Securing Payments Taken Over the Phone
10th July 2025
For many businesses, taking card payments over the phone is an essential part of operations. It's convenient, fast, and enables seamless transactions. However, as financial fraud continues to rise, regulators have tightened security requirements, making compliance more complex for companies of all sizes.
While some businesses view new regulations as an unnecessary burden, the scale of financial fraud tells a different story. Globally, card fraud exceeded £10 billion annually, with UK businesses facing an average of 633 attempted network breaches per day in 2024. Large corporations, including BA, FIFA, Facebook, and Uber, have experienced high-profile breaches. Equifax, one of the most notorious cases, was fined £500,000, but the true cost of the breach soared to £3.5 billion in damages.
Smaller businesses, unfortunately, are even more vulnerable. 61% of breach victims are small to medium-sized enterprises (SMEs), a number rising each year as cybercriminals increasingly target less secure networks. Worse still, 60% of small businesses do not survive beyond six months after a cyberattack. The financial burden can be crushing: in one case, a restaurant suffered a card payment breach, incurring £21,000 in audit expenses and an additional £66,000 in fines from credit card companies.
Companies handling card payments must adhere to four major compliance requirements in the UK:
- Payment Card Industry Data Security Standard (PCI DSS 4.0) – Enforced from March 31st, 2025, requiring stricter security measures.
- General Data Protection Regulation (GDPR) & Data Protection Act – Holds business owners personally liable for data breaches.
- Cyber Insurance Policies – Many insurers now demand PCI DSS compliance as a condition for coverage.
- Acquiring Bank Contracts – Businesses must comply with PCI DSS under their merchant agreements.
Despite these clear legal obligations, many companies remain unaware of the risks or operate under common misconceptions, such as:
- "We don't record calls, so we're compliant." Not true – avoiding call recordings addresses only two out of 350 security requirements.
- "We only take a few payments." Even a single transaction requires compliance.
- "We manually enter card details into a secure terminal." While the terminal may be PCI compliant, your business may not be, leaving sensitive customer data exposed. Businesses across various industries have fallen victim to breaches, including travel agencies, dental practices, and leisure venues, collectively incurring £105,000 in penalties and remediation costs.
As security standards evolve, businesses must implement smarter solutions to reduce their risk. Descoping – removing internal systems, staff, and IT infrastructure from PCI DSS scope – is increasingly seen as the most viable strategy for SMEs.
With PCI DSS 4.0 now in force, organisations must act to safeguard their financial and reputational stability. Understanding and implementing the right security measures today can mean the difference between survival and devastation tomorrow. Connexis have partnered with PayGuard to secure customer payment data and maintain compliance across our full range of telephony solutions. PayGuard® is a secure, PCI DSS Level 1 compliant payment platform, perfect for small and medium-sized businesses that need to take payments securely.