Are you Taking Credit Card Details the Legal Way? 

best ip business phone system provider uk pci card details

Businesses that take card payments over the phone are required to adhere to the Payment Card Industry Data Security standard (PCI DSS) compliance regulations. Businesses that don’t may be liable for non-compliance fines, and may be forced to stop accepting payments by card.

PCI DSS was created to prevent credit card fraud in 2004. The legislation puts the responsibility for avoiding fraud onto the merchant. Therefore it is essential that businesses are following the regulations.

There are 4 different ‘merchant levels’ based on how many credit card transactions your organisation does per year.  These levels determine exactly what you must do to be compliant.  Regardless of your level, no business is exempt from PCI DSS regulations.

To be successful in fraudulent activities the perpetrator must have both the card number and the CV2 number, along with key information such as the name and full address. Because of this, it is advised that CV2 numbers are not recorded during calls.

For businesses that take credit card payments over the phone, this has historically proved a difficult task, especially for companies that use call recording. Most businesses use one of the following solutions.

  • Pause and resume the phone call recording while the customer gives their credit card details
  • Mute or mask the CV2 number
  • Use keypad payments, in which card details are entered into the keypad, therefore there is no need to pause the phone call at any point

Unfortunately, methods one and two are not entirely reliable. Most of these types of solutions rely on the agent pausing or muting the audio (or the call recording), and as with any manual activity there is always the risk of human error.

The third option is the most secure, and VTSL partner, Syntec, offer a simple and effective solution for businesses wishing to go this route. The CardEasy service, which is available to all VTSL customers, captures the card number and CV2 entered by the customer using their telephone keypad, with the agent remaining in conversation throughout. CardEasy automatically blocks the audio in the direction of the agent for the middle six digits of the card number and the CV2, which prevents your agents and call recording system from capturing these sensitive details should the customer read them out as they are entering them using their telephone keypad.

This data is then conveyed to the Syntec CardEasy Core that collates this information and forwards it to the PSP for processing, returning the result to the agent.

With the upcoming General Data Protection Regulation taking effect next month, ensuring credit card details are secure is of paramount importance.  Not only will businesses be breaching the PCI regulation if details are hacked, but they will also be liable for data loss under GDPR.


About VTSL

VTSL is a leading provider of business telephony to organisations across the UK and Ireland.  VTSL’s hosted VoIP business phone service offers organisations a powerful, easy to use telephony system that they can control, all at a low per user cost. With integrations for CRM systems, web browsers, mobiles and more, VTSL’s technology can bring your business to the forefront of communications technology and empower your staff to do more.  Get a free quote or consultation today by calling 020 7078 3200 or emailing


Topics: Telecoms, Industry News