PCI compliance - Phone Orders

How are other e-tailers handling phone orders?

LizaJane

9:19 pm on Jun 13, 2010 (gmt 0)

Assuming my online website / shopping cart / gateway etc. are PCI compliant, how do I deal with phone orders? I have come up with 3 ideas. Would any of them be PCI compliant?

1- Write down the payment info - enter the payment into the virtual terminal by end of day - cross-shred the payment info by end of day.

2- Enter the payment information directly into my merchant account's virtual terminal as I take the phone order - no CC info written down in house.

3- We enter the phone order online via our shopping cart while on the phone with the customer - again, no CC info written down in house.

How are other e-tailers handling phone orders?

Any help would be appreciated.

wyweb

9:28 pm on Jun 13, 2010 (gmt 0)

Excellent question.

Not just phone orders either. I've had customers wanting to send me their CC number by email as well.

I've only done this once. The customer was insistent, there was a risk of losing a fairly large sale, etc. I was uncomfortable with it then and I'm uncomfortable with the idea now.

I have numerous payment methods on all of my sites. There is never any reason for me to handle card numbers personally. My philosophy has always been to direct them to proper payment procedure onsite (except in that one case).

I don't want to be on the list of suspects if their identity gets stolen and CC gets misused.

MrHard

12:22 am on Jun 14, 2010 (gmt 0)

Locking order info in a cabinet only accessible to qualified individuals is PCI compliant, I think.

Rugles

8:46 pm on Jun 14, 2010 (gmt 0)

> Locking order info in a cabinet only accessible to qualified individuals is PCI compliant, I think.

I think you are correct.

Demaestro

8:55 pm on Jun 14, 2010 (gmt 0)


I'm not an e-tailer but I have clients that are. What I have done in the past is create a simple form behind a secure login that they can go to. It is tied to the gateway just like the online order form, but it allows them to enter a product ID/SKU on the fly without a bunch of "add to cart" logic.

A staff member gets a call for a phone order; they log in, fill out the form, enter the CC info and submit, and it is treated as any other order from then on, but it is flagged in the DB as being a phone-in, and it is good to record which employee logged in and did the order.

You can also ask your gateway, I know some have a Phone order form that you can login and submit.
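The back end of the staff-only phone-order form described in the post above, as an added example that is not Demaestro's or any gateway's actual code. It assumes a hypothetical gateway client (`FakeGateway`, constructed here so the example runs offline) that charges the card and hands back a token plus the last four digits. The points it demonstrates: the card number is Luhn-checked before the gateway call, the CVV is passed to the gateway and never stored, the order record keeps only the token and last four digits, the order is flagged as channel "phone" with the operator's login, and a storage guard refuses to persist any value that looks like a full card number.

```python
"""Phone-order form back end: card data goes to the gateway, never to the order DB.

Added illustration; the gateway client, field names and record layout are
assumptions, not any real processor's API.
"""
import re
import secrets
import string
from datetime import datetime, timezone

# A 13-19 digit run that also passes Luhn is treated as a card number by the
# storage guard below (stored PANs are what the form must never produce).
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: the sanity check to run before calling the gateway."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FakeGateway:
    """Constructed stand-in for the processor's API (hypothetical).

    A real gateway keeps the PAN on its side and returns a reusable token
    plus the last four digits; that is all the merchant side ever sees again.
    """

    def __init__(self):
        self.vault = {}  # PAN storage belongs to the processor, not the merchant

    def charge(self, pan, expiry, cvv, amount_cents):
        if not luhn_ok(pan):
            return {"status": "declined", "reason": "invalid card number"}
        # Letters only, so a token can never be mistaken for a digit run.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self.vault[token] = pan
        return {"status": "approved", "token": token, "last4": pan[-4:]}


def assert_no_card_data(record: dict) -> None:
    """Refuse to persist any record carrying a CVV field or a PAN-looking value."""
    for key, value in record.items():
        if key.lower() in ("cvv", "cvc", "cvv2", "pan", "card_number"):
            raise ValueError(f"refusing to store field {key!r}")
        if isinstance(value, str):
            for run in PAN_RE.findall(value):
                if luhn_ok(run):
                    raise ValueError(f"field {key!r} contains what looks like a card number")


def take_phone_order(gateway, db, operator, skus, amount_cents, pan, expiry, cvv):
    """Charge the card via the gateway and store a token-only, channel-flagged order."""
    pan = pan.replace(" ", "").replace("-", "")
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check; re-read it to the customer")
    result = gateway.charge(pan, expiry, cvv, amount_cents)
    if result["status"] != "approved":
        raise RuntimeError("gateway declined: " + result.get("reason", ""))
    record = {
        "skus": list(skus),
        "amount_cents": amount_cents,
        "channel": "phone",          # flag phone-ins for later review
        "operator": operator,        # which employee took the order
        "gateway_token": result["token"],
        "card_last4": result["last4"],
        "created": datetime.now(timezone.utc).isoformat(),
    }
    assert_no_card_data(record)  # CVV and PAN are local variables only; they die here
    db.append(record)
    return record


if __name__ == "__main__":
    # Constructed sample: industry-standard Visa test number, in-memory "DB".
    gw, orders = FakeGateway(), []
    print(take_phone_order(gw, orders, "jane", ["SKU-42"], 1999,
                           "4111 1111 1111 1111", "12/30", "123"))
```

The guard is deliberately the last thing before the write: it catches the easy mistake of someone later adding a "notes" field where an operator pastes the number the customer read out. Request logging on the login-protected form needs the same treatment, since a logged POST body is a stored PAN.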