Article: PCI DSS Compliance When Recording Calls In Contact Centres

Anyone doing business in what’s known as the call centre or contact centre sector, regardless of their vertical market focus, will be aware of the Payment Card Industry standards. That is: the Payment Card Industry Data Security Standard (PCI DSS); and the associated Payment Application Data Security Standard (PA-DSS).

Furthermore, anyone looking to develop a business application to serve the contact centre market will be aware of the need to comply with the PCI DSS and PA-DSS standards. Specifically, many will be concerned with technology solutions, either from a user point of view, or from the perspective of a vendor or solutions provider.

This application note looks at one form of technology solution to solve the issue of tone elimination in recordings of calls between customers, clients or subscribers and contact centre agents or other staff members.

It is addressed, primarily, at application developers – those developing business focused contact centre applications for both business-to-consumer (B2C) and business-to-business (B2B) deployments.

PCI Standards

The global PCI DSS mandates that any business, of any size, that stores, processes or transmits cardholder data obtained from payment cards, and/or sensitive authentication data (SAD), adheres to its information security best practices. Those are identified in a framework – a minimum set – of 12 specific requirements for protecting cardholder data.

Those requirements are supported by the three-step process of assess, remediate and report, facilitating an ongoing process for continuous compliance. The PCI DSS applies to all entities involved in payment card processing, including merchants, payment card processors, financial institutions, and service providers.


Significantly, the PCI DSS is not designed to supersede local, regional or sector laws, legislation, or other legal and regulatory requirements. On the other hand, its impact may well be reinforced by additional controls and practices, to further mitigate risks.

The Needs of Developers

An application developer, implementing a contact centre platform, will need a technology solution to enable the delivery of the controls and practices necessary to ensure ongoing compliance with the PCI DSS.

An essential technology for developers of contact centre applications is that of media processing for telecommunications; what are often referred to as telephony resources. As many credit card transactions are conducted via telephone, whether through the legacy PSTN or over a next generation, IP-based network, the processing, storage and transmission of cardholder data naturally occurs during telecommunications.

The sections of the PCI DSS relevant to a telephony-based transaction refer to sensitive authentication data (SAD), which includes magnetic-stripe data (or the equivalent on a chip), the 4/3-digit card security code, and personal identification numbers (PINs) or PIN blocks.

Security Requirements

PCI DSS security requirements include the common sense obligation to protect stored cardholder data, by restricting access to system operators that have a business need to know and by restricting physical access to such data. Specific requirements go further in that they require that cardholder data must not be stored after authorisation, even if encrypted. Prior to authorisation, the temporary storage of SAD may be permitted by individual payment brands (e.g., Visa or Mastercard).

The requirements apply to all system components included in or connected to the cardholder data environment (CDE), which spans people, processes and technologies. Those system components include network devices, application servers, and contact centre applications, whether internally provisioned or provided as a service by a third party.

Call Recording

The implications extend to components or devices located within or connected to the CDE, and a classic example of one such device is the call recorder. Those are used to monitor and record conversations between calling (or called, in the case of an outbound dialler application) customers and call centre agents.

The practice of call recording is widespread, not least in the financial services sector, and is governed by other legislation and requirements, such as the Sarbanes-Oxley Act (in the United States), and the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Data Protection and Privacy) Regulations 1999 (in the [still] United Kingdom).

When a call, during which a customer enters h[is/er] PIN using the keypad on a telephone, is recorded, the dual-tone, multi-frequency (DTMF) digital signature that represents the PIN is naturally captured automatically, together with the audio voice signal. That is, unless something is deliberately done to remove or extract the DTMF digits from the recording.

Tone Elimination

The need to suppress the DTMF in the recording is explicit in the PCI DSS, which requires that cardholder data, and that includes the PIN, must not be stored after authorisation. That means anyone involved in contact centre solutions needs a technology solution that will enable their system to eliminate DTMF tones in recordings, and so comply with the PCI DSS.

Technology Options

In a telecommunications environment, which means any call centre, the technology solution involves telephony resources, which can be implemented in two ways. For those prepared to integrate third party telephony resources into their solutions, typically by means of a vendor API, the result will be a seamless, built-in system option that can be readily activated by the end user organisation. For developers who would rather shy away from such activity, the alternative is to employ an in-line, intermediary device as part of their solution.

A tone elimination (also known as DTMF clamping) feature can be applied to suppress DTMF signals during a call that is being recorded. By installing the gateway in-line, between the contact centre system and a call recorder, DTMF signals can be readily prevented from reaching the recorder.

The gateway’s DTMF clamping feature is a user configurable option that can be applied to suppress tones, in real-time.

Configuration Details

The ‘Minimum duration of tone’ setting specifies how much DTMF tone must be present before the audio is treated as DTMF and hence eliminated; by default, it is set to ‘No minimum’. That default value causes the gateway to eliminate tones as soon as a sample of audio can be identified as containing tone.

Other valid values will require at least 40 milliseconds or 64 milliseconds of tone before identifying that a sample of incoming audio contains a DTMF tone, and only then excluding the tone from the outgoing audio.

The ‘Call leg’ option should be set according to whether tones are expected to arrive on the incoming or outgoing (from the perspective of the gateway) leg of a call.

If an incoming call is expected to carry DTMF then ‘Incoming call’ should be selected as the call leg on which to eliminate tones. If an outgoing call is expected to carry DTMF then ‘Outgoing call’ should be selected as the call leg on which to eliminate tones.
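The effect of the ‘Minimum duration of tone’ setting on what reaches the recorder can be checked with a small model. The following Python is an added example, not the vendor's implementation: it assumes 8 kHz audio, 8 ms analysis frames, a Goertzel-based detector and a clamp with no look-ahead buffer, so audio forwarded before the minimum is reached stays in the output. All function names and the sample call are constructed for illustration.

```python
import math

RATE, FRAME = 8000, 64          # 8 kHz telephony audio, 8 ms frames (this example's choice)
LOW, HIGH = (697, 770, 852, 941), (1209, 1336, 1477, 1633)   # DTMF row/column tones in Hz

def goertzel(frame, freq):
    """Power of `frame` at `freq` (Goertzel algorithm)."""
    w = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + w * s1 - s2, s1
    return s1 * s1 + s2 * s2 - w * s1 * s2

def has_dtmf(frame, share=0.2):
    """True when a row tone and a column tone each carry a large share of the energy."""
    total = sum(x * x for x in frame) * len(frame) / 2
    if total == 0:
        return False
    lo = max(goertzel(frame, f) for f in LOW)
    hi = max(goertzel(frame, f) for f in HIGH)
    return lo / total > share and hi / total > share

def clamp(samples, min_ms=0):
    """Zero DTMF frames, but only after the tone has lasted `min_ms` (0 = 'No minimum')."""
    need, run, out = min_ms // 8, 0, []      # 8 ms per frame
    for i in range(0, len(samples), FRAME):
        frame = samples[i:i + FRAME]
        run = run + 1 if has_dtmf(frame) else 0
        out.extend([0.0] * len(frame) if run > need else frame)
    return out

def residual_dtmf_ms(samples):
    """Recorder-side check: milliseconds of audio that still contain DTMF."""
    frames = (samples[i:i + FRAME] for i in range(0, len(samples), FRAME))
    return 8 * sum(has_dtmf(f) for f in frames)

def tone(freqs, frames, amp):
    """Sum of sine waves lasting `frames` analysis frames."""
    return [amp * sum(math.sin(2 * math.pi * f * t / RATE) for f in freqs)
            for t in range(frames * FRAME)]

# Constructed call: 200 ms voice stand-in, 96 ms keypress '5' (770 + 1336 Hz), 200 ms voice.
CALL = tone([300], 25, 0.5) + tone([770, 1336], 12, 0.4) + tone([300], 25, 0.5)

if __name__ == "__main__":
    for setting in (0, 40, 64):
        print(f"minimum {setting:2d} ms -> {residual_dtmf_ms(clamp(CALL, setting))} ms of DTMF reaches the recorder")
```

In this model only ‘No minimum’ leaves the output free of tone; running the same `residual_dtmf_ms` check over real recorder output is a way to confirm that the chosen setting keeps DTMF out of stored audio.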

Tone Elimination

The following figure illustrates the process of elimination of DTMF tones. The upper waveform shows DTMF and audio, whereas the lower waveform contains no DTMF signals.

Application Example

A technology solution can be deployed between a contact centre system and a call recorder as shown in Figure 4 below.

In this case, the system is controlled by the call centre agent who passes the caller to a secure, payment processing sub-system, by means of a hot-key. Whilst the agent is not a party to the call, the caller makes the payment by using the telephone keypad to enter card details. If successful, the caller is informed via the sub-system IVR and the database is updated, before the transaction details are sent to a payment gateway and the call is automatically returned to the agent. The process is effectively the same in an outbound dialler scenario.

The system is secure, because the agent is not exposed to the card details and the card details are not stored. Therefore, the opportunities for fraud are reduced considerably. Furthermore, the agent's session is recorded from start to finish, with no breaks or pauses, and critically, without the DTMF signals representing the caller’s data, which are suppressed by the technology solution.

Such a system is very easy for the agent to understand and helps to reduce the average cost per transaction, in addition to preventing the agent from being exposed to callers’ credit card details.

The technology solution receives inbound SIP or TDM signalled calls from the contact centre system, eliminates the DTMF signals in real-time and makes a corresponding outbound SIP call to the recorder. The RTP audio media reaching the recorder contains no DTMF and so the recording can be stored or archived in full compliance with the PCI DSS.

In this scenario, the technology can be configured for TDM-to-TDM, TDM-to-SIP or SIP-to-SIP calls, with a capacity of up to 4 E1/T1 trunks and 120 SIP calls.


In any contact centre offering payment processing functionality via telephone, whether calls are handled by legacy TDM-based or next generation, SIP-based systems, there will be DTMF digital signatures present in the audio signals received as a result of data input by the caller. Those DTMF signals represent sensitive data, such as a customer’s PIN.

When calls are recorded, for whatever purposes, by the contact centre, in order to protect customer data and comply with the PCI DSS, those DTMF signals must be excluded from all call recordings.

Unless such a capability is built in to the contact centre’s payment processing system, an intermediate device will be needed to perform that function, i.e., to suppress or eliminate the DTMF signals so that they are not present in stored recordings.

Clearly, the tone elimination feature means the gateway can be used as a stand-alone, in-line, intermediary device for eliminating the DTMF tones used to convey cardholder data, including PINs.

The solution provider's tone elimination or DTMF clamping feature will suppress, in real-time, any DTMF signals in the audio of calls fed to a recording device. By installing the gateway in-line, between the transaction processing system and the call recorder, DTMF signals can be prevented from reaching the recorder.

With such a ready-made, off-the-shelf solution, the contact centre manager can gain peace of mind, secure in the knowledge that customer data is protected and PCI DSS compliance is assured.

About Ian Colville:
Ian Colville is a product manager at Aculab and his role includes support for the company’s global sales force. Ian has spoken at a variety of customer seminars on various subjects since joining the company in 2000 and has contributed technical documentation, including product literature and several published articles. He has broad industry knowledge gained during a number of years employed in a variety of management roles by a major telecommunications manufacturer.

About Aculab:
Aculab is a company that offers deployment proven technology for any telecoms related application, with capabilities particularly suited to contact centre deployments. Its enabling technology serves the evolving needs of automated and interactive systems, whether on-premise, data centre hosted, or cloud-based. Over 1000 customers in more than 80 countries worldwide, including developers, integrators, and solutions and service providers, have adopted Aculab’s technology for a wide variety of business critical services and solutions, including high performance inbound/outbound contact centre applications, speech enabled IVR and self-service systems, and hosted or cloud-based services. Aculab offers development APIs for voice, data, fax and SMS, on hardware, software and cloud-based platforms, giving a choice between capital investment and cost-effective, ‘pay as you go’ alternatives.

Published: Monday, December 29, 2014
