
Customer Services

Monday - Sunday

24 hours a day

0345 850 0195

For technical and terminal query: choose option 1


Covid-19: here to help

We are committed to supporting you and your business through these unprecedented times.

In this area, you’ll find a range of advice, offers and practical tips to help as we face this together.

  • PCI DSS compliance is not our primary concern… the primary concern is that you can continue to operate your business taking payments as required.

    This guidance is to help you do that as securely as you can, but be aware that not all the following is in keeping with PCI DSS compliance requirements. These are interim measures in the current extraordinary circumstances. Therefore, the guidance is temporary but we expect you to achieve full PCI DSS compliance as soon as is practical for your business to do so.

    I need to be able to take payments from home over the phone. How can I do this securely?

    There are three aspects to doing this securely – 'People', 'Process' and 'Technology'. Let’s talk you through them, one by one.

    People – if you are sharing space with others in your household when taking payments over the phone, consider the following:

    • Avoid repeating your customer’s personal details, including card details, back to the caller when somebody can overhear your call.  
    • If your call can be overheard, make sure you have told all others in your household that they must not write down or do anything else with the details they may hear.
    • If your customer’s personal details, including card details, are written or printed on paper, make sure you have told all others in your household that they must not remove, make copies of or do anything else with that information.

    Process – considerations to reduce the amount of cardholder data in your home environment:

    • Process the payment immediately while on the phone with your customer. This will avoid the need for you to write down your customer’s card details.
    • If writing down the card details is unavoidable, make sure you redact (e.g. with black marker pen) or shred/destroy the paper on which the card security code is written. You must not keep a copy of the card security code after you’ve processed the payment.
    • Keep any papers, order forms, receipts, records, etc that show the full card number away from anyone in the household who has no need to see that information. Put the papers away when you aren’t present, preferably locked away if this is possible.
    • If you don’t have a business reason to retain papers, order forms, receipts, records, etc that show the full card number, make sure you:
      • Securely dispose of the information as soon as you can. For example, cut up, shred or otherwise destroy the papers so the information cannot be recovered and misused.
      • If you can’t dispose of the papers in their entirety, for example, because they are your order records, redact (e.g. with black marker pen) the long card number so at most only the first six and last four digits can be read.
    • Do not accept your customer’s card data via email or other messaging service or chat app:
      • Take the card details over the phone or, if the customer is able to pay online, talk to Elavon on 0808 196 192 about using our Pay By Link solution to send your customer a link to a secure payment portal to make their payment.
      • If you inadvertently receive card data via email, remove it and let the sender know your preferred method to receive card details, i.e. via phone or mail.
    • Avoid creating any electronic records or copies of your customer’s payment card data.

    Technology – options to reduce the amount of cardholder data at home:


    • Don’t assume that you can take a card-not-present (CNP) payment through your terminal if you usually process face-to-face payments only. If you think that card-not-present functionality is not available on your terminal, please get in touch with your Elavon contact to have this enabled.

      If your terminal needs to connect to your home network to communicate (rather than to your phone line or to a mobile network) then you need to make sure that network is secure.

      If it is a wireless network:

      • Make sure the wireless router/access point’s software is up to date. Find out how to do this in the user manual for your router.
      • Check that the wireless router/access point is not still set up with the default admin username and password. Find out how to do this in the user manual for your router.
      • Make sure it uses WPA2 encryption.
      • Make sure it is password-protected (requires an access code or password to join the wireless network).
      • Make sure only people you know and trust know the access code to join the wireless network.

      If your payment terminal prints the full card number on your copy of the receipt, and you have no need for that full card number (e.g. you don’t need it to follow-up a chargeback), call your terminal provider to ask for the long card number (PAN) on your copy of the receipt to be masked (e.g. showing only the last 4 digits of the card number).

      Make sure only you and other people that need to use the terminal to take a payment have access to the device.

      Put the terminal away when you aren’t present, preferably locked away.

