What are the most common ways to take payments over the phone?

The most common methods for how to take a card payment over the phone are: Virtual terminal Physical terminal Payment links IVR

How to reduce risk in agent-assisted phone payments?

When taking credit card payments over the phone, regulations like PCI DSS help companies reduce risk and stay secure. Here are some tips to stay compliant and keep data safe: Take payments via secure link: Customers can type their card number, and agents don’t need to be exposed to sensitive information. Pause recordings: If you must have customers read card numbers, pause call recordings to prevent payment data from being recorded or stored in audio files. Strict access controls: Limit access to sensitive information to authorized personnel only.

Can businesses legally take credit card payments over the phone?

Yes. It is legal to take card payments over the phone. However, card-not-present transactions may be subject to higher processing fees and still require merchants to follow PCI compliance.

Is it PCI compliant to accept card payments over the phone?

Yes. It is PCI compliant to take card payments over the phone as long as your business follows PCI compliance standards.

How can businesses reduce fraud when taking payments over the phone?

Companies can reduce fraud in payments over the phone through these measures: Secure email and SMS: Use PDCflow secure requests to capture payments. Card Verify and ACH Verify technology: Verify payment data through a payment gateway like PDCflow before processing a payment.

Can you outsource PCI compliance?

Yes, companies can outsource PCI compliance responsibilities as an alternative to managing them in-house. This process typically involves using a payment processor like PDCflow to capture and store payment data on your behalf.

Who is required to do PCI compliance?

PCI compliance is required for all companies that accept, process, or store credit card information. This standard applies to any entity that wishes to provide credit card payment options to its customers.

Do small businesses need to be PCI compliant?

Yes. All companies that accept, process, or store credit card information must maintain a secure environment and meet PCI compliance standards. Businesses are not exempt based on size or transaction volume if they handle credit card data. While small businesses don't need an on-site QSA audit required for Level 1 compliance, they must still perform the Self Assessment Questionnaire and may need quarterly network scans.

What is an Attestation of Compliance?

An Attestation of Compliance (AoC) is a standardized document used to communicate and prove your PCI compliance across all card brands. PDCflow’s PCI attestation is available upon request to any of our customers.

Can businesses store credit card information?

Yes. Businesses can store credit card information for transactions like recurring payments, invoicing, or charging repeat customers without asking for card data every time. Companies that store data must comply with PCI DSS standards.

Is it safe to store cards in a standard database?

No. Organizations should never store raw card numbers in a database, spreadsheet or CRM. Card numbers should be encrypted and tokenized to keep information safe.

How long can I legally keep a customer’s card on file?

PCI rules say you can keep data on file for the “minimum time required for legal, regulatory, or business needs.” Companies can keep data as long as is necessary for recurring billing, future payments, or processing refunds. Certain state laws may require you to delete customer data upon request. Always consult your company’s legal counsel or compliance department to stay informed.

Do I need PCI compliance if I use a payment processor?

Yes. Even when using a Level 1 PCI-compliant payment processor like PDCflow, every company that takes credit cards must still complete a Self-Assessment Questionnaire (SAQ).

What is tokenization and why does it help?

Tokenization replaces a credit card number with a non-sensitive identifier (a token). If a security breach occurs, hackers can’t see real payment details or use a payment token. PDCflow tokenizes payment data to keep payments safe and reduce PCI compliance scope for businesses.

How are PCI DSS goals different from PCI DSS requirements?

PCI DSS goals define the overall security outcomes an organization must achieve. The 12 requirements are the specific, actionable steps used to meet those goals. Solutions like PDCflow help you meet these goals by providing infrastructure to satisfy technical requirements, such as data encryption and storage.

How many PCI DSS compliance levels or groups are there?

There are four merchant levels (Levels 1–4) and two service provider levels (Levels 1–2), determined by annual transaction volume. Level 1 requires the most rigorous validation, including an annual on-site audit, while lower levels typically use Self-Assessment Questionnaires (SAQs).

What is PCI DSS Requirement 6 and how did it change in 2025?

Requirement 6 focuses on developing and maintaining secure systems and software. As of March 31, 2025, several "future-dated" requirements became mandatory, including stricter controls for client-side scripts to prevent web-skimming and more robust vulnerability management that requires addressing all vulnerabilities, not just critical ones.

Do I need Multi-Factor Authentication (MFA) for all employees now?

Yes. Under PCI DSS v4.0.1, MFA is now mandatory for all access to the Cardholder Data Environment (CDE), which includes non-administrative users and all remote access. This requirement became fully enforceable on March 31, 2025. Note: With PDCflow, your company does not manage or access the CDE. We do it for you.

How do the six PCI DSS goals support the 12 requirements?

The six goals provide the strategic framework for the requirements. By following these goals, a business ensures that its 12 technical requirements are satisfied as part of a cohesive security policy.

Is the CCPA the same as the California Consumer Protection Act?

No, while often confused, the correct name is the California Consumer Privacy Act.

What Does the California Consumer Privacy Act Do?

The CCPA creates new consumer rights and imposes obligations on businesses regarding the collection, use, and sharing of personal data. Key consumer rights include the right to limit use, opt out, correct, know, receive equal treatment, and delete information. Businesses must offer: Transparency: Companies must provide clear notice at or before the point of collection about what data is being gathered and for what purpose. Security: Businesses must implement reasonable security practices to protect personal information from unauthorized access or breaches.

Who Does the California Consumer Privacy Act Apply To?

The CCPA applies to for-profit businesses that do business in California and meet at least one of the following three thresholds: annual revenue above $25 million, deal with more than 100,000 households’ data, or derive 50% of revenue from data. Note: The law also applies to entities that control or are controlled by a covered business and share common branding. It generally does not apply to non-profit organizations or government agencies.

