- January 27, 2023
- Posted by: Gradeon
- Category: Compliance
Concerns over cyber-security in general and consumer protection, in particular, have never been far from the minds of governments, regulators, tech companies and consumer businesses. As the technology that powers e-commerce has become gradually more sophisticated, so too has the skill and ambition of cyber-criminals. Online thieves see every new protection as a challenge to their abilities which is almost their duty to circumvent. Taking credit or debit card payments over the phone is a major focus for those who work to reinforce and improve consumer protection.
Unfortunately, cyber-criminals are clever, resourceful and relentless. Every time the e-commerce industry appears to have plugged every conceivable hole in its infrastructure, efforts to create new ones are redoubled. For this reason, we have seen a proliferation of regulatory measures introduced which are not designed to give direct protection to consumers but to ensure that businesses adhere to the very best practices in providing that protection themselves. There is, of course, a collection of big sticks to make companies conform, but there is also the carrot of an unblemished reputation which is the reward for perfect compliance.
This is especially true when it comes to card payments by phone, which still accounts for a large proportion of remote transactions. We will look at four significant regulations, not all of which have the force of law but which are, for all practical purposes, mandatory. We will also consider the general provisions of consumer rights in relation to telephone card payments.
PCI DSS
The abbreviation stands for Payment Card Industry Data Security Standard, and it was introduced by the card industry as a voluntary scheme to which every card company signed up. Previously different companies had their policies, so this harmonisation brought a welcome simplicity.
As technology has improved the security of card-present transactions with innovations such as EMV chip cards, criminals are turning to card-not-present (CNP) channels, of which one of the most commonly used is the telephone.
The part of the standard that applies to card payments made over the phone deals with CNP fraud. A criminal needs only the primary account number (PAN), cardholder name, expiry date and in some cases, though not all, the 3-digit card verification code to gain access to a personal bank account. These are all details a consumer is required to give when making a telephone payment. Their delivery address is another piece of information handed over, but this is not quite so crucial to most criminals.
Every merchant taking payment by phone needs a merchant account and a virtual terminal. The terminal is essentially a webpage or link into which the customer’s financial information is input. This was designed as a secure method of collecting and processing data, but the very nature of telephone communication means there are vulnerabilities in this means of payment.
Firstly there is the possibility that the call has been hacked by a criminal who can simply harvest the information they need. Secondly, there is the chance that the conversation might be overheard in a busy call centre. Thirdly the call handler might use the information illegally for themselves. Then there are the risks involved in recording the information and someone being able to access those records.
Under the PCI DSS, call handlers should not repeat a customer’s information for verification as that could constitute illegally sharing the information with anyone in earshot. Neither should they write any of it down unless absolutely essential, in which case the paper it is written on must be destroyed immediately after the information has been processed.
Many companies routinely record customer phone calls, usually for training and performance monitoring purposes. However, recording a caller’s financial information is in violation of the PCI DSS guidelines, so a call handler is obliged to mute or pause the recording when the information is being conveyed so that it is kept out of the audio record.
An alternative form of the virtual terminal was developed, which now forms part of the Gradeon offer, and this enables the customer to use their telephone keypad to enter their details rather than reading them out to a call handler. From the moment of entry, they are encrypted and never in the hands of the merchant. They pass directly to the payment processing service. This does not fully address the possibility of a criminal capturing the audio-signalling that this process employs and converting it into intelligible material. However, improved phone line security is reducing this hazard.
It’s also worth considering which types of business are caught by the PCI DSS regime. An e-commerce company which uses in-house call handlers is obliged to follow the guidelines for conducting calls. An external call-handling service is similarly covered. In fact, much of the force of PCI DSS falls on service providers who process, store and transmit personal financial information, which is why they represent such an effective solution for online retailers. Gradeon offers providers in which adherence to regulations and routine encryption are inherent features of the service and can satisfy all the compliance issues of its clients.
GDPR
This is a regulation introduced by the EU. Even though the UK has withdrawn from the Union, the General Data Protection Regulation affects every business that trades to any extent with customers or companies based in an EU country.
The seven principles of the GDPR require personal data to be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…(‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate…are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed… (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality).
Lastly, the controller of the data storage system is responsible for and must be able to demonstrate compliance with the requirement of accountability. This seventh point makes it clear that not only must you be compliant, but you must be seen to be compliant.
The GDPR has a much wider application than PCI DSS because the latter is concerned with the protection and security of Mail Order and Telephone Order (MOTO) payments. The GDPR covers all forms of data handling, but of course, telephone payments fall well within this.
