Article: Preventing Dual-Tone Multi-Frequency (DTMF) Bleed for PCI DSS Compliance
No matter what industry you operate in, if your call or contact center accepts payments over the phone, data security is almost certainly one of your highest priorities. Protecting payment card data and other sensitive information is essential to maintaining customer trust and keeping fraudsters out, and it is also required by a number of legal regulations and industry standards, from the EU's General Data Protection Regulation (GDPR) to the Payment Card Industry Data Security Standard (PCI DSS). Contact center professionals may already be familiar with Dual-Tone Multi-Frequency (DTMF) masking as a way to protect telephone-based payments and meet these requirements, but many do not realize that not all DTMF masking implementations are foolproof. Some forms of DTMF masking carry technical risks that must be mitigated before you can be confident that card data is adequately protected and PCI DSS compliance is maintained.
In late 2018, the Payment Card Industry Security Standards Council (PCI SSC) published its revised guidance, Protecting Telephone-Based Payment Card Data. In it, the Council describes DTMF masking as a viable method for reducing the PCI DSS scope of the contact center and the data it handles. It also raises a specific risk associated with the technology: DTMF bleed. Before looking at what DTMF bleed is and how to prevent it, it helps to understand how DTMF masking works.
What is DTMF masking?
A DTMF masking solution enables contact centers to accept payments over the phone without the card details ever being spoken. Rather than reading their payment card details aloud to a customer service representative (CSR), the caller keys the digits on their telephone's touch-tone keypad. The masking solution replaces each keypad tone with a flat tone before the audio reaches the CSR or the call recorder, so the digits cannot be heard or recorded. Throughout the transaction the CSR stays in full voice contact with the customer and can answer any questions that arise.
Once the customer has keyed the digits and the system has validated them (for example, by length and check digit), the transaction data is passed directly to the payment service provider (PSP) for processing, bypassing the CSR and their desktop. This lets a company take card payments without the card data ever being handled by the contact center, keeping the contact center and its IT and telephony infrastructure out of PCI DSS scope. The masking provider's own environment, which does handle the card data, remains in scope and must itself be PCI DSS compliant, which is something to verify when selecting a vendor.
How Proper DTMF Masking Helps PCI DSS Compliance
One of the biggest benefits of DTMF masking is that it allows a contact center to record phone calls without capturing cardholder data on the recording. Organizations in highly regulated industries such as financial services are often mandated to record every telephone conversation that involves a financial transaction with a customer, and organizations in other industries record customer calls for training, quality control, legal protection, or to measure customer sentiment. Their contact centers then face the challenge of recording calls while still complying with PCI DSS, which prohibits storing sensitive authentication data such as the three- or four-digit security code (CID, CVC2, CVV2 or CAV2) after authorization, a rule that a call recording containing the spoken or keyed code breaks by definition.
Some organizations implement Pause-and-Resume (or Stop/Start) recording, which appears to offer a quick fix: the call recording is paused, manually or automatically, at the point of payment and resumed once the payment is complete. But Pause-and-Resume only keeps card data off the recording when it is used correctly 100 percent of the time. In practice it is error-prone and exposes organizations to considerable risk. CSRs may forget to pause the recording before the customer reads out their card number, or forget to resume it afterwards. Automated Pause-and-Resume triggers are also far from perfect and frequently misfire. And even when the recording is correctly paused, the CSR still hears the card details and could write them down for fraudulent use later.
DTMF masking removes the need for Pause-and-Resume by keeping card data out of the contact center in the first place, so it is never recorded or stored anywhere in the center's infrastructure. Provided card data does not enter the environment by another route, such as a caller reading the number aloud instead of keying it, the contact center environment stays out of PCI DSS scope, which both preserves customer trust and reduces the risk of a brand-damaging data breach.
There are also substantial non-compliance related benefits to implementing a DTMF masking solution in a call center:
- Better Customer Experience – The best DTMF masking solutions never require a call to be rerouted or transferred. CSRs remain in constant verbal communication with the customer while taking a payment, allowing easy assistance if any issues occur.
- Reduction in Average Handling Time – The solution provides a single point of numeric entry, which reduces the opportunity for error when collecting payment details. The CSR no longer needs to read back or confirm the card number with the caller, or re-key it after a mistake. While the customer enters their card details, the CSR is free to carry out wrap-up activities.
- Better CSR Experience – Because the CSR is never exposed to payment card data, restrictive PCI DSS controls on employees (such as bans on paper, pens and mobile phones at the desk) are no longer needed. CSRs can be given the tools they need to do their job without excessive security procedures.
- Lower Risk of Data Being Stolen – Because payment card data is no longer stored, processed, or transmitted within the contact center infrastructure, there is nothing there for an attacker to steal. Hackers can't hack what you don't hold!
Yet, despite the many benefits of DTMF masking, the PCI SSC’s updated Guidance makes it clear that it does have one potential, and sometimes significant risk: DTMF Bleed.
What is DTMF Bleed and How Can It Be Stopped?
Some DTMF masking solutions rely on in-band DTMF detection to decide when to start masking. A detector has to accumulate a window of audio samples before it can confirm that a valid row/column frequency pair is present, so if the audio is passed through in real time, the first few milliseconds of each tone reach the CSR and the call recorder before the mask engages. This leaked onset is an example of DTMF bleed: DTMF tones that were identified but, for whatever reason, not completely obfuscated. The PCI SSC stresses that to stay out of scope, organizations must ensure that no DTMF tones at all, not even the brief initial fragments a masking process may have missed, are present in the environment. Note that on SIP/RTP trunks the same digit can also travel out-of-band as telephone-event (RFC 4733) packets or SIP INFO messages, which a masking solution must suppress separately.
If DTMF bleed occurs, the leaked fragments may be enough to recover the keyed digits, meaning card data is revealed and the organization is brought back into scope for PCI DSS. A standard DTMF detector insists on a tone of roughly 40 ms or more, but an attacker analysing a recording does not have to: the 16 possible frequency pairs are known in advance, so a fragment can simply be matched against them. Testing has found that a bleed as short as 2-3 milliseconds can expose a digit, which shows how crucial it is to remove all DTMF bleed.
Noncompliance due to even the smallest DTMF bleed could be extremely detrimental to an organization – both financially and with regards to its reputation. Fines for non-compliance can range from $5,000 to $100,000 per month! There could also be additional fines for repeat violations, depending on the merchant’s acquiring bank. These fines can be reassessed monthly – rising over time – until the merchant is in full compliance. If the merchant still doesn’t comply, its ability to accept credit cards may eventually be revoked.
How to Prevent DTMF Bleed
Fortunately, there are actionable steps contact centers and payment processors can take to mitigate the risk of DTMF Bleed:
- Work with a Qualified Security Assessor (QSA). QSAs are well versed in PCI DSS and in the telephone-payment guidance, and are better placed than an in-house team to recognise and challenge a solution that allows DTMF bleed in the first place.
- Ensure proper testing and monitoring. The PCI SSC guidance recommends 'regular review of the signal to validate the efficiency of the DTMF solution'. Freely available engineering tools can do this: Audacity's spectrogram view makes even a few milliseconds of residual tone visible in a call recording, and Wireshark can capture the SIP/RTP leg to confirm that DTMF is not also leaking out-of-band as RFC 4733 telephone-event packets or SIP INFO. Test with real key presses on every trunk and codec in use, not just on a lab line.
- Check that your DTMF masking solution has built-in bleed protection and bleed removal features to ensure DTMF digits cannot be recovered.
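The following is an added example, not Semafone's code or any vendor's product, to make two of the points above concrete: first, that a few milliseconds of bleed are enough to recover a digit once you match the fragment against the 16 known DTMF frequency pairs instead of using a normal detector with its minimum-duration rule; second, what an automated "review of the signal" looks like. The audio is constructed in the script itself: 8 kHz mono, one key press on a noisy line, and a hypothetical detection-based masker with a 3 ms detection latency that substitutes a 440 Hz flat tone (the flat-tone frequency, the latency and the lookahead figure are all assumptions). Digit recovery is done by a least-squares fit against each row/column pair rather than by a production Goertzel detector, because the fit works on windows far shorter than a detector would accept.

```python
"""Added example (not vendor code): recover a DTMF digit from a few ms of
in-band bleed, and scan a constructed call recording for such bleed."""
import math
import random

SAMPLE_RATE = 8000  # narrowband telephony, samples per second (assumed)

# ITU-T Q.23 keypad: low-group (row) x high-group (column) frequency -> key
ROW_FREQS = (697.0, 770.0, 852.0, 941.0)
COL_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)
KEYS = (("1", "2", "3", "A"), ("4", "5", "6", "B"),
        ("7", "8", "9", "C"), ("*", "0", "#", "D"))
KEY_FREQS = {KEYS[r][c]: (ROW_FREQS[r], COL_FREQS[c])
             for r in range(4) for c in range(4)}


def _solve(a, b):
    """Solve the small dense system a*x = b by Gaussian elimination (pivoting)."""
    n = len(b)
    m = [a[i][:] + [b[i]] for i in range(n)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(m[r][i]))
        m[i], m[p] = m[p], m[i]
        for r in range(i + 1, n):
            f = m[r][i] / m[i][i]
            for c in range(i, n + 1):
                m[r][c] -= f * m[i][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][c] * x[c] for c in range(i + 1, n))) / m[i][i]
    return x


def _residual_fraction(samples, freqs, fs):
    """Least-squares fit of the window to cos/sin at the given frequencies.
    Returns residual energy / window energy: ~0 when the window is that pair."""
    n = len(samples)
    basis = []
    for f in freqs:
        w = 2 * math.pi * f / fs
        basis.append([math.cos(w * i) for i in range(n)])
        basis.append([math.sin(w * i) for i in range(n)])
    gram = [[sum(x * y for x, y in zip(bi, bj)) for bj in basis] for bi in basis]
    rhs = [sum(x * s for x, s in zip(bi, samples)) for bi in basis]
    coef = _solve(gram, rhs)
    energy = sum(s * s for s in samples)
    if energy == 0.0:
        return 1.0
    resid = sum((s - sum(c * b[i] for c, b in zip(coef, basis))) ** 2
                for i, s in enumerate(samples))
    return resid / energy


def classify_dtmf(samples, fs=SAMPLE_RATE, max_residual=0.05):
    """Key whose frequency pair best explains the window, or None if none fits.
    No minimum tone length is enforced, which is why a short bleed is enough."""
    best_key, best_resid = None, 1.0
    for key, freqs in KEY_FREQS.items():
        r = _residual_fraction(samples, freqs, fs)
        if r < best_resid:
            best_key, best_resid = key, r
    return best_key if best_resid <= max_residual else None


def synth_call(key, onset_ms=100, tone_ms=60, total_ms=200, fs=SAMPLE_RATE, seed=1):
    """Constructed caller audio: low-level line noise plus one key press."""
    rng = random.Random(seed)
    lo, hi = KEY_FREQS[key]
    out = [rng.uniform(-0.005, 0.005) for _ in range(int(fs * total_ms / 1000))]
    start, end = int(fs * onset_ms / 1000), int(fs * (onset_ms + tone_ms) / 1000)
    for i in range(start, end):
        t = i / fs
        out[i] += 0.25 * (math.sin(2 * math.pi * lo * t) + math.sin(2 * math.pi * hi * t))
    return out


def mask_tone(samples, onset_ms, tone_ms, latency_ms, lookahead_ms=0.0, fs=SAMPLE_RATE):
    """Model of a detection-based masker (assumption, not a real product).
    The detector confirms the tone latency_ms after onset; the mask starts that
    late unless the audio path is delayed by lookahead_ms, which lets the mask
    cover the onset. Replacement is a hypothetical 440 Hz flat tone."""
    start = int(fs * max(onset_ms + latency_ms - lookahead_ms, 0.0) / 1000)
    end = int(fs * (onset_ms + tone_ms) / 1000)
    out = samples[:]
    for i in range(start, end):
        out[i] = 0.3 * math.sin(2 * math.pi * 440.0 * i / fs)
    return out


def scan_for_bleed(samples, fs=SAMPLE_RATE, window_ms=3.0, hop_ms=1.0, floor=1e-4):
    """Slide a short window over a recording; report (ms, key) wherever a DTMF
    pair is still recoverable. Windows below the energy floor are skipped."""
    win, hop = int(fs * window_ms / 1000), int(fs * hop_ms / 1000)
    hits = []
    for start in range(0, len(samples) - win + 1, hop):
        chunk = samples[start:start + win]
        if sum(s * s for s in chunk) / win < floor:
            continue
        key = classify_dtmf(chunk, fs)
        if key is not None:
            hits.append((1000.0 * start / fs, key))
    return hits


def demo():
    caller = synth_call("5")
    leaky = mask_tone(caller, 100, 60, latency_ms=3.0)                   # 3 ms bleed
    fixed = mask_tone(caller, 100, 60, latency_ms=3.0, lookahead_ms=5.0)  # buffered path
    return {"unmasked": classify_dtmf(caller[800:1280]),  # the full 60 ms tone
            "leaky": scan_for_bleed(leaky), "fixed": scan_for_bleed(fixed)}


if __name__ == "__main__":
    print(demo())
```

Running the script recovers "5" from the unmasked tone, reports the same digit at 100 ms in the "leaky" recording even though only 3 ms (24 samples) of tone survived the masker, and reports nothing for the "fixed" recording, where a 5 ms audio-path delay lets the mask begin before the tone onset reaches the recorder. That delay-line, or masking in the signaling path before the media ever reaches the contact center, is the "built-in bleed protection" to ask a vendor about; the scanner is the kind of check to run on real recordings, alongside the Audacity and Wireshark review above.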
To protect their customers' payment card data and keep their organizations fully PCI DSS compliant, contact center professionals must understand DTMF masking technology and the potential for bleed. It takes only one mistake, in this case a few milliseconds long, to expose an organization to fraud or a headline-grabbing data breach that damages its reputation. With the right technology, proper testing and the help of data security experts, contact centers can safeguard not only their most sensitive data but also their most valuable asset: their customers' trust.
More Editorial From Semafone
Semafone provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. The solution allows a call - and the call recording - to continue as normal whilst the customer enters their credit card information using their telephone keypad. For complete security, Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone and replaces them with a flat tone so they can't be recognised by the call centre agent or recorded on the call recording system. By ensuring all card data remains segregated and by removing Sensitive Authentication Data (SAD) before it hits the call recorder and the contact centre infrastructure, the contact centre is taken out of the scope of PCI DSS, protected against the risk of opportunistic agent fraud and the associated reputational risk.
Published: Thursday, April 25, 2019