For the service industry and non-profits, taking cards over the phone and email seems convenient for both parties. But this method of payment can also leave your customers’ card details vulnerable and create a security risk.
So, to avoid a compliance headache, it is easier to take payments remotely in a secure way. The first step is to not store card details in emails, spreadsheets, notes or your website database.
Can I accept credit cards by phone or email securely?
Yes, you can accept credit card payments by phone or email securely by using tools designed for card-not-present payments. The safest approach is to route card data directly into a PCI-compliant payment environment, so your staff never “stores” card details.
Safe options to accept credit card details
1) Use a virtual terminal for phone payments
A virtual terminal is a secure web portal from your payment processor where you key in card details while on the call. No writing it down. No saving it in a document. Just enter it, process it, and send a receipt.
Quick safety checklist:
• Give each staff member their own login (no shared accounts)
• Turn on multi-factor authentication
• Limit who can issue refunds or export reports
Most payment processors will provide tokenization and basic fraud prevention tools to protect customer data.
2) Use pay-by-link for email requests
Email isn’t a secure place to collect card numbers. Instead, email a secure payment link (or invoice link) that takes the donor/client to a hosted checkout page to enter their card details themselves. You still get paid, but you never touch the card number, and nothing sensitive sits in your inbox.
Payment processors such as RapidCents provide 3D Secure and advanced fraud protection tools for payments through links.
3) Use WordPress forms that don’t store card data
If you accept donations or payments on WordPress, use a solution that passes card data directly to the processor (often via hosted checkout or secure embedded fields). Avoid setups where card details are captured into WordPress, emailed to admins, or stored in your site’s database.
What not to do when accepting cards on phone or email
• Don’t ask for card number or CVV by email or DM
• Don’t accept card details via voicemail
• Don’t paste card data into a CRM note “temporarily”
• Don’t record calls where card details are spoken (unless you have proper pause/redaction tools)
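One way to check that these rules are being followed is to scan exported emails or CRM notes for card numbers that slipped in. The sketch below is an added example, not part of the original article or any processor's tooling; the function names and sample records are constructed for illustration, and the numbers are publicly documented test card numbers.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself holds no card data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def _digits(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())

def find_card_numbers(text: str) -> list[str]:
    """Return the masked form of every Luhn-valid candidate found in text."""
    return [mask(_digits(m)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_digits(m))]

def redact(text: str) -> str:
    """Replace each Luhn-valid candidate in text with its masked form."""
    return PAN_CANDIDATE.sub(
        lambda m: mask(_digits(m)) if luhn_valid(_digits(m)) else m.group(), text)

# Constructed sample records (test card numbers, not real accounts).
SAMPLES = {
    "crm_note": "Donor read card 4111 1111 1111 1111 over the phone, exp 12/30",
    "email": "Hi, please charge my Amex 378282246310005 for the invoice.",
    "order_ref": "Order reference 1234567890123456, callback +1 416 555 0100",
}

def scan(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each record name to the masked card numbers found in it."""
    return {name: hits for name, text in records.items()
            if (hits := find_card_numbers(text))}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {hits}")
```

Any hit means card data was handled outside the payment processor and the record should be cleaned up with the redacted text.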
A simple script for staff
Keep your staff up to date on how to respond when customers try to provide their card details by call or email.
Give them a simple script for these situations, such as:
“Please don’t email card information. For your security, here’s a secure payment link you can use anytime.”
For those wishing to pay via phone:
“Sure, let’s do it now. I’ll enter your payment securely while we’re on the call, and you’ll receive a receipt immediately.”
This also helps with disputes as the business will have clear receipts, consistent descriptors, and logs, making chargebacks easier to resolve.
Bottom line
Remote payments don’t have to be risky. If you use a virtual terminal for phone payments and pay-by-link for email requests, and keep card numbers out of inboxes, documents, and WordPress storage, you can accept payments conveniently while protecting your donors, clients, and organization.






