Cookie Preference Centre

Your Privacy
Strictly Necessary Cookies
Performance Cookies
Functional Cookies
Targeting Cookies

Your Privacy

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences, your device or used to make the site work as you expect it to. The information does not usually identify you directly, but it can give you a more personalized web experience. You can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, you should know that blocking some types of cookies may impact your experience on the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site may not work then.

Cookies used

Performance Cookies

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.

Cookies used

Google Analytics

Functional Cookies

These cookies allow the provision of enhance functionality and personalization, such as videos and live chats. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these functionalities may not function properly.

Cookies used




Targeting Cookies

These cookies are set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant ads on other sites. They work by uniquely identifying your browser and device. If you do not allow these cookies, you will not experience our targeted advertising across different websites.

Cookies used


This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties


Here are some suggested Connections for you! - Log in to start networking.

Article : Preventing Dual-Tone Multi-Frequency (DTMF) Bleed for PCI DSS Compliance

#contactcenterworld, @Semafone

No matter what industry you operate in, if your call or contact center accepts payments over the phone, odds are that data security is one of your highest priorities. Protecting payment card data and other sensitive information is not only essential to maintaining customer trust and protecting the business from fraudsters; it is also required by a number of different legal regulations and industry standards – from the EU’s General Data Protection Regulation (GDPR) to the Payment Card Industry’s Data Security Standard (PCI DSS) and more. Contact center professionals may already be familiar with solutions like Dual-Tone Multi-Frequency (DTMF) masking to help protect telephone-based payments and meet compliance with these regulations, but what many do not realize is that not all DTMF masking implementations are fool-proof. In fact, some forms of DTMF masking can include technical risks that must be mitigated in order to ensure you’re adequately protecting card data and maintaining PCI DSS compliance.

Late last year, the Payment Card Industry Security Standards Council (PCI SSC) unveiled its newly-revised Guidance for Protecting Telephone-based Payment Card Data. In the updated guidance, the Council highlights DTMF masking as a viable method for descoping the contact center and its data from PCI DSS compliance. However, it also raised the issue of a potential risk associated with this technology: DTMF Bleed. Before we dive deeper into what DTMF Bleed is and how you can prevent it, let’s take a closer look at DTMF masking and how it works:

What is DTMF masking?

A DTMF masking solution enables contact centers to securely accept payments over the phone. Rather than reading their payment card details aloud to a customer service representative (CSR), the caller can simply input their card numbers themselves, by using their telephone’s touchtone keypad. DTMF masking replaces the keypad tones with a flat tone, which ensures that the card numbers are not heard by the CSR or captured on call recordings. Throughout the transaction, the CSR is able to remain in full voice communication with the customer in order to answer any questions that may arise.

Once the customer has input the numbers and the system has verified that the information is correct, it can then seamlessly pass the transaction data through to the payment service provider (PSP) for processing, bypassing the CSR and their desktop. This provides a way for companies to process sensitive information without it being handled directly by the contact center – thereby keeping the contact center and its IT and telephony infrastructure out of the scope of compliance for PCI DSS.

Sponsor message - content continues below this message

2022 '17th annual' Global Contact Center World Awards NOW OPEN

Enter your Center, Strategy, Technology Innovation, Teams and Individuals into the ONLY TRULY GLOBAL awards program - regarded by many as being like the Olympics for the Contact Center World! Join the best from over 80 nations and compete for the most prestigious awards out there!


Content continues ….

How Proper DTMF Masking Helps PCI DSS Compliance

One of the biggest benefits of DTMF masking is that it allows a contact center to record phone calls without worrying about capturing sensitive cardholder data on the recording. Organizations in highly regulated industries such as financial services are often mandated to record all telephone conversations that involve financial transactions with customers. Even organizations in other industries may record customer calls for a variety of reasons such as for training, quality control, legal purposes, or even to measure customer sentiment. These organization’s contact centers are then faced with the challenge of how to record calls while still complying with PCI DSS, which stipulates that sensitive authentication data such as three or four-digit security codes (CID, CVC2, CVV2 or CAV2) must never be recorded or stored.