    • EPG Virtual Terminal is a browser-based secure card-not-present payment portal accessible from any internet-connected device.  To secure payment card details taken over the phone and entered into the Virtual Terminal, check the following on the PC or mobile device used to access the EPG Virtual Terminal web page:

      • Check the device is up to date with all the latest security updates and patches installed (for example, for a Windows 10 PC go to: Windows Settings, Update & Security, Check for Updates).
      • Make sure the device has anti-virus or anti-malware software installed. If so, is it running? Is real-time protection enabled, and is it up to date? Check the software’s dashboard or settings.
      • If possible, and if not already installed, install endpoint protection software as that offers many more layers of protection from malicious software, malicious websites and attackers than traditional anti-virus software.
      • Make sure a login is required to access the device, e.g. a password, a PIN or a fingerprint is needed to gain access.
      • Make sure that the screen locks automatically (requiring the user to log in again) if the device is unattended and not in use.

      Avoid letting anyone else in the household use the PC or mobile device on which you are running your business and taking payments.

      The network to which your PC or mobile device needs to connect, in order to be able to browse EPG Virtual Terminal, must be secure.

      If it is a wireless network:

      • Make sure the wireless router/access point’s software is up to date. Find out how to do this in the user manual for your router.
      • Check that the wireless router/access point is not still set up with the default admin username and password. Find out how to do this in the user manual for your router.
      • Make sure it uses WPA2 encryption.
      • Make sure it is password-protected (requires an access code or password to join the wireless network).
      • Make sure only people you know and trust know the access code to join the wireless network.

      If it is hard-wired, e.g. ethernet enabled:

      • Plug the terminal directly into your broadband router.
      • Make sure the router/firewall software is up to date. Find out how to do this in the user manual.
      • Check that the router/firewall is not still set up with the default admin username and password. Find out how to do this in the user manual.

      Your home network needs to be protected by a firewall. This is usually the router provided by your internet service provider, such as the BT Home Hub, Sky Hub or Virgin Media Super Hub. The firewall acts as a barrier to keep traffic out of your network and systems that you don't want and didn't authorise.

      Firewall rules can seem complex, but configuring them properly is vital to security. If you do not understand how to properly configure your firewall, it is wise to seek help from your internet service provider.

      • If your customer has phoned you and is able to pay online, you could use our Pay By Link solution to send your customer a link to a secure payment portal to make their payment once you’ve taken their order.
      • Using Pay By Link can greatly reduce your risk of card-not-present fraud. It is as secure as Chip and PIN technology.
    • Elavon’s PCI DSS compliant MobileMerchant includes the ability to process card not-present (CNP) transactions via the MobileMerchant portal (https://mobilemerchant.elavon.com). The 'Terminal' tab allows you to process CNP transactions. If you do not see the 'Terminal' tab, please contact Elavon customer services team who will be able to enable this. In addition:

      • Check the device is up to date with all the latest security updates and patches installed (for example, for a Windows 10 PC go to: Windows Settings, Update & Security, Check for Updates).
      • Make sure the device has anti-virus or anti-malware software installed. If so, is it running? Is real-time protection enabled, and is it up to date? Check the software’s dashboard or settings.
      • If possible, and if not already installed, install endpoint protection software as that offers many more layers of protection from malicious software, malicious websites and attackers than traditional anti-virus software.
      • Make sure a login is required to access the device, e.g. a password, a PIN or a fingerprint is needed to gain access.
      • Make sure that the screen locks automatically (requiring the user to log in again) if the device is unattended and not in use.

    FAQs

    This may depend on your company’s policy for using a work device at home.

    • This may depend on your company’s policy for using a personal device for work purposes and would be subject to the above guidance.

    • This may depend on your company’s policy for using a work device at home.

    • This would be subject to the above guidance.

    • This would be subject to the above guidance and the company’s security policy for data protection.

    • We, as Elavon, are subject to the requirements of the card brands. Therefore, in the event of a data breach during this time of crisis, forensic investigation may be required and penalties may be levied, depending on the card schemes' position during this period.

