MOTO payments and PCI compliance: in-scope vs descope

MOTO payments continue to be an essential piece of the card payment landscape, with around half a billion MOTO payments processed in the UK each year. For many businesses, particularly retailers and food outlets, MOTO payments offer an essential alternative to online channels, enabling more customers to access their products and services. Despite the continued reliance on this payment method, there remain many challenges for businesses in addressing card security, protecting data and complying with PCI DSS.

What is a MOTO payment?

A MOTO (Mail Order/Telephone Order) payment is a debit or credit card payment that is taken over the phone or via postal mail and email. Because the cardholder and the card are not physically present, MOTO payments are treated as ‘Card-Not-Present’ (CNP) transactions and, by their very nature, carry risk because card data passes from the customer to a call handler. This type of payment is exempt from the recently introduced SCA (Strong Customer Authentication) requirements because the customer’s identity cannot be confirmed at the time of the transaction.

When it comes to addressing PCI DSS in MOTO payments, businesses have two options. They can choose to remain ‘in-scope’, retaining responsibility for ensuring that their transaction environment and processing comply with the PCI DSS requirements. Alternatively, they can install an external card payment processing solution that handles and manages transactions outside of the business, removing (or ‘descoping’) the whole process from the business’s PCI obligations.

Remaining in-scope

The benefits of keeping card payments in-scope for PCI DSS compliance include keeping costs low and maintaining complete control of the transaction environment. But, without in-house expertise, that does mean increased risk. MOTO payments require cardholders to read sensitive payment card details over the phone, which are then either written down or entered directly into a physical terminal by the call handler for processing. To make this process compliant with PCI DSS, the business must demonstrate that it has procedures in place to reduce the possibility of those card details being lost or stolen. This could include ensuring that any written record of card details is destroyed and prohibiting the storage of data once the transaction is complete. For larger call centres, a ban on using pens and writing implements while on calls is sometimes put in place.

Having these procedures demonstrates the business’s intent to protect card data and enables it to achieve PCI compliance via annual self-assessment. What they do not do is offer significant protection against human error, malicious intent or cyber-attack. Even with the strictest procedures in place, if a business falls victim to an attack that results in a breach of customer card data, it will still be liable for financial fines and will suffer the resulting reputational damage.

Descope from PCI compliance

While there is an obvious appeal to remaining in-scope – reducing cost outlay and keeping control – it is worth considering an external card payment processing solution that ‘descopes’ the transaction environment from the business’s PCI obligations to those of a service provider. This not only removes the pressure and resources required to achieve compliance but also significantly increases security, ensuring that customer card data is less likely to fall into the hands of fraudsters. While there is a financial commitment involved in installing the technology, this is offset by a huge reduction in risk.

At PCI Telecom, our PCI Agent solution allows businesses to accept and process card payments over the phone via a uniquely secure and PCI compliant system. The customer is asked to enter their card details using their phone keypad; the keypad tones go directly to our cloud-based system, where DTMF masking hides them so that the card details are at no point visible to the business. The call handler remains on the line with the customer throughout the entire transaction, maintaining personalised interaction and a positive customer experience. Being cloud-based, our PCI Agent solution requires no expensive or intrusive equipment to be installed on site, and it can work independently or as part of our wider suite of multi-channel solutions, including AUTO IVR and Online.
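To make the descoping mechanism concrete, the following is an added, simplified model of a DTMF-masked capture flow. It is illustrative code written for this article and is not PCI Telecom's PCI Agent implementation: the component, class and function names (`MaskedCapture`, `CaptureResult`, `run_capture`, `luhn_valid`), the `tok_` token format and the `[MASKED]` recording marker are all constructed for the example. It shows the point that matters for scope: the keypad digits are collected in a component the agent cannot see, the agent's channel and the call recording only ever receive a placeholder per key press, and what comes back to the business is an opaque token plus the last four digits (a display PCI DSS permits), never the full PAN.

```python
"""Constructed model of DTMF masking on a phone payment (not a vendor's code).

Three sinks are modelled for every keypad tone on the line:
  - the agent channel  (what the call handler hears/sees),
  - the call recording (what is stored),
  - a private buffer inside the capture component (the only place digits land).
Masking means the first two never contain a card digit.
"""
from dataclasses import dataclass, field
import secrets

DTMF_DIGITS = "0123456789"
END_OF_ENTRY = "#"   # customer presses # when finished (assumption for this model)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers: catches mistyped digits, nothing more."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class CaptureResult:
    token: str    # opaque reference the business keeps instead of the PAN
    last4: str    # PCI DSS allows displaying at most first 6 / last 4 to staff
    valid: bool   # length and Luhn check passed


@dataclass
class MaskedCapture:
    """Hypothetical capture component sitting between the phone line and the agent."""
    agent_channel: list = field(default_factory=list)   # what the agent perceives
    recording: list = field(default_factory=list)       # what the call recorder stores
    _pan_buffer: list = field(default_factory=list)     # never leaves this component
    capturing: bool = False

    def start_capture(self) -> None:
        self.capturing = True
        self._pan_buffer.clear()

    def on_tone(self, tone: str) -> None:
        """Invoked for every DTMF tone detected on the line."""
        if not self.capturing:
            # Outside card capture, tones pass through (e.g. IVR menu choices).
            self.agent_channel.append(tone)
            self.recording.append(tone)
            return
        if tone in DTMF_DIGITS:
            self._pan_buffer.append(tone)
            self.agent_channel.append("*")       # agent only learns a key was pressed
            self.recording.append("[MASKED]")    # recording never holds the tone
        elif tone == END_OF_ENTRY:
            self.agent_channel.append(END_OF_ENTRY)
            self.recording.append(END_OF_ENTRY)
            self.capturing = False
        # any other tone (*, A-D) is dropped during capture

    def finish_capture(self) -> CaptureResult:
        """Validate the buffered PAN, hand back a token, and wipe the buffer."""
        pan = "".join(self._pan_buffer)
        self._pan_buffer.clear()
        self.capturing = False
        ok = 13 <= len(pan) <= 19 and luhn_valid(pan)
        # A real deployment would forward the PAN to the acquirer/tokeniser here;
        # this model simply discards it so the business side never retains it.
        token = "tok_" + secrets.token_hex(8) if ok else ""
        return CaptureResult(token=token, last4=pan[-4:] if ok else "", valid=ok)


def run_capture(keypresses: str):
    """Drive one capture from a string of key presses; returns (result, component)."""
    cap = MaskedCapture()
    cap.start_capture()
    for tone in keypresses:
        cap.on_tone(tone)
    return cap.finish_capture(), cap


if __name__ == "__main__":
    # 4111111111111111 is a well-known Luhn-valid test number, not a real card.
    result, cap = run_capture("4111111111111111#")
    print(result)
    print("agent saw :", "".join(cap.agent_channel))
    print("recording :", cap.recording)
```

The check worth taking from the model is the negative one: after a capture, search the agent channel and the recording for any digit and expect none. Descoping holds only if that property holds for every path the tones can take, including the call recorder and any screen-sharing or quality-monitoring tool on the agent's desk; the business also still has to assess the service provider and complete the reduced self-assessment that applies when card data is fully outsourced.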

You can start the process of descoping your business from PCI DSS and securing your card payments by contacting us today.