The regulation applies to some extent to every business, although it is more stringent with regard to large companies and corporations. If your business has fewer than 250 employees, then you are not required to keep records of your processing activities except under certain conditions. These include potential risks to the rights and freedoms of individuals as well as data which may be connected with criminal offences.
If your business contravenes any of the basic principles of the GDPR, you could face severe fines. In extreme cases, these could be as high as £17.5 million or 4% of your worldwide annual turnover.
CCPA
You could be forgiven for assuming that the California Consumer Privacy Act has little relevance to businesses operating in other markets, but its immediate effect and long-term influence are both significant.
There are three ways in which a business could be covered by its provisions:
1. Your business buys, receives or sells the personal information of more than 50,000 California residents in a year.
2. Your gross annual revenue is $25 million or more.
3. More than 50 per cent of your annual revenue comes from selling the personal information of California residents.
Sale of information is defined extremely widely as virtually any form of disclosure, transmission or sharing, provided that it is in return for some payment. If your company shares a name, trademark or brand with a company which is liable under the CCPA, then you are liable too.
Consumer rights under the act include the right to opt-out, the right to see what data you hold and the right to have their data deleted. If you fail to comply, you could be liable to a fine of $7,500 per violation and $750 for each affected user.
If the CCPA applies to your business, your website must make it clear in advance exactly what information you will collect and why. You must provide an opt-out link from the sale of their information and, for users under 16, an opt-in link. For those under 13s, parents or guardians must opt in for them.
Your site is required to carry a privacy policy which must always be kept up to date, and if you receive a disclosure request from a consumer, you are obliged to provide, free of charge, details of everything about them that you have collected in the past 12 months.
If you still think this doesn’t affect you, bear in mind that California is itself the world’s fifth-largest economy, ahead of the UK and India. It isn’t hard to imagine the state becoming a large part of your market. Furthermore, the CCPA is the first legislation of its kind in the USA, and it is highly likely that other states will follow its example, with similar restrictions soon covering most of North America.
PSD2
In 2007, the EU introduced the Payment Service Providers Directive (PSD) to promote innovation, competition and efficiency in the single payment market of the Union. PSD2 originated in a 2013 amendment designed to improve consumer protection, boost competition and enhance security in the payments market.
PSD2 is relevant to Third Party Payment Services Providers (TPPs) and those businesses that use them. The regulation recognises two types, Payment Initiation Services (PIS) and Account Information Services (AIS). For our purposes, it is PIS which is important.
These are services which provide a bridge between the accounts of the consumer and the merchant. They collect the payment information, make the transfer and inform the retailer that the transaction has been concluded.
PIS companies have to comply with the same rules as traditional payment services, which are registration, authorisation and supervision by competent authorities. PSD2 also introduces a new security requirement called Strong Customer Authentication (SCA) which uses two-factor authentication for a much wider range of financial operations. Consumers will notice these changes when they make online purchases.
You need to be certain that your TPP fulfils all its obligations under PSD2, even though it doesn’t apply directly to your business. The security features mandated by the directive are important protections for your customers and enhance your reputation as a safe, responsible enterprise.
Consumer Rights
The types of protection given to consumers under UK law are not always well known, and they are not straightforward. They are codified in the Consumer Rights Act 2015.
If someone pays for an item over the phone using a credit card, debit card, or a payment provider, then they are entitled to ask for a refund in three circumstances:
1. They did not receive the item. You aren’t required to prove non-receipt partly because the law recognises it’s impossible to prove a negative.
2. The item was broken or faulty.
3. The item did not conform to its description.
Many retailers will offer refunds in other circumstances, such as if the customer changes their mind or the item arrived too late for its purpose, but this is discretionary and in addition to the statutory rights.
If the customer paid via a TTP, they should open a dispute with them and will usually find their problem resolved smoothly.
If they paid with a credit card, they might need to use Section 75 of the Consumer Credit Act if the single item value is between £100 and £30,000.
If they paid with a debit card, they’d need to use the chargeback option, which many providers call a ‘disputed transaction’.
Claims that continue to be disputed can be taken to the Financial Ombudsman Service.
Ultimately, it is in your interest to have satisfied customers, even if, for some reason, they didn’t receive or weren’t happy with their purchase. The cost of compensating them is much lower than the damage that could be inflicted on your reputation. Many years ago, businesses might have taken the gamble that disgruntled customers wouldn’t get their case broadcast on TV’s Watchdog or Radio’s You and Yours. In the age of social media, bad reviews materialise at the click of a button.
Not only do you need to know how all these regulations, laws and directives affect how you do business, but you also need to remember to put the customer first.