    • If you are now taking payments in a different environment with the same equipment, the PCI requirements that applied in the old environment will still apply in the new environment. 

      If you are now taking payments in a different way, for example using EPG Virtual Terminal and typing card data into a PC instead of taking a face-to-face payment with a Chip and PIN terminal, then additional PCI requirements will apply. This guide outlines the self-assessment questionnaires that apply to different payment processing methods. It will also help you find out the PCI DSS requirements that apply to you, if you have changed the circumstances under which you take payments. 

    • Yes, but it will depend on your company’s policy for accessing business information remotely.

    • Technically yes. From a PCI DSS point of view, the IP telephony would be transmitting card data that would be in scope of PCI DSS and need to be secured effectively. Please see this guidance on telephone based payments including IP telephony.

      Mobile phones or standard landlines would be more secure options. If you need to use telephony that transmits over the internet, i.e. Skype or WhatsApp, you should check with the provider that the calls are encrypted and your transaction data is not unduly exposed.  

      If the telephony you are using features call recording, don’t enable this function when you are taking a card payment.

    • This would be subject to the above guidance.

    • The PCI Security Standards Council has provided guidance for assessors on the expectations for completing assessments remotely during the crisis to enable you to continue with your compliance validations as best you can. Please see the PCI Security Council’s blog on the topic.

  • Before Covid-19, cybersecurity experts would see attempted malware attacks on our data maybe twenty or thirty times a day. Since Covid-19, that has risen – and sharply. One firm – ESET – recorded 2,500 in under seven hours, as reported in Forbes. Cybercriminals, clearly more used to working from home than the majority of us, are keen to make the most of the opportunities our new working environments present. So Candice Pressinger, Elavon Europe’s Director of Customer Data Security, has some tips on how to keep your valuable data safe when operating your business outside your usual workplace:

    • Data leakage and data loss: The risk isn’t just processing data right now – but also in the future. When this crisis is over, will you recall all the places you’ve saved data?
    • If you’re working away from your usual workplace, it’s more important than ever to make regular backups.
    • It’s vital those back-ups are encrypted and stored somewhere requiring two-factor authentication (2FA) to access.
    • Cloud storage or centralised storage that’s remotely accessible is preferable, such as Office 365 SharePoint.
    • DropBox or GoogleDocs are options, but access controls should be applied for greatest protection. 
    • Beware of phishing attacks: Fraudsters are making the most of people’s fears and concerns right now and ramping up the number of phishing emails – don’t click! Some of these include messages pretending to be from the World Health Organization with life-saving advice or the government offering tax refunds during the pandemic.
    • Insecure home WiFi networks: Bet when you installed your home WiFi, you weren’t expecting to run your business using it? So make sure you are using WPA2 and that your networks are password-protected. Make sure you’re not still set up with the default admin username and password! Even better would be to use a virtual private network (VPN) where you can to connect between your home and business.
    • Risks to business devices: Our mobile phones, laptops, tablets and the like are all potential weak spots in our security armour – ripe for unauthorised use or misuse. So make sure they are password protected, and, as ever, don’t share the password with anyone.
    • Software and hardware vulnerabilities: Malware and online threats are constantly evolving and growing ever more sophisticated, but so too is the protection against them. However, it only works if you keep your software and hardware updated. So make sure you’re allowing for security updates – OS patches/updates, anti-virus updates, updates to software.

    Our working – and home – environment is changing faster than ever before, and you are not alone in facing that. We’re here if you want advice. Email me at data-security@elavon.com or visit our dedicated pages at Elavon.co.uk/security


Useful Links

Protect yourself, your business and your loved ones: Below is a selection of trustworthy sources of reliable, up-to-date information about Covid-19 (Coronavirus) in the UK.

  • UK Government
  • National Health Service (NHS)
  • Confederation of British Industry (CBI)
  • Federation of Small Businesses (FSB)