Financial liability for fraudulent charges in CNP transactions generally falls upon the merchant, unlike card-present transactions where liability often rests with the card issuer. This liability shift means that a fraudulent transaction resulting in a chargeback causes the merchant to lose the sale amount, any shipped product, and an additional chargeback fee. Implementing verification steps like AVS and CVV checks helps reduce the merchant’s exposure to these financial losses.

Post-Transaction Record Keeping and Confirmation

Once the Virtual Terminal confirms the transaction as successful, the agent must immediately communicate the outcome to the customer. Providing a transaction reference number during the call is a strong best practice, as it gives the customer an immediate identifier for their purchase. The business is then required to provide a formal transaction confirmation or receipt to the customer, typically sent via email or post.

The confirmation document should include the transaction amount, the date and time of the payment, and a clear description of the goods or services purchased. For internal purposes, the successful transaction should be logged in the business’s records, often within an Enterprise Resource Planning (ERP) or customer relationship management (CRM) system. The business must ensure that the short-term data retention rules mandated by PCI DSS are strictly followed.

Common Mistakes to Avoid

A frequent pitfall is the failure to consistently verify the customer’s billing address using AVS, which increases the likelihood of absorbing fraud losses and may result in higher processing fees.

Recording or storing the Card Verification Value (CVV) in any manner, including electronic databases, handwritten notes, or call recordings.
Permitting staff to write down or temporarily store full card numbers on unsecured items like sticky notes or scrap paper.
Using unsecured communication methods, such as texting or instant messaging, to request or send card numbers.
Processing transactions without adequate staff training on security protocols and the proper use of the Virtual Terminal.