Point-to-point encryption (P2PE) vs. DTMF masking for contact centre PCI DSS compliance – What are the Pros and Cons of each?
Contact centre managers face an array of technical solutions to meet the requirements of PCI DSS and the necessary protection of payment card data for their customers. Two solutions often considered by merchants are point-to-point encryption (P2PE) and DTMF masking. In this article Danny Cresswell of Syntec will consider the pros and cons of each option.
Point-to-point encryption (P2PE) encrypts card data at the pin pad before it enters your data network, thus keeping sensitive cardholder data away from your systems and network.
DTMF masking allows your contact centre to take card payments securely, using dual-tone multi-frequency (DTMF) capture technology, with the customer using their telephone keypad to provide their payment card data, while the agent and customer remain in conversation. For those merchants using tokenization, the payment data is immediately exchanged for a token and never enters your network or contact centre environment.
How does P2PE work?
P2PE is a security standard that requires credit card information to be encrypted instantly and then securely transferred directly to the payment processor before it can be decrypted and processed.
This solution requires a point of interaction (POI) device that immediately encrypts the card information using a predefined encryption key provided by the merchant’s payment service provider (PSP). A frontend application pulls the encrypted data from the POI and passes this to a ‘back office’ system which then sends a transaction to your bank and in the case of tokenization, receives a token in return. The token is then stored rather than the PAN.
P2PE reduces the risk of payment card fraud by instantly encrypting confidential cardholder data when it is entered into the PIN pad. This removes the call centre’s computers, the network infrastructure, and the payment processing application from PCI DSS scope. However, it leaves the call centre agent and the telephony environment (including call recordings) in scope. It also means that a physical POI device is required at every contact centre workstation, so the cost of this option can be significant.
How DTMF masking works
DTMF is an in-band telecommunication signalling system using the voice-frequency band over telephone lines.
In DTMF masking, rather than someone verbally reading their PAN and CV2 numbers to a call centre agent, the customer types them into a telephone keypad (although a voice response option can be offered in cases where a customer is unable to type their card details). Each touch of the keypad generates a corresponding tone which is sent down the telephone line. Before the signal reaches the call centre environment, it is intercepted by CardEasy, which converts it to a data packet. The agent is presented with a real-time display during the PAN/CV2 capture process, with CardEasy automatically masking the digits so that they are not visible to the agent.
Once the customer has input the numbers and CardEasy has verified that the information is correct, it seamlessly passes the transaction data through to the payment service provider (PSP) for processing, bypassing the call centre environment. Payment card data therefore does not enter the call centre environment at any point during the transaction.
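The capture flow described in the two paragraphs above, as an added Python illustration (this is not CardEasy or Syntec code): DTMF digits are buffered outside the contact-centre environment, the agent desktop is handed only a masked progress string, and on completion the PAN is Luhn-checked and passed straight to a PSP that returns a token. The PSP call (`stub_psp`), the use of `#` as the entry terminator and the 13 to 19 digit PAN length window are assumptions made for the example.

```python
import hashlib

TERMINATOR = "#"  # assumed: customer presses '#' to finish entry


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to verify the PAN before it goes to the PSP."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class DtmfCaptureSession:
    """Buffers DTMF digits outside the contact centre; the agent only ever sees a mask."""

    def __init__(self, min_len: int = 13, max_len: int = 19):
        self._buffer = []  # held here, never passed to the agent desktop
        self.min_len, self.max_len = min_len, max_len
        self.complete = False

    def on_tone(self, tone: str) -> str:
        """Consume one DTMF tone and return the masked string shown to the agent."""
        if tone == TERMINATOR:
            self.complete = True
        elif tone.isdigit() and len(self._buffer) < self.max_len:
            self._buffer.append(tone)
        return self.agent_view()

    def agent_view(self) -> str:
        # Real-time progress only: one '*' per captured digit, never the digit itself.
        return "*" * len(self._buffer)

    def submit(self, psp) -> dict:
        """Validate, hand the PAN straight to the PSP, and return only a token."""
        pan = "".join(self._buffer)
        if not self.complete or not self.min_len <= len(pan) <= self.max_len or not luhn_ok(pan):
            return {"status": "rejected", "agent_view": self.agent_view()}
        token = psp(pan)
        self._buffer.clear()  # PAN is discarded once the PSP has it
        # Truncated PAN (last four) is what the contact centre keeps alongside the token.
        return {"status": "ok", "token": token, "last4": pan[-4:]}


def stub_psp(pan: str) -> str:
    # Constructed stand-in for the payment service provider: returns an opaque token.
    return "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:12]
```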
DTMF masking significantly reduces the risk of payment card fraud since payment card data is no longer being stored, transmitted or processed within the contact centre environment. Unlike P2PE, DTMF masking also removes the contact centre agent and the voice network infrastructure, including call recordings, from PCI DSS scope. With DTMF masking the contact centre computers, hard/soft phones, the voice network infrastructure, the data network infrastructure, the payment processing application, and the physical security at the contact centre are all removed from PCI DSS scope. By not having the contact centre agent exposed to sensitive payment data, the need for restrictive PCI DSS controls at the contact centre is removed along with associated and significant cost.
The long-term cost of DTMF masking is lower and the time to implement is quicker when compared to P2PE. Contact centre expansions do not require additional cost unless the voice infrastructure capacity increases, plus the PCI DSS controls are significantly reduced, saving both time and recurring cost (such as the costs of annual PCI audits, which are substantial). Using DTMF masking rather than P2PE means that the call centre environment no longer stores, transmits, or processes cardholder data, which almost completely de-scopes the call centre environment from PCI DSS.
As our own research shows, industry experts agree that de-scoping the call centre environment from PCI DSS is the best strategy. Consumers value the security of their data very highly and are adapting their behaviour accordingly, increasingly making purchase decisions based on factors such as data and payment card security. Offering the ability to pay by phone without having to read out card details to a contact centre agent shows that a company is taking payment security seriously, which consumers now say is of huge importance to them.
Danny Cresswell is Head of Global Sales at Syntec
Syntec has developed over two decades into a leading managed service provider for contact centres internationally, with a proprietary suite of multi-tenanted, hosted managed services driven by client needs.