MoMo Productions/Getty Images
Key takeaways
- Credit card payments made over the phone or internet are classified as “card- not-present” (CNP) payments.
- CNP payments come with more fraud risk for both merchants and consumers.
- Businesses who follow PCI data security guidelines should have systems in place to help protect consumers’ card data.
- Paying over the phone with a credit card is generally safe, provided you take certain precautions.
By 2027, worldwide e-commerce sales are expected to reach $7.96 billion — an increase of about 61 percent over e-commerce sales since 2021, according to a 2024 report from eMarketer. As this trend of internet and phone shopping keeps growing, so-called “card-not-present” (CNP) shopping activity (which are transactions where you don’t physically swipe your credit card) continues to grow with it.
Although consumers are becoming more comfortable with these types of transactions, there are still various concerns to consider. For instance, whenever you make a credit card purchase online, certain types of data are stored. But is it safe to give your credit card number over the phone? While it may make it more difficult for a company to store your information, how is that information actually handled?
Phone sales are risky for merchants
Phone and internet sales present more risk for merchants than sales where a card can be physically swiped. In fact, eMarketer expected CNP transactions to account for 73 percent of all credit card fraud losses (totaling $9.49 billion) in 2023. That’s why merchants pay more in swipe fees to accept card-not-present transactions.
Considering this risk, and also because they can’t see your card, merchants involved in phone transactions are likely to ask you for card details when completing a transaction. For instance, they may want to know:
- Your full credit card number
- Your name as it appears on the card
- The card’s CVV (card verification value) or security code
- The expiration date on the card
- Your billing address with zip code
- Your phone number
They may even ask for information that would be on a driver’s license, such as your date of birth and license number.
In spite of the risks of card-not-present transactions, merchants continue to conduct business over the phone — mainly because it also offers some benefits. For instance, some customers might prefer to conduct business with a human who can answer their questions, while others may not have a physical storefront to conduct business.
Security standards for credit card transactions over the phone
While paying over the phone with a credit card means you won’t physically swipe your card, these purchases differ from in-person and online purchases in other ways, as well. For starters, you are conducting the transaction with a human agent — which leads to some additional security concerns. There is a possibility that the agent could compromise your data, either intentionally or unintentionally, or your data could be intercepted by a third person while you are on the call. That’s why the calls should always be conducted over secure networks.
Major card issuers have set up the Payment Card Industry Security Standards Council that maintains a Data Security Standard (PCI DSS) governing how merchants should deal with customers’ card information that they receive. The PCI DSS also lays out how to protect information gathered through phone-based transactions.
The PCI standard says that merchants should not retain your card’s CVV or other sensitive authentication data after use (unless there’s any government regulation that supersedes the PCI standard). Also, whenever possible, they shouldn’t store your full primary account number. If storing your full number is necessary, businesses should not store it without taking adequate protections (such as making sure it cannot be read). They can store other input such as your name and the card’s expiration date.
Guidelines for recordings
The PCI standard says that merchants should not record sensitive details you give them over the phone. If a call is being recorded while you deal with an agent, as it might be for customer service purposes, the recording should be paused while they gather that input. This precaution would prevent any interception by a third party that searches a recording. Another way to prevent recording would be to input the details on the phone’s keypad.
In case the recording cannot be paused while you are providing sensitive card authentication information, the agent should delete the information after the transaction is authorized. If the information cannot be erased, the merchant should have adequate security protections in place to ensure that outsiders cannot search for and retrieve this sensitive information.
For instance, they should only allow essential personnel access to the data and the information should be encrypted or otherwise rendered unreadable.
How to protect yourself
Having your credit card information stolen isn’t just annoying, it can also be dangerous. Although not all instances of credit card fraud can be prevented, here are some tips for keeping your card details safe while making over-the-phone transactions:
- Ensure you’re dealing with a legitimate company. Prior to making a credit card payment over the phone, be sure that you’re dealing with a reputable business. Get recommendations from friends and family, visit the company’s website and read online reviews about the company prior to engaging in a transaction.
- Only provide your card details if you called them. Never make a credit card payment over the phone if a company calls you unexpectedly. Scammers attempt to steal your personal information by calling you and posing as a legitimate business. Once you’re ready to make a purchase, be sure that you call the company directly. Should you receive a call from a company that you’re considering doing business with, ask to call them back on at a phone number that you have confirmed is legitimate.
- Use a credit card when paying over the phone, not a debit card. In general, credit cards offer much better fraud protections than debit cards. Although debit cards offer some protections (depending on when you report the fraud), you will likely still be liable for some — if not all — of the fraudulent charges made on your debit card. Most credit cards offer “zero liability” protection, which makes them safer for payments made over the phone.
- Confirm the amount of the charge and get a confirmation number. Before you get off the line, be sure you double-check how much you’re being charged by the vendor. Write down the amount of the charge and your confirmation number. Store them both in a safe place in case you need it later.
- Monitor your account for fraudulent charges. As always, it’s important that you regularly check your credit card accounts for fraudulent charges. If you see any suspicious activity, be sure to report it to your card issuer immediately.
- Consider using an identity theft protection service. In addition to signing up for account alerts from your issuer, consider using an identity theft protection service. These services monitor your personal information and help protect you from fraudulent activity. Many of them also provide identity theft insurance and other assistance in the event your information is stolen by criminals.
The bottom line
As internet and phone shopping becomes increasingly popular, card-not-present transactions have also grown. Unfortunately, that increases security concerns for consumers, as well.
So, is it safe to give your credit card number over the phone? The card industry has security standards on how merchants should deal with the information they collect over the phone so that customer security is not compromised. This standard prohibits the storing of authentication data and limits the storing of other card data.
With that in mind, phone calls can be recorded, and your data can be stored if it is essential. Merchants should have adequate protections for stored data in order to stay compliant with the Payment Card Industry standard. In such transactions, it seems you are more at risk from a rogue agent writing down your card details than the safety of your stored data.
Read the full article here