From Accepting Credit Cards Over the Phone to Virtual Terminals: Ensuring PCI Compliance and Reducing Risks

Having staff accept credit card payments over the phone can be a convenient option for businesses and organizations, but it also brings specific security obligations under the Payment Card Industry Data Security Standard (PCI DSS). For organizations that manually key customer card data into a virtual terminal (VT), compliance is not just a matter of using a PCI-compliant virtual terminal or card-entry application; it begins well before the card number is typed in. Let's look at what PCI DSS requires for handling these transactions, particularly under Self-Assessment Questionnaire (SAQ) C-VT, and at some alternatives that can reduce your PCI compliance burden.

Your Responsibilities Start Before the Virtual Terminal

Even if you use a PCI-compliant application to process payments, your compliance obligations begin the moment a card number is read to you over the phone. Handling card data verbally presents risks such as:

  • Accidental recording or storage of cardholder data, particularly if calls are recorded for quality or customer-service purposes.
  • Human error and data exposure, where card details are written down on paper or typed into a note field, or are overheard by unauthorized individuals.
  • Compromise of the device on which the card data is keyed in, if that computer or device is not protected against malware or unauthorized access.

These factors mean that businesses must enforce strict security controls throughout the process, even before reaching the stage of entering data into a virtual terminal, billing system, or CRM tool.

If your staff accept card information over the phone and key it into a virtual terminal or payment software interface, you must comply with PCI DSS and, provided your environment meets its eligibility criteria, complete Self-Assessment Questionnaire C-VT, where "VT" stands for Virtual Terminal.

Understanding Self-Assessment Questionnaire (SAQ) C-VT: What Does It Cover?

SAQ C-VT is designed for organizations that process card payments through a virtual terminal accessed from an internet-connected computer. It applies where employees manually enter cardholder data into a virtual terminal that is provided and hosted by a PCI DSS validated third-party service provider, on a computer that is isolated from the rest of your environment and does not store cardholder data electronically. The same manual-entry scenario arises when staff key card details into a billing system, CRM, or web application that integrates with the payment processor or gateway; these platforms let employees input and process payments through a connected system. Whether SAQ C-VT still applies in that case depends on who built, hosts and manages the application the card number is entered into: if cardholder data passes through software that you build or manage before it reaches the gateway, a different SAQ (typically SAQ C or SAQ D) may apply instead.

While the virtual terminal and related applications may be provided by a reputable, PCI-compliant payment processor, it’s important to understand that compliance doesn’t stop there. The responsibility for protecting sensitive cardholder information begins the moment it is collected. Whether your staff is entering data directly into a virtual terminal or using a billing or CRM tool that links to the payment gateway, you are responsible for ensuring that all processes, systems, and handling methods are secure.

According to SAQ C-VT, your responsibilities include, but are not limited to:

  1. Card Collection by Staff: Staff may take card details over the phone but must never write them down, type them into a note field, or store them anywhere once the payment has been processed.
  2. Card Data Entry into the Virtual Terminal: Each employee must log in to the payment system with their own username and password, never a shared account. Multi-factor authentication (for example, a one-time code sent to the employee's phone) may also be required. Payments must always be processed over a secure connection (the web address begins with "https" and the browser shows no certificate warning).
  3. Requirements for the Computing Environment: Computers used to take payments must run up-to-date anti-malware software with a firewall enabled, must be patched regularly, and must be used only for payment processing, with no web browsing, e-mail, or other activities.
  4. Physical Security of the Location: Computers used to enter card details must be in a secure area that only authorized employees can access. Any paper receipts or documents containing card details must be stored securely or shredded immediately.
  5. Network and Internet Requirements: The internet connection used for payments must be secure. If Wi-Fi is used, it must be protected with strong encryption (WPA2 or WPA3) and a strong passphrase, and be accessible only to authorized staff.
  6. Regular Maintenance and Monitoring: Software updates and security checks are required on an ongoing basis to keep the payment systems safe. Transaction and access logs must be reviewed regularly to spot unusual activity.
  7. Prohibited Practices:
  • Staff must never store sensitive authentication data (such as CVV codes) after the payment is completed. Always use secure connections for processing payments and follow company and PCI security policies.
  • Never prompt callers to leave their credit card information in your voicemail.
  • Calls must never be recorded, especially while card data is being obtained; if your phone system records calls for other purposes, recording must be paused before the card details are taken.
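The log review in item 6 and the storage prohibitions in items 1 and 7 imply a check that is worth automating: scanning the free-text places card data tends to leak when staff take payments by phone (CRM note fields, ticket comments, application logs, call transcripts) for card numbers and labelled CVV codes that should never have been written down. The script below is an added example, not code from the original article or from any vendor it mentions. The record names and sample notes are constructed; the card numbers are the standard Visa and Mastercard test numbers, not real cards.

```python
"""Cardholder-data discovery scan for free-text records (added example).

Finds PANs (validated with the Luhn check) and labelled card verification
codes in CRM notes, ticket comments or log lines, and reports each PAN in
masked form so the report does not become a new store of card data."""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes. The lookarounds stop a match from starting or ending inside a
# longer digit run such as an account number or a timestamp.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be retained after
# authorization: a card verification code labelled as such in the text.
CVV_LABELLED = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security\s*code)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every payment card number passes. It rejects most
    random digit runs that merely look like a PAN (order numbers, tracking
    numbers), which keeps the scan's false positives low."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows
    to be displayed, so a finding can go into a ticket without re-leaking
    the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    record_id: str
    kind: str      # "PAN" or "CVV"
    evidence: str  # already masked or redacted; safe to report


def scan_record(record_id: str, text: str) -> list[Finding]:
    """Return every Luhn-valid PAN and every labelled CVV found in one record."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(record_id, "PAN", mask_pan(digits)))
    for _ in CVV_LABELLED.finditer(text):
        # Never copy the code itself into the report; its presence is the finding.
        findings.append(Finding(record_id, "CVV", "labelled verification code present"))
    return findings


def scan_records(records: dict[str, str]) -> list[Finding]:
    """Scan a mapping of record id -> free text (e.g. a CRM notes export)."""
    return [f for rid, text in records.items() for f in scan_record(rid, text)]


# Constructed sample CRM notes (hypothetical record ids). The card numbers
# are the standard Visa and Mastercard test numbers, not real cards.
SAMPLE_RECORDS = {
    "note-1001": "Caller paid by phone, card 4111 1111 1111 1111 exp 12/27, cvv 123. Will call back.",
    "note-1002": "Tracking number 1234567890123456 shipped today.",  # 16 digits but fails Luhn
    "note-1003": "Payment processed via VT, auth code 7F3A21, last4 4444.",
    "note-1004": "Customer read out 5555-5555-5555-4444; entered in CRM instead of the VT.",
}

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}: {f.kind} -> {f.evidence}")
```

Run it against an export of the note fields, the log directory, or call transcripts rather than the sample dictionary. The Luhn check is what makes the scan usable: a bare 16-digit regex would flag note-1002's tracking number, whereas only note-1001 and note-1004 contain real card-shaped values, and note-1001 is the more serious finding because a CVV was written down alongside the PAN.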

Alternatives to Staff Handled Phone Payments: Moving Toward SAQ A Compliance

One way to reduce your compliance burden is to limit or eliminate the need for your staff to handle card data manually. This can help you qualify for the simpler Self-Assessment Questionnaire (SAQ) A, which has far fewer requirements because it applies to card-not-present environments in which the business never handles or stores cardholder data itself and all cardholder data functions are outsourced to a PCI DSS validated service provider. Interactive Voice Response (IVR) is one such alternative: customers can still pay by phone, the channel of their choice, while your staff are removed from handling any card information, which reduces your PCI scope.

Interactive Voice Response (IVR) Payments

  1. An IVR payment system lets customers enter their payment information securely on their phone keypad. Because the card data goes directly to your payment processor or gateway without passing through your staff or your systems, it significantly reduces your PCI scope.
  2. By using a PCI-compliant IVR payment system hosted and managed by a PCI DSS validated service provider, you can avoid the more complex SAQ C-VT and instead qualify for SAQ A, which covers environments where cardholder data is never stored or handled directly by the business.

While accepting credit card payments over the phone and entering them into a virtual terminal is a common practice, it comes with considerable compliance obligations under PCI DSS. If your staff handles payments over the phone, it’s crucial to secure cardholder data from the moment it is collected through to processing. However, by implementing secure alternatives like IVR payment systems, you can greatly reduce compliance risks and better safeguard sensitive customer data—freeing up your resources to focus on your core business activities.

Save hours, even days, with our complimentary PCI Scope Discovery & SAQ Wizard. In a 15-30 minute session we help you understand your PCI scope, identify the exact Self-Assessment Questionnaires (SAQs) your business needs, and demystify the PCI paperwork. Book a complimentary session to find out what you will receive.
