DTMF Masking – Can it Help PCI DSS Compliance?

What is DTMF masking and how can it help you ensure PCI DSS compliance in your contact centre?

Danny Cresswell of CardEasy explains why DTMF masking is essential for PCI DSS compliance in all contact centres.

This article explains how DTMF masking (also known as DTMF suppression or DTMF clamping) works and how a secure payment solution such as CardEasy that uses DTMF masking is the most secure and PCI compliant way to take payments over the telephone.

What are DTMF tones?

DTMF stands for dual tone multifrequency. Each key on a telephone keypad generates a unique DTMF tone when pressed. These tones are transmitted over the voice channel and equipment at the receiving end then ‘listens’ to the tones and translates them into specific commands such as dialling a particular number. The tones can also be used to control remote equipment, navigate an IVR menu or capture sensitive information such as credit or debit card numbers.

Why do DTMF tones need to be ‘masked’?

DTMF tones enable companies to accept card payments over the telephone without the customer having to read their card details out to a contact centre agent. However, the ‘raw’ DTMF tones are easily recognizable and software (or even an experienced human) can interpret the tones and recognize the numbers, meaning that hackers or unscrupulous contact center agents could decode someone’s sensitive payment card details if they’re being entered via their telephone keypad. The tones could also be captured in a call recording and the payment card details accessed via the recording.

For this reason, when payment card details are captured using DTMF, the tones need to be masked (known as DTMF masking or DTMF suppression) so that they are not included in call recordings and cannot be translated back into numbers by contact center agents or anyone else who might have access to the live call or a recording of the call.

How does DTMF masking improve security?

Suppressing or masking DTMF tones enables customers to use their telephone keypad to enter payment card details securely. The tones that are generated as the customer enters their card details are intercepted and masked. The contact centre agent does not hear the original tones and the tones are not stored in the call recording so cannot then be used to access the customer’s payment card details.

DTMF masking is the recommended approach to protect telephone-based payments as it enables sensitive payment card data to be entirely removed from the contact center environment. The caller’s card details are not accessible to the agent handling the call, nor are they stored in the call recording, making DTMF masking a much more secure option than alternatives such as clean rooms or ‘pausing’ call recording while a payment is made.
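One way to check that masking has kept keypad tones out of a call recording is to scan the audio for DTMF row and column frequency pairs. The sketch below is an added example, not CardEasy code: it runs the Goertzel algorithm over constructed audio and assumes masking replaces each key press with a single flat tone (the 440 Hz value, thresholds and all function names are illustrative).

```python
import math

RATE = 8000                          # telephony sample rate in Hz
LOW = (697, 770, 852, 941)           # DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)      # DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def tone(freqs, ms=80):
    """Constructed audio: equal mix of sine waves at the given frequencies."""
    return [sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs) / len(freqs)
            for i in range(RATE * ms // 1000)]

def keypad_audio(keys, masked=False, mask_hz=440):
    """Constructed call audio: 80 ms burst then 80 ms silence per key press."""
    out, gap = [], [0.0] * (RATE * 80 // 1000)
    for key in keys:
        row = next(r for r in range(4) if key in KEYS[r])
        pair = (LOW[row], HIGH[KEYS[row].index(key)])
        out += tone((mask_hz,) if masked else pair) + gap  # assumed mask: flat tone
    return out

def goertzel(block, freq):
    """Signal power at one frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(block, min_power, dominance=4.0):
    """Return the key whose row and column tones both dominate, else None."""
    picks = []
    for group in (LOW, HIGH):
        ranked = sorted(((goertzel(block, f), i) for i, f in enumerate(group)), reverse=True)
        if ranked[0][0] < min_power or ranked[0][0] < dominance * ranked[1][0]:
            return None
        picks.append(ranked[0][1])
    return KEYS[picks[0]][picks[1]]

def residual_dtmf(samples, block_ms=40):
    """Scan a recording and return the key presses that are still decodable."""
    n = RATE * block_ms // 1000
    min_power = (n / 8) ** 2   # about a quarter-scale tone; tune for real audio
    found, last = [], None
    for start in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[start:start + n], min_power)
        if key and key != last:
            found.append(key)
        last = key
    return "".join(found)
```

An empty result from `residual_dtmf` on the recording leg is the outcome a masking deployment should produce; any digits returned mean tones are still reaching the recorder.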

How does DTMF masking help you de-scope your contact center from PCI DSS?

Using DTMF masking technology effectively eliminates the need to have PCI DSS controls in place in contact centres, because the payment card data is encrypted and sent to the merchant’s payment services provider for payment authorisation without ever entering the contact center environment or systems. This reduces risk and removes the need to monitor agents or to use ‘pause & resume’ (stopping and restarting call recordings) to try to control that risk.



Secure, PCI DSS compliant payment solution for contact centres

Whether your customers choose to pay over the telephone or via a digital channel such as email, SMS or web chat, CardEasy provides a simple, secure and cost effective payment solution that will protect your customers and de-scope your contact center environment from PCI DSS.

Offering seamless integration with your existing telephony and IT infrastructure, CardEasy significantly reduces the risks and costs associated with managing card payment transactions in your contact centres, whilst improving your customer’s experience and trust. CardEasy removes the risk of payment card fraud within your contact centre by preventing your contact centre agents from hearing or seeing payment card data, automatically blocking it from your screen and call recording (without the need for a pause/resume function) and preventing it from entering your contact center systems and networks.

Our patented technology creates a secure payment environment for payments handled over the phone, self-service IVR, email, webchat, SMS, social media or even via video calls.
