No matter what industry you operate in, if your call or contact center accepts payments over the phone, odds are that data security is one of your highest priorities. Protecting payment card data and other sensitive information is not only essential to maintaining customer trust and protecting the business from fraudsters; it is also required by a number of different legal regulations and industry standards – from the EU’s General Data Protection Regulation (GDPR) to the Payment Card Industry’s Data Security Standard (PCI DSS) and more. Contact center professionals may already be familiar with solutions like Dual-Tone Multi-Frequency (DTMF) masking to help protect telephone-based payments and comply with these regulations, but what many do not realize is that not all DTMF masking implementations are foolproof. In fact, some forms of DTMF masking carry technical risks that must be mitigated in order to ensure you’re adequately protecting card data and maintaining PCI DSS compliance.
Late last year, the Payment Card Industry Security Standards Council (PCI SSC) unveiled its newly revised Guidance for Protecting Telephone-based Payment Card Data. In the updated guidance, the Council highlights DTMF masking as a viable method for descoping the contact center and its data from PCI DSS compliance. However, it also raises the issue of a potential risk associated with this technology: DTMF Bleed. Before we dive deeper into what DTMF Bleed is and how you can prevent it, let’s take a closer look at DTMF masking and how it works:
What is DTMF masking?
A DTMF masking solution enables contact centers to securely accept payments over the phone. Rather than reading their payment card details aloud to a customer service representative (CSR), the caller can simply input their card numbers themselves, by using their telephone’s touchtone keypad. DTMF masking replaces the keypad tones with a flat tone, which ensures that the card numbers are not heard by the CSR or captured on call recordings. Throughout the transaction, the CSR is able to remain in full voice communication with the customer in order to answer any questions that may arise.
Once the customer has input the numbers and the system has verified that the information is correct, it can then seamlessly pass the transaction data through to the payment service provider (PSP) for processing, bypassing the CSR and their desktop. This provides a way for companies to process sensitive information without it being handled directly by the contact center – thereby keeping the contact center and its IT and telephony infrastructure out of the scope of compliance for PCI DSS.
How Proper DTMF Masking Helps PCI DSS Compliance
One of the biggest benefits of DTMF masking is that it allows a contact center to record phone calls without worrying about capturing sensitive cardholder data on the recording. Organizations in highly regulated industries such as financial services are often mandated to record all telephone conversations that involve financial transactions with customers. Even organizations in other industries may record customer calls for a variety of reasons such as for training, quality control, legal purposes, or even to measure customer sentiment. These organizations’ contact centers are then faced with the challenge of how to record calls while still complying with PCI DSS, which stipulates that sensitive authentication data such as three or four-digit security codes (CID, CVC2, CVV2 or CAV2) must never be recorded or stored.
Some organizations implement Pause-and-Resume (or Stop/Start) recording systems, as they appear to offer a quick fix by enabling the call recording to be either manually or automatically paused at the point of payment and resumed once payment is complete. But Pause-and-Resume only prevents the card data from being recorded and stored when used properly 100 percent of the time. In reality, this method can often be prone to errors and exposes organizations to considerable risk. CSRs may forget to pause the recording before the customer reads their payment card numbers or may forget to resume the call once the customer is done. Automated Pause-and-Resume solutions, as well, are far from perfect and can frequently make mistakes. Moreover, with Pause-and-Resume solutions, though the call recording is paused, the CSR can still hear the customer’s card details being relayed verbally and could choose to write them down, for fraudulent use later.
DTMF masking eliminates the need for Pause-and-Resume by ensuring that sensitive payment card data is kept out of the contact center in the first place and is never recorded or stored anywhere in its technology infrastructure. This means the entire contact center environment stays out of the scope of PCI DSS, allowing organizations to both maintain customer trust and reduce the risk of a brand-damaging data breach.
There are also substantial benefits unrelated to compliance to implementing a DTMF masking solution in a call center:
Yet, despite the many benefits of DTMF masking, the PCI SSC’s updated Guidance makes it clear that it does have one potential, and sometimes significant, risk: DTMF Bleed.
What is DTMF Bleed and How Can It Be Stopped?
Some DTMF masking solutions rely on DTMF detection to understand when to begin masking the tones. This can introduce a delay, and the initial portion of the DTMF tone may not be masked. This is an example of what’s known as DTMF Bleed: DTMF tones have been identified but, for whatever reason, not completely obfuscated. The PCI SSC stresses that to be compliant, organizations must ensure that all DTMF tones – even the smallest, initial portions of the "DTMF Bleed" that may have been inadvertently missed by the masking process – are not present in the environment.
If DTMF bleed occurs, there is the potential for DTMF digits to be exposed, meaning card data is revealed, and the organization is brought back into scope for PCI DSS. Testing has found that even with a bleed duration as short as 2-3 milliseconds, a DTMF digit could be exposed, highlighting just how crucial it is to ensure all DTMF bleed is removed.
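The detection delay described above can be reproduced and measured on synthetic audio. The following is an added example, not code from Semafone or the PCI SSC guidance: it models a masker that only reacts one frame after its detector fires, then measures how much DTMF energy is still present in the output. The 20 ms frame size, the 400 Hz flat tone, the detection threshold and the `lookahead` variant (output held back one frame) are assumptions made for this example.

```python
import math

RATE = 8000                        # telephony sample rate, Hz
ROWS, COLS = (697, 770, 852, 941), (1209, 1336, 1477, 1633)   # standard DTMF pairs
FLAT_HZ = 400                      # replacement tone frequency (assumed for this example)

def tone(freqs, ms, amp=0.4):
    """Sum of sine waves at `freqs`, `ms` milliseconds long."""
    n = RATE * ms // 1000
    return [amp * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]

def goertzel(frame, freq):
    """Power at a single frequency, normalised by frame length squared."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2

def has_dtmf(frame, threshold=0.01):
    """True when a row frequency and a column frequency both carry energy."""
    return (max(goertzel(frame, f) for f in ROWS) > threshold and
            max(goertzel(frame, f) for f in COLS) > threshold)

def mask(audio, frame_ms=20, lookahead=False):
    """Detection-triggered masker working on fixed frames.

    lookahead=False: the detector's verdict on a frame only takes effect on the
    next frame, so the onset of each tone passes through (the bleed).
    lookahead=True: output is held back one frame, so the frame that triggered
    detection is itself replaced.
    """
    n = RATE * frame_ms // 1000
    flat = tone((FLAT_HZ,), frame_ms)
    out, armed = [], False
    for i in range(0, len(audio), n):
        frame = audio[i:i + n]
        hit = has_dtmf(frame)
        replace = hit if lookahead else (hit and armed)
        out += flat[:len(frame)] if replace else frame
        armed = hit
    return out

def bleed_ms(audio, window_ms=5):
    """Total milliseconds of audio in which a DTMF pair is still detectable."""
    n = RATE * window_ms // 1000
    return sum(window_ms for i in range(0, len(audio) - n + 1, n)
               if has_dtmf(audio[i:i + n]))

# Constructed sample: 40 ms silence, a 100 ms keypress (697 + 1209 Hz), 40 ms silence.
CALL = [0.0] * 320 + tone((697, 1209), 100) + [0.0] * 320

if __name__ == "__main__":
    print("unmasked:", bleed_ms(CALL), "ms")
    print("detect-then-mask:", bleed_ms(mask(CALL)), "ms")
    print("with lookahead:", bleed_ms(mask(CALL, lookahead=True)), "ms")
```

The 5 ms measurement window sets the shortest residue this check can resolve, and the sample tone is aligned to frame boundaries; a production test would use recordings from the real signal path and a finer analysis.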
Noncompliance due to even the smallest DTMF bleed could be extremely detrimental to an organization – both financially and with regard to its reputation. Fines for non-compliance can range from $5,000 to $100,000 per month! There could also be additional fines for repeat violations, depending on the merchant’s acquiring bank. These fines can be reassessed monthly – rising over time – until the merchant is in full compliance. If the merchant still doesn’t comply, its ability to accept credit cards may eventually be revoked.
How to Prevent DTMF Bleed
Fortunately, there are actionable steps contact centers and payment processors can take to mitigate the risk of DTMF Bleed:
In order to protect their customers’ payment card data and ensure their organizations are fully PCI DSS compliant, contact center professionals must be well educated on the subject of DTMF masking technology and the potential for bleed. It only takes one mistake – in this case, a few milliseconds long – to expose an organization to the potential for fraud or a headline-grabbing data breach that damages the company’s reputation. But with the right technology solutions, proper testing and the help of data security experts, contact centers can ensure they are safeguarding not only their most sensitive data, but also their most valuable asset: their customers’ trust.
Semafone provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. The solution allows a call - and the call recording - to continue as normal whilst the customer enters their credit card information using their telephone keypad. For complete security, Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone and replaces them with a flat tone so they can't be recognised by the call centre agent or recorded on the call recording system. By ensuring all card data remains segregated and by removing Sensitive Authentication Data (SAD) before it hits the call recorder and the contact centre infrastructure, the contact centre is taken out of the scope of PCI DSS, protected against the risk of opportunistic agent fraud and the associated reputational risk.
Published: Thursday, April 25, 2019