Does the CCPA apply to businesses outside of California?

Yes. If you collect or process the data of California residents, the law likely applies to you regardless of where your business is located.

What counts as "Personal Information"?

The CCPA defines it broadly as information that "identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Are my payment details encrypted when I pay through PDCflow?

Yes. Your payment details are encrypted using AES-256 before tokenization.

What compliance standards apply to payment encryption software like PDCflow?

Our platform meets PCI DSS, Nacha, and HIPAA requirements, limiting your compliance scope.

Compliance and Data Security Archives

How To Take Secure Payments Over the Phone Safely Without PCI Compliance Risk

February 20, 2026

Man wearing a headset smiles while working at a computer, with another headset user typing at a laptop in a bright office background.

Summary: Learning how to take credit card payments over the phone is vital for modern businesses. This guide covers steps to take payments over the phone, ensuring your process remains secure, user-friendly, and professional. By following these best practices for card payments over the phone, you can: minimize the risk of fraud reduce chargebacks provide a secure, seamless transaction experience …

Benefits of Outsourcing PCI DSS Compliance Services

February 9, 2026

Summary: There are many benefits of outsourcing PCI DSS compliance services. Most important among them is reducing the costs and effort required to meet security standards. PCI DSS outsourcing lets businesses use a compliant payment processor for tokenization and secure data storage. Replacing sensitive data with codes (tokens) and outsourcing data management protects against hackers and significantly reduces compliance burden. …

Storing Credit Card Information: Risks and Best Practices

February 6, 2026

Summary: Storing credit card information is essential for recurring payments and future invoicing, but it requires strict security to mitigate risks like data breaches. Securely store customer credit card information by using a Level 1 PCI-compliant vendor like PDCflow. Avoid storing sensitive authentication data like CVV codes. To remain PCI compliant when storing customer credit card information, ensure primary account …

6 Main PCI DSS Compliance Goals and What They Mean for Your Business

January 8, 2026

Summary: Understanding the six PCI DSS compliance goals is essential for any business processing credit card data. These PCI DSS compliance goals provide a framework for the 12 specific requirements needed to ensure a secure payment environment. The goals of PCI compliance are: Building secure networks Protecting cardholder data Maintaining vulnerability management programs Implementing strong access control Regularly monitoring networks …

California Consumer Privacy Act Overview

December 31, 2025

California Consumer Privacy Act (CCPA) Overview

Summary: Data protection and privacy is no longer just a luxury; it’s a legal mandate. This California Consumer Privacy Act summary provides a comprehensive overview of the California Consumer Privacy Act (CCPA), covering topics like: “What is the California Consumer Privacy Act?” Why does the CCPA matter to the debt collection industry? How can businesses ensure compliance while protecting consumer …

PCI Compliance for Remote Workers in AR

September 4, 2025

Young woman wearing headphones sits on a couch, speaking to a laptop and holding a pen over an open notebook on the table.

Moving staff outside the controlled environment of a secure office comes with unique challenges and risks. If your Accounts Receivable agents are taking payments from their homes, one of your primary concerns should be maintaining PCI compliance for remote workers. Here are the most common concerns debt collection, medical billing, or accounts receivable companies face when taking payments remotely. Learn …

Payment Encryption and Data Tokenization to Protect Sensitive Payment Data

May 27, 2025

Hands typing on a laptop beside a large shield icon with a keyhole, with the words Data Protection floating over the scene.

Security is an essential part of taking payments. Your payment software should take precautions with the sensitive information they help you manage. Otherwise, they aren’t looking out for you or your consumers. As a leading payment encryption platform, PDCflow delivers end-to-end payment data protection for every transaction. Encryption and data tokenization are essential steps to protect credit card and bank …

What Businesses Ought To Know About Credit Card Tokenization

November 20, 2024

Hands hold a smartphone and card while multiple lock icons float around the device, showing a secure mobile payment concept.

According to Forbes, there were 2,365 cyberattacks in 2023, with 343,338,964 victims. These data security breaches are a big problem for companies and consumers alike. That’s why there are rules, regulations, and best practices centered around protecting customers through credit card tokenization and data encryption. Credit card tokenization and encryption shield essential customer payment information from being exposed. Your payment …

Why Secure Document Sharing is Essential for Compliance

November 14, 2024

Companies with strict compliance needs or those that value privacy should be using secure document sharing for every message they send. After all, failing to protect customer information with secure document sharing practices can: create compliance issues damage your reputation lead to customer loss result in financial penalties Plus, customers expect secure document sharing any time you send contracts, terms …

Are your Recurring ACH Payments Compliant?

November 22, 2023

Many consumers prefer to pay large bills in installments through ACH payments rather than a credit card. Offering this option in your business will decrease consumer complaints and increase your overall receivables. But just as with cards, it’s important to ensure the recurring ACH payments you accept are compliant.Understanding Recurring ACH Payment Compliance Complying with every regulation that applies to …

A Checklist for Recurring Payment Processing Software

October 12, 2023

No matter what business you’re in, taking payments brings more regulations you must follow. For instance, companies that use recurring payment processing services need to maintain Regulation E compliance. But how do you know when Regulation E applies to a transaction within your business? How can your payment processing software help?Recurring EFT Payments and Regulation E What is Regulation E? …

How To Prevent Data Breaches: Three Steps

August 22, 2023

Does your company know how to prevent a data breach? One thing the Equifax and Marriott data breaches (and countless others) have shown is that customer data won’t stay safe if a business isn’t protected. Data breach prevention is an important way to protect your customers and your brand, but it also helps your company remain financially stable. Data breaches …