So-called “card not present” shopping activity has been on the rise in recent years, as more people shop over the internet and phone. Such transactions, where you don’t need to physically swipe your credit card, grew 55 percent in the second quarter of 2021, from 2019 levels, according to card network Visa.

As consumers become more used to these transactions, they’ve given rise to various concerns. For instance, reader Gordon writes, “I understand that when I pay for something online with a credit card, that information is often stored (regardless of whether it should or shouldn’t be). What about if I give my credit card information over the phone? It seems like this makes it more difficult for the company to store my information. Is my reasoning correct?”

Phone sales are risky for merchants

Phone sales present some risks for merchants. In fact, according to Visa, instances of fraud related to card-not-present transactions were four times the level for transactions in which physical cards were used, leading to losses of $6.4 billion in 2021. That’s why merchants pay more in swipe fees for card-not-present transactions.

Considering this risk, and also because they can’t see your card, merchants involved in phone transactions will ask you for card details.

For instance, they will want to know:

  • Your full credit card number
  • Your name as it appears on the card
  • The card’s CVV (card verification value) or security code
  • The expiration date on the card
  • Your billing address with zip code
  • Your phone number

They may even ask for information that would be on a driver’s license, such as your date of birth and license number.

In spite of the risks of card-not-present transactions, merchants continue to conduct business over the phone, mainly because it also offers some benefits. For instance, some customers might prefer to conduct business with a human who can answer their questions. And some businesses may not have a physical storefront to conduct business.

Security standards for credit card transactions over the phone

While you don’t have to swipe your card when you make purchases over the phone, they differ from online purchases in that you are conducting the transaction with a human agent. There is a possibility that the agent could compromise the data, or that it could be intercepted by a third person while you are on the call. That’s why the calls should be conducted over secure networks.

Major card issuers have set up the Payment Card Industry Security Standards Council, which maintains a Data Security Standard (PCI DSS) governing how merchants should handle the card information they receive from customers. The PCI DSS also lays out how to protect information gathered through phone-based transactions.

The PCI standard says that merchants should not retain your card’s CVV or other sensitive authentication data after use (unless a government regulation supersedes the PCI standard). Also, where storing your full primary account number is necessary, they shouldn’t do so without adequate protections (such as making sure it cannot be read). They can store other input such as your name and the card’s expiration date.

Guidelines for recordings

The standard says that merchants should not record sensitive details you give them over the phone. If a call is being recorded while you deal with an agent, as it might be for customer service purposes, the recording should be paused while they gather that input. This precaution would prevent any interception by a third party that searches a recording. Another way to prevent recording would be to input the details on the phone’s keypad.

In case the recording cannot be paused while you are providing sensitive card authentication information, the agent should delete the information after the transaction is authorized. If the information cannot be erased, the merchant should have adequate security protections in place to ensure that outsiders cannot search for and retrieve this sensitive information.

For instance, they should only allow essential personnel access to the data and the information should be encrypted or otherwise rendered unreadable.
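The two rules above, keep only what PCI DSS allows after authorization and scrub card details from any recording that could not be paused, are illustrated by the following added example. It is not code from the article or from the PCI Security Standards Council; the record layout, the field names and the sample transcript are constructed for illustration, and the masking format (first six and last four digits visible) is one common way of rendering a PAN unreadable, used here as an assumption rather than as a requirement quoted from the standard.

```python
import re

# Constructed sample of what a phone agent might capture for one order.
# Only the fields the article names as storable (name, expiration date)
# plus non-card order data survive into the stored record.
SAMPLE_CAPTURE = {
    "name": "Jane Example",
    "pan": "4111 1111 1111 1111",   # well-known test card number, not a real account
    "expiry": "09/27",
    "cvv": "123",                   # sensitive authentication data: never stored
    "billing_zip": "28203",
    "auth_code": "A1B2C3",
}

# Constructed transcript of a call where the recording could not be paused.
SAMPLE_TRANSCRIPT = (
    "Agent: may I have the card number? "
    "Caller: 4111 1111 1111 1111, expiry 09/27, CVV 123. "
    "Agent: thanks, order 20210455 is authorized."
)

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A 3 or 4 digit code within 20 non-digit characters after a security-code keyword.
CVV_PATTERN = re.compile(r"(?i)(cvv|cvc|security code)(\D{0,20})\d{3,4}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to avoid redacting long order or phone numbers that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN unreadable by keeping only the first six and last four digits (assumed format)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def storable_record(captured: dict, keep_pan: bool = False) -> dict:
    """Build the record a merchant may retain after authorization.

    The CVV is deliberately never copied. The PAN is included only when the
    business actually needs it, and then only in masked form.
    """
    record = {
        "name": captured["name"],
        "expiry": captured["expiry"],
        "billing_zip": captured.get("billing_zip"),
        "auth_code": captured.get("auth_code"),
    }
    if keep_pan:
        record["pan_masked"] = mask_pan(captured["pan"])
    return record


def redact_transcript(text: str) -> str:
    """Remove card numbers and security codes from a call recording transcript."""
    def replace_pan(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "[PAN REDACTED]" if luhn_valid(digits) else match.group(0)

    text = PAN_PATTERN.sub(replace_pan, text)
    return CVV_PATTERN.sub(r"\1\2[CVV REDACTED]", text)


if __name__ == "__main__":
    print(storable_record(SAMPLE_CAPTURE, keep_pan=True))
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```

The Luhn check matters in the transcript case: long order or phone numbers in an agent's notes should not be blanked out, while a genuine card number always passes the checksum and is removed.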

The bottom line

Card-not-present transactions have gained popularity during the pandemic as home-confined consumers had no other choice. The card industry has security standards on how merchants should deal with the input they collect over the phone so that customer security is not compromised.

Gordon, the standard prohibits the storing of authentication data and limits the storing of other card data. However, phone calls can be recorded, and your data can be stored if it is essential. Merchants should have adequate protections for stored data to be compliant with the Payment Card Industry standard. In such transactions, it seems you are more at risk from a rogue agent writing down your card details than from the handling of your stored data.

Contact me at pthangavelu@redventures.com with your credit card-related questions.