Some organizations implement Pause-and-Resume (or Stop/Start) recording systems, as they appear to offer a quick fix by enabling the call recording to be either manually or automatically paused at the point of payment and resumed once payment is complete. But Pause-and-Resume only prevents the card data from being recorded and stored when used properly 100 percent of the time. In reality, this method can often be prone to errors and exposes organizations to considerable risk. CSRs may forget to pause the recording before the customer reads their payment card numbers or may forget to resume the call once the customer is done. Automated Pause-and-Resume solutions, as well, are far from perfect and can frequently make mistakes. Moreover, with Pause-and-Resume solutions, though the call recording is paused, the CSR can still hear the customer’s card details being relayed verbally and could choose to write them down, for fraudulent use later.

DTMF masking eliminates the need for Pause-and-Resume by ensuring that sensitive payment card data is kept out of the contact center in the first place and is never recorded or stored anywhere in its technology infrastructure. This means the entire contact center environment stays out of the scope of PCI DSS, allowing organizations to both maintain customer trust and reduce the risk of a brand-damaging data breach.

There are also substantial non-compliance related benefits to implementing a DTMF masking solution in a call center:

  • Better Customer Experience – The best DTMF masking solutions never require a call to be rerouted or transferred. CSRs remain in constant verbal communication with the customer while taking a payment, allowing easy assistance if any issues occur.

  • Reduction in Average Handling Time– The solution provides a single point of numerical entry, reducing opportunities for error during the collection of payment information. Because of this, information doesn’t need to be recaptured or corrected by the CSR, removing the need for a representative to read back or confirm the card details to the caller. In addition, while the customer enters their credit card information, the CSR is free to carry out wrap-up activities during this time.

  • Better CSR Experience – Not having the CSR exposed to sensitive payment data removes the need for restrictive PCI controls for employees. The CSR can be given access to the tools they need to do their job effectively without having to go through excessive security procedures.

  • Lower Risk of Data Being Hacked – Because payment card data is no longer being stored, transmitted, or processed within the contact center infrastructure, hackers are not able to steal payment card information. Hackers can’t hack what you don’t hold!

Yet, despite the many benefits of DTMF masking, the PCI SSC’s updated Guidance makes it clear that it does have one potential, and sometimes significant risk: DTMF Bleed.

What is DTMF Bleed and How Can It Be Stopped?

Some DTMF masking solutions rely on DTMF detection to understand when to begin masking the tones. This can introduce a delay and the initial portion of the DTMF tone may not be masked. This is an example of what’s known as DTMF Bleed; where DTMF tones have been identified but for whatever reason not completely obfuscated. The PCI SSC stresses that to be compliant, organizations must ensure that all DTMF tones – even the smallest, initial portions of the "DTMF Bleed" that may have been inadvertently missed by the masking process – are not present in the environment.

If DTMF bleed occurs, there is the potential for DTMF digits to be exposed, meaning card data is revealed, and the organization is brought back into scope for PCI DSS. Testing has found that even with a bleed duration as short as 2-3 milliseconds, a DTMF digit could be exposed, highlighting just how crucial it is to ensure all DTMF bleed is removed.

Noncompliance due to even the smallest DTMF bleed could be extremely detrimental to an organization – both financially and with regards to its reputation. Fines for non-compliance can range from $5,000 to $100,000 per month! There could also be additional fines for repeat violations, depending on the merchant’s acquiring bank. These fines can be reassessed monthly – rising over time – until the merchant is in full compliance. If the merchant still doesn’t comply, its ability to accept credit cards may eventually be revoked.

How to Prevent DTMF Bleed

Fortunately, there are actionable steps contact centers and payment processors can take to mitigate the risk of DTMF Bleed:

  • Work with a Qualified Security Assessor (QSA). These experts are well-versed in PCI DSS compliance and may be more vigilant in monitoring and responding to solutions that are allowing DTMF Bleed to occur in the first place.

