Most of us are so comfortable making payments over the Internet that we barely think twice about the security implications. But the same can’t be said of transactions made over the phone.
Why is that? They’re both card-not-present payments, and you’re essentially doing the same thing: providing your card details to an organisation.
The only difference is that, over the telephone, you speak to and hear the person processing your transaction. Surely that’s more secure than typing your details into an online form?
The answer is ‘sort of’.
Risks of telephone payments
There are security risks with almost every business process, and the danger is exacerbated whenever financial information is involved.
However, the most significant threats related to telephone payments aren’t criminal hackers but the person on the other end of the line. Sure, a fraudster could bug a telephone line and copy card details, but that’s much less effective than breaking into databases, so almost no one does it.
Fraud is far more likely to occur as a result of staff misusing information. Unlike online payments, which are often automatic with the details rarely seen by humans, those in charge of taking phone payments not only see the payment card details but also write them down – and they may be tempted to keep their own personal copy of those records.
Most employees wouldn’t risk their job to commit fraud, particularly given that investigators could quickly link their organisation to the crime, but you should never underestimate insider threats.
According to Ponemon Institute’s 2018 Cost of Insider Threats, more than one in five security incidents were caused by malicious insiders. After all, it only takes one rogue employee abusing the system for a breach to occur.
The threat is even more substantial when there is no documented evidence of who took the phone call and processed the transaction. Although many organisations appoint someone dedicated to handling card payments, there is often a casual policy where any available employee can do it.
That makes it simple for an employee to pick up the phone, take the payment card details and deny having spoken to the customer. There’s no proof that the exchange took place, and the organisation wouldn’t know who to blame.
Employees make mistakes
Organisations also need to watch out for accidental breaches when processing payments over the phone. Employees often write the payment details on paper, which could be used to commit fraud if improperly disposed of.
This could occur in many ways. The employee might leave the paper sitting on a desk for anyone to see, or throw it away, where it could be recovered by cleaners, employees rooting around in the bin, or anyone else who finds it after it’s left your premises.
How significant is the threat of telephone payment fraud?
The risks we’ve outlined in this blog are serious enough for organisations and individuals to be concerned, but the danger can be mitigated with appropriate processes and policies, which are outlined in the PCI DSS (Payment Card Industry Data Security Standard).
The Standard is designed to reduce fraud and ensure card payments are processed securely. It applies to all organisations that accept card payments – be it online, in person or over the phone – and outlines the steps that must be taken when storing, transmitting or processing cardholder data.
The PCI DSS contains 12 core requirements that span technological solutions, processes, policies and staff awareness requirements. When these are fully implemented, organisations will be able to:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management programme;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Maintain an information security policy.
Become a PCI DSS expert
Our PCI DSS Online Course explains everything your staff needs to know to stay secure. It’s designed for all employees, not just those with a cyber security background, and provides simple explanations of the way the Standard works and how employees can meet its requirements.