The pace of business today is real-time and instant. Customers want products and services the moment they feel they have all the information required to make a decision. Consumers expect secure transactions to be processed and authorized in real time while they are on the phone. This presents a security threat: many businesses, municipalities, and organizations do not realize the risks involved in collecting sensitive payment card information over the phone.
What is card-not-present fraud and how does it affect businesses and government entities?
Card-not-present (CNP) transactions include over-the-phone payments, internet and e-commerce transactions, and mail-order transactions, in which the cardholder does not physically present the card to the merchant.
This growing area of credit card fraud affects a variety of businesses and government entities. It is no longer only the banks or the credit card companies that bear the risk or responsibility for security. Breaches and theft of cardholder data affect everyone, including individuals, businesses, and government:
• Customers lose trust in merchants or financial institutions
• Individuals are at risk for bad credit scores and identity theft
• Merchants lose credibility and future business
• Government agencies risk painful audits and recovery costs
• Risk of lawsuits, class-action lawsuits, and settlement payments
Maintaining PCI Compliance is good business, and it is necessary to protect yourself, and your customers, from a wide array of risks. Many of our clients, from the automobile industry to Homeowner Associations and government agencies, still rely on taking payments over the phone. This type of CNP transaction is vulnerable to fraudsters in a variety of ways.
How does PCI Compliance apply to my industry?
Let’s begin with a working definition of PCI compliance. What does it mean and who needs to worry about it? PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that aims to protect cardholder data and reduce credit card fraud. The credit card brands mandate the PCI Standard, and the Payment Card Industry Security Standards Council administers it. How is compliance validated?
Here are the options:
• An assessment by an external Qualified Security Assessor (QSA)
• A firm-specific Internal Security Assessor (ISA) who creates a Report on Compliance (ROC) for organizations handling large volumes of transactions
• A Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes
Does your business accept credit card transactions over the web? Over the phone? Is e-commerce part of your future? If you accept or process payment cards, the PCI Data Security Standard applies to you.
Maintaining PCI Compliance with over-the-phone transactions
We hear this common question from our clients: “Can I still ensure security if I take credit card payments over the phone?” As discussed in the introduction, card-not-present transactions pose a serious risk to businesses and individuals. What does it take to ensure your business can still offer over-the-phone payments securely?
In this article, you can read about the PCI Security Standards Council’s payment security advice for merchants and service providers who accept and/or process payment card data over the telephone.
The PCI Security Standards Council recommends the following for a strong data security foundation:
• People: Hire people you can trust. Work with partners and vendors who understand payment data security.
• Process: Follow good data security policies and practices. Make it a priority in training and in daily operations.
• Technology: Use the right technology and implement it correctly.
A leader in payment security, Ivrnet is a Level 1 PCI DSS certified Service Provider.
Visit ivrnet.com to learn more, watch a webinar or request a demo of our PCI compliant solutions for online and over the phone credit card payments.