  • Ensure proper testing and monitoring. The PCI SSC guidance recommends ‘regular review of the signal to validate the efficiency of the DTMF solution’. There are freely available engineering tools like Audacity or Wireshark that can be used to test for DTMF Bleed and easily identify telephony environments where card data is leaking.

  • Check that your DTMF masking solution has built-in bleed protection and bleed removal features to ensure DTMF digits cannot be recovered.

In order to protect their customers’ payment card data and ensure their organizations are fully PCI DSS compliant, contact center professionals must be well educated on the subject of DTMF masking technology and the potential for bleed. It only takes one mistake – in this case, a few milliseconds long – to expose an organization to the potential for fraud or a head-line grabbing data breach that damages the company’s reputation. But with the right technology solutions, proper testing and the help of data security experts, contact centers can ensure they are safeguarding not only their most sensitive data, but also their most valuable asset: their customers’ trust.

#contactcenterworld, @Semafone

About Semafone:
Company LogoSemafone provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. The solution allows a call - and the call recording - to continue as normal whilst the customer enters their credit card information using their telephone keypad. For complete security, Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone and replaces them with a flat tone so they can't be recognised by the call centre agent or recorded on the call recording system. By ensuring all card data remains segregated and by removing Sensitive Authentication Data (SAD) before it hits the call recorder and the contact centre infrastructure, the contact centre is taken out of the scope of PCI DSS, protected against the risk of opportunistic agent fraud and the associated reputational risk.
Company RSS Feed   Company Facebook   Company Twitter   Company YouTube   Company LinkedIn   Company Profile Page

Today's Tip of the Day - Every Contact Counts

Read today's tip or listen to it on podcast.

Published: Thursday, April 25, 2019

Printer Friendly Version Printer friendly version

2021 Buyers Guide Business Continuity


CallGuard Remote
A flexible way to take secure, PCI DSS compliant payments from home or remote locations. It’s quick to deploy needs no changes to processes or systems.

CallGuard Remote prevents agents from seeing, hearing or recording card details so, the agent, their screen, and any call recordings are removed from the scope of PCI DSS.

This simple approach means the customer effectively types their own payment information into the agent’s payment screen, but with the card details being shielded from the agent’s view. It’s simple, and highly effective.

OpsTel Services

The SPEED solution solves for service level issues while cost optimizing the environment with automation.

Provides an enhanced way to speed up & optimize invoking temporary agent skills configuration changes into the contact center environment.

Speed allows you to schedule both future changes & temporary changes that auto-revert back to the original state when scheduled time expires.

Speed features:

*Automated / Scheduled Temporary Agent Skills Configuration Management
*Immediate Temporary or Reoccurring Schedule Skills Configuration Changes
*Easy to Use/Operations Administration Focused
*Descriptive Monitoring Activity Dashboard
*Detailed “End to End’ Audit Trail and Perfor...
(read more)


VADS Business Continuity Plan
VADS provides a business continuity plan by providing full outsource services and manage services. we've provided this to several clients. You can contact us for a detailed study case.

Teckinfo Solutions Pvt. Ltd.

InterDialog UCCS
Adapting to the new normal contact center industry has to be ready for work from anywhere agents to maintain business continuity. Even when working from remote locations, the work from home agents or remote agents need to be monitored for smooth customer service operations or effective tele sales.

InterDialog UCCS with its work from home agent ready call center software helps you to have complete control over your contact center operations. Agents can log in from any where , home, office or any other place where they are through their mobile phone or desktop , or even through our ID mobile app . With centralized recording & reporting , you gain visibility of all contact center metrics , and you can manage your center the same way as you were doing when working from office.

About us - in 60 seconds!

Submit Event

Upcoming Events

Everything You Want To Know About The Most Prestigious Awards In The Industry! Read More...

Latest Americas Newsletter
both ids empty
session userid =
session UserTempID =
session adminlevel =
session blnTempHelpChatShow =
session cookie set = True
session page-view-total =
session page-view-total =
applicaiton blnAwardsClosed =
session blnCompletedAwardInterestPopup =
session blnCheckNewsletterInterestPopup =
session blnCompletedNewsletterInterestPopup =