Retailers beware – telephone card payment fraud a ticking time bomb
Written by Chris Harris on June 1, 2020
Covid-19 has changed the way business is done and how payments are taken. Many business owners have had to move their business from face-to-face to online and over the phone, and some business owners and employees are now working from home. Card data is personal data and, regardless of Covid-19, must be kept secure.
This is difficult to do in normal times and even more so in a home working environment. It is also critical that, if payments are taken over the phone, the business can hold onto the payment afterwards.
When a business or merchant wants to take telephone payments, it will normally be told either to key the card data into a terminal/card reader or to consider a ‘virtual terminal’. A virtual terminal is a web-based application into which the merchant manually keys the customer's card data as the cardholder provides it verbally. However, telephone payments processed in this way are not protected for the merchant in the same way that face-to-face Chip & PIN and e-commerce payments are protected.
When a payment is made in a face-to-face environment, the cardholder authenticates the payment with a PIN – something the cardholder knows. Similarly, when paying on the internet, as well as entering the card number, the cardholder enters the expiry date and the 3 digits from the back of the card into the browser, and enters the requested 3 digits of their password – something they know.
In a telephone payment, however, the cardholder cannot be authenticated, so it is classed as a non-secure payment. Consequently, liability for any fraud lies with the merchant, regardless of whether the payment was authorised when originally processed. Because authentication is not required, the card data from a telephone payment is very valuable to fraudsters. In the current climate, telephone payments will become more of a magnet for fraud.
A better solution for business is ‘Pay By Link’. In this scenario, instead of the business taking the card information from the cardholder and keying it into a terminal or virtual terminal, the cardholder is sent a link to the acquirer and enters the card data onto the acquirer's hosted payment page, keeping all card data out of the merchant environment. Using this method of payment also facilitates authentication of the cardholder, securing the card data for the merchant and moving the liability for any fraud from the merchant back to the card issuer.
This means the business can provide goods and services confident of being able to hold onto the payment, eliminating fraud-related chargebacks to the retailer.
If you are worried about the potential impact on local businesses and organisations, advice can be found here, or you can tune in to Adrian Pryce on Open4Business, every Tuesday evening 7-9PM.