DTMF masking is the new PCI DSS gold standard for protecting telephone-based payment card data, reveals Syntec’s research
Supported by the global PCI Security Standards Council’s new guidelines
Syntec’s latest update of its PCI DSS* tracking research, conducted since 2012, shows that
– consumers are increasingly concerned about payment card data security when paying over the phone
– expert advice is also moving away from recommending the use of mitigating controls such as ‘pause and resume’ (stop/start call recordings) towards the emerging new standard of DTMF masking or ‘keypad payment by phone’.
Syntec surveyed 750 consumers in the UK, USA and Australia in 2018 and conducted in-depth interviews with a range of card payment experts, including representatives of client companies, payment services providers, consultants and QSAs. The survey reveals a significant rise in consumer concern about payment security in contact centres. 63% of consumers now say that there have been times when they have not bought something because of concern about payment card security when paying over the phone, a rise of almost 20% since 2016. 31% of consumers now say that they never make payments by phone, up from 19% in 2016.
Consumers clearly feel that the responsibility for ensuring that their details are secure lies with contact centre managers. When asked whether call centre managers should do more to prevent credit and debit card fraud, 80% agreed. The same number feel that organisations should not be allowed to keep payment card details in their databases.
So what do consumers think is the best way for organisations to avoid fraud in contact centres? The most popular answer, by a significant margin, is DTMF masking**: “using secure technology to hide the card details from both the call centre agent and the call recording” was selected by 42% of respondents.
This aligns with the views of the payment security experts and client organisations interviewed as part of this research. All the client organisations interviewed were looking for technical solutions to help them de-scope from PCI DSS. The view amongst the PCI assessors and security experts interviewed is that, whilst mitigating controls can be useful in reducing risk, the best option for organisations is to de-scope entirely by creating a ‘no card data environment’, and that DTMF masking (or DTMF clamping) is a very successful way of achieving this. Syntec’s updated research suggests that client organisations are now catching up with this view too.
John Greenwood, Executive Director, Compliance 3 and one of the industry experts interviewed says,
“If [an organisation’s] strategy is designed to reduce the overall time, cost and effort in maintaining PCI DSS compliance, then that strategy should be to avoid establishing a card data environment in the first place.”
The consensus is that call centres should no longer ask consumers to read their card numbers out, but should have them enter the numbers on the keypad of their own phone, to be transmitted as DTMF touchtones (the same way phone numbers are dialled). The tones are then masked before they reach the agent and the call recording, so the card number is never spoken, heard or stored inside the contact centre.
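To make the mechanism concrete, here is an added toy model of a DTMF masking proxy. It is illustrative code written for this page, not Syntec’s CardEasy or any other vendor’s product, and it makes several simplifying assumptions: the call is modelled as a list of frames (opaque speech, or an RFC 4733-style telephone-event carrying one key), the payment service provider is a stub that vaults the PAN and returns an opaque token, and the agent arms capture manually. The point it demonstrates is the one the experts above make: while capture is armed, keyed digits are diverted to the PSP, the agent and recorder leg receives only a flat tone, and the agent’s CRM ends up holding a masked PAN and a token rather than card data.

```python
# Added illustration (not Syntec/CardEasy code): a toy DTMF masking proxy.
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Frame:
    """One media packet on the call. kind is 'audio' (opaque speech, labelled
    by a string) or 'dtmf' (an RFC 4733-style telephone-event carrying one key)."""
    seq: int
    kind: str
    payload: str


MASK_TONE = "flat-tone"  # what the agent and the recorder hear in place of a digit


def luhn_ok(pan: str) -> bool:
    """Luhn check, so a mis-keyed PAN is rejected before anything is sent on."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class PaymentServiceProvider:
    """Stub (assumed) PSP outside the contact centre: the only component that
    ever holds a PAN. The contact centre only ever gets back an opaque token."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token


class MaskingProxy:
    """Sits in the media path between the caller's line and the agent/recording
    leg. While capture is armed, keypad events are diverted to the PSP and the
    agent leg receives a flat tone of fixed length instead of the digit."""

    def __init__(self, psp: PaymentServiceProvider) -> None:
        self.psp = psp
        self.capturing = False
        self._digits: List[str] = []
        self.agent_leg: List[Frame] = []  # everything the agent and recorder receive
        self.outcomes: List[dict] = []    # what the agent's CRM is allowed to see

    def arm_capture(self) -> None:
        """Agent (or IVR) arms capture; from here on digits never reach them."""
        self.capturing = True
        self._digits = []

    def process(self, frame: Frame) -> None:
        if frame.kind == "dtmf" and self.capturing:
            if frame.payload == "#":          # caller confirms the entry
                self._complete()
            elif frame.payload.isdigit():
                self._digits.append(frame.payload)
            # The '#' is masked too, so the leg carries no per-key information.
            self.agent_leg.append(Frame(frame.seq, "audio", MASK_TONE))
            return
        # Speech, and key presses outside capture (IVR menus), pass through.
        # Speech is opaque to the proxy: this is why callers must key the
        # number rather than read it out.
        self.agent_leg.append(frame)

    def _complete(self) -> None:
        pan = "".join(self._digits)
        self.capturing, self._digits = False, []
        if not luhn_ok(pan):
            self.outcomes.append({"status": "rejected", "masked_pan": None, "token": None})
            return
        self.outcomes.append({
            "status": "captured",
            "masked_pan": "*" * (len(pan) - 4) + pan[-4:],  # all the agent sees
            "token": self.psp.tokenize(pan),                # all the CRM stores
        })


def masked_leg_is_clean(frames: List[Frame]) -> bool:
    """True if nothing on the agent/recording leg could reveal a keyed digit."""
    return all(f.kind != "dtmf" and not f.payload.isdigit() for f in frames)


def simulate_payment(pan: str) -> dict:
    """Drive one attended payment through the proxy (constructed call flow)."""
    proxy = MaskingProxy(PaymentServiceProvider())
    proxy.process(Frame(0, "audio", "agent: please key your card number, then press hash"))
    proxy.arm_capture()
    keys = pan + "#"
    for seq, ch in enumerate(keys, start=1):
        proxy.process(Frame(seq, "dtmf", ch))
    proxy.process(Frame(len(keys) + 1, "audio", "agent: thank you, that has gone through"))
    return {
        "outcome": proxy.outcomes[-1],
        "leg_clean": masked_leg_is_clean(proxy.agent_leg),
        "masked_frames": sum(1 for f in proxy.agent_leg if f.payload == MASK_TONE),
    }


if __name__ == "__main__":
    print(simulate_payment("4111111111111111"))  # well-known Visa test PAN
```

Two design points are worth noting. First, the masked leg replaces every key press, including the terminating hash, with the same fixed tone, so neither the agent nor the recording learns which key was pressed or how many digits the card has beyond what the tone count already reveals. Second, the proxy cannot protect a card number that the caller speaks, which is exactly why the guidance is to key the number rather than read it out.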
Kevin Dowd, ex-Chairman of the CNS Group, said,
“Reading your card numbers out is not an efficient way of doing things, nor is it secure.”
“In almost all instances, there is absolutely no need for a company to even see credit card data that’s going to bring them into PCI scope. DTMF is the solution for telephone payments. If I were running a call centre that’s how I would do it.”
The PCI Security Standards Council has just issued new guidelines for PCI DSS compliance in contact centres entitled ‘Protecting Telephone-Based Payment Card Data’, updating them for the first time since 2011. DTMF masking is highlighted in these new guidelines too:
“A properly designed and deployed DTMF masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope”.
Colin Westlake, Syntec’s Managing Director, commented,
“DTMF technology such as our patented CardEasy ‘keypad payment by phone’ system has now come of age both for attended payments on the phone with call centre agents and unattended customer self-service payments using IVR, as well as keeping card data out of call recordings and de-scoping the contact centre environment from PCI DSS.
As the contact centre is a prime target for hackers and data breaches, it’s good to see this endorsement of DTMF masking in this latest Syntec international research survey as well as the new PCI SSC guidelines”.
The free Syntec research White Paper with this year’s survey results, which also includes further tips and recommendations for contact centre leaders, is available for download from Syntec.
The PCI SSC guidance ‘Protecting Telephone-Based Payment Card Data’ is available from the PCI Security Standards Council.
Founded in 1998, Syntec is an independent UK network operator providing a range of managed services to contact centres across a variety of sectors in the UK and worldwide. Syntec is a PCI DSS level 1 Visa Merchant Agent & Mastercard Service Provider and participating organization of the global PCI Security Standards Council (PCI SSC).
*PCI DSS = Payment Card Industry Data Security Standard (the card brands’ security standard for organisations that store, process or transmit cardholder data)
** DTMF = Dual Tone Multi-Frequency (touchtones);
‘Masking’ or ‘Clamping’ DTMF = suppression of tones so card numbers can’t be deciphered