No matter what industry you operate in, if your call or contact center accepts payments over the phone, data security is almost certainly one of your highest priorities. Protecting payment card data and other sensitive information is not only essential to maintaining customer trust and protecting the business from fraudsters; it is also required by a number of legal regulations and industry standards, from the EU's General Data Protection Regulation (GDPR) to the Payment Card Industry's Data Security Standard (PCI DSS) and more. Contact center professionals may already be familiar with solutions like Dual-Tone Multi-Frequency (DTMF) masking to help protect telephone-based payments and meet compliance with these regulations, but what many do not realize is that not all DTMF masking implementations are foolproof. In fact, some forms of DTMF masking carry technical risks that must be mitigated to ensure you are adequately protecting card data and maintaining PCI DSS compliance.
Late in 2018, the Payment Card Industry Security Standards Council (PCI SSC) unveiled its revised Guidance for Protecting Telephone-based Payment Card Data. In the updated guidance, the Council highlights DTMF masking as a viable method for taking the contact center environment, and the card data that would otherwise flow through it, out of PCI DSS scope. However, it also raised a potential risk associated with this technology: DTMF Bleed. Before we dive deeper into what DTMF Bleed is and how you can prevent it, let's take a closer look at DTMF masking and how it works:
What is DTMF masking?
A DTMF masking solution enables contact centers to accept payments over the phone securely. Rather than reading their payment card details aloud to a customer service representative (CSR), the caller inputs the card numbers themselves using the telephone's touchtone keypad. The masking component sits on the audio path upstream of the agent and the recorder and replaces each keypad tone with a flat tone, so the card numbers are neither heard by the CSR nor captured on the call recording. Throughout the transaction, the CSR remains in full voice communication with the customer to answer any questions that arise.
Once the customer has entered the numbers and the system has validated them, it passes the transaction data directly to the payment service provider (PSP) for processing, bypassing the CSR and their desktop. This lets companies process sensitive information without it ever being handled by the contact center, keeping the contact center and its IT and telephony infrastructure out of PCI DSS scope.
How Proper DTMF Masking Helps PCI DSS Compliance
One of the biggest benefits of DTMF masking is that it allows a contact center to record phone calls without worrying about capturing sensitive cardholder data on the recording. Organizations in highly regulated industries such as financial services are often mandated to record all telephone conversations that involve financial transactions with customers. Organizations in other industries may record customer calls for a variety of reasons, such as training, quality control, legal purposes, or measuring customer sentiment. These organizations' contact centers are then faced with the challenge of recording calls while still complying with PCI DSS, which stipulates that sensitive authentication data (SAD) such as the three- or four-digit card security code (CID, CVC2, CVV2 or CAV2) must not be stored after authorization, and a call recording that contains it is stored data.
Some organizations implement Pause-and-Resume (or Stop/Start) recording, which appears to offer a quick fix: the call recording is paused, manually or automatically, at the point of payment and resumed once payment is complete. But Pause-and-Resume only keeps card data off the recording if it is used correctly every single time. In reality, this method is prone to error and exposes organizations to considerable risk. CSRs may forget to pause the recording before the customer reads out their card numbers, or forget to resume it once the customer is done. Automated Pause-and-Resume solutions are not foolproof either; if the trigger fires late, or not at all, the data is captured. Moreover, even while the recording is paused the CSR can still hear the customer's card details being read out and could write them down for fraudulent use later.
DTMF masking eliminates the need for Pause-and-Resume by keeping sensitive payment card data out of the contact center in the first place, so it is never recorded or stored anywhere in the contact center's technology infrastructure. Provided the masking is complete (see DTMF Bleed below), the entire contact center environment stays out of PCI DSS scope, allowing organizations both to maintain customer trust and to reduce the risk of a brand-damaging data breach.
There are also substantial benefits, beyond compliance, to implementing a DTMF masking solution in a call center:
Yet, despite the many benefits of DTMF masking, the PCI SSC's updated Guidance makes it clear that it carries one potential, and sometimes significant, risk: DTMF Bleed.
What is DTMF Bleed and How Can It Be Stopped?
Some DTMF masking solutions rely on DTMF detection to decide when to start masking: the masker has to hear enough of a tone to classify it before it can suppress it, so the leading portion of each tone can pass through unmasked. This is an example of what's known as DTMF Bleed: DTMF tones that have been identified but, for whatever reason, not completely obfuscated. The PCI SSC stresses that, to be compliant, organizations must ensure that no DTMF tones at all, not even the initial few milliseconds that the masking process may have inadvertently missed, are present in the environment.
If DTMF bleed occurs, DTMF digits may be exposed, meaning card data is revealed and the organization is brought back into PCI DSS scope. Testing has found that a bleed as short as 2-3 milliseconds can be enough to expose a DTMF digit. That is less surprising than it sounds: a DTMF digit is simply two simultaneous sinusoids at standardized frequencies (one low-group tone of 697, 770, 852 or 941 Hz and one high-group tone of 1209, 1336, 1477 or 1633 Hz), so a frequency detector needs only a brief, clean fragment of both tones to classify the key. This is why all DTMF bleed has to be removed, not merely reduced.
Noncompliance due to even the smallest DTMF bleed could be extremely detrimental to an organization, both financially and in terms of reputation. Fines for non-compliance can range from $5,000 to $100,000 per month, with additional fines for repeat violations depending on the merchant's acquiring bank. These fines can be reassessed monthly, rising over time, until the merchant is in full compliance. If the merchant still does not comply, its ability to accept credit cards may eventually be revoked.
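To make the bleed risk concrete, here is an added example written for this article (it is not Semafone's code, nor anything from the PCI SSC guidance). It synthesizes a clean key press, passes it through a model of a detection-based masker that lets the first few milliseconds through before suppressing the rest, and then runs a Goertzel detector, the standard building block of DTMF decoders, over the "masked" recording to see whether the key can still be recovered. The 8 kHz sample rate, tone amplitude, the use of silence in place of the product's flat tone, and the 100 ms key-press length are all assumptions chosen for the simulation.

```python
import math

SAMPLE_RATE = 8000  # narrowband telephony (G.711) sample rate; an assumption for the simulation

# Standard DTMF frequency groups: each key is one low-group plus one high-group tone.
DTMF_LOW = (697, 770, 852, 941)
DTMF_HIGH = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")  # rows follow the low group, columns the high group


def synth_digit(digit, duration_ms, amplitude=0.4, rate=SAMPLE_RATE):
    """Synthesize a clean DTMF key press as a list of float samples (constructed test input)."""
    for row_index, row in enumerate(KEYPAD):
        if digit in row:
            f_low = DTMF_LOW[row_index]
            f_high = DTMF_HIGH[row.index(digit)]
            break
    else:
        raise ValueError("not a DTMF digit: %r" % digit)
    n = int(rate * duration_ms / 1000)
    return [
        amplitude * (math.sin(2 * math.pi * f_low * i / rate) + math.sin(2 * math.pi * f_high * i / rate))
        for i in range(n)
    ]


def detection_based_mask(samples, latency_ms, rate=SAMPLE_RATE):
    """Model a masker that suppresses audio only once its own DTMF detector has fired.

    Everything before the detector fires passes through untouched: that prefix is the
    DTMF bleed. The suppressed part is modelled as silence (an assumption; a real product
    substitutes a flat tone outside the DTMF bands, which the detector below ignores too).
    """
    leak = min(len(samples), int(rate * latency_ms / 1000))
    return samples[:leak] + [0.0] * (len(samples) - leak)


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Energy of `samples` at one target frequency (Goertzel algorithm, the usual DTMF detector core)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    # |X(freq)|^2 from the last two recursion states; trailing silence does not change it
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_digit(samples, min_power=1.0):
    """Classify audio as a DTMF key: strongest low-group tone plus strongest high-group tone.

    Returns None when either group carries no meaningful energy, i.e. properly masked audio.
    """
    if not samples:
        return None
    low = {f: goertzel_power(samples, f) for f in DTMF_LOW}
    high = {f: goertzel_power(samples, f) for f in DTMF_HIGH}
    f_low = max(low, key=low.get)
    f_high = max(high, key=high.get)
    if low[f_low] < min_power or high[f_high] < min_power:
        return None
    return KEYPAD[DTMF_LOW.index(f_low)][DTMF_HIGH.index(f_high)]


def min_bleed_ms(digit, max_ms=20, press_ms=100):
    """Shortest bleed (in ms) at which a key press leaks through the masker recoverably, or None."""
    press = synth_digit(digit, press_ms)
    for ms in range(1, max_ms + 1):
        if decode_digit(detection_based_mask(press, ms)) == digit:
            return ms
    return None


if __name__ == "__main__":
    for key in "123A456B789C*0#D":
        print("key %s: recoverable from %s ms of bleed" % (key, min_bleed_ms(key)))
```

Running it reports, for each of the 16 keys, the shortest bleed at which the detector recovers the digit from the recording; with a 0 ms bleed (the masker suppresses the whole tone) `decode_digit` returns None. The practical takeaway is the verification step: after deploying any DTMF masking, record a test call in which a known card-length sequence is keyed in, run a DTMF detector of this kind over the recording and the agent-side audio, and confirm it finds nothing.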
How to Prevent DTMF Bleed
Fortunately, there are actionable steps contact centers and payment processors can take to mitigate the risk of DTMF Bleed:
In order to protect their customers' payment card data and ensure their organizations are fully PCI DSS compliant, contact center professionals must be well educated on DTMF masking technology and the potential for bleed. It only takes one mistake, in this case a few milliseconds long, to expose an organization to fraud or a headline-grabbing data breach that damages the company's reputation. But with the right technology solutions, proper testing and the help of data security experts, contact centers can ensure they are safeguarding not only their most sensitive data, but also their most valuable asset: their customers' trust.
Semafone provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. The solution allows a call - and the call recording - to continue as normal whilst the customer enters their credit card information using their telephone keypad. For complete security, Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone and replaces them with a flat tone so they can't be recognised by the call centre agent or recorded on the call recording system. By ensuring all card data remains segregated and by removing Sensitive Authentication Data (SAD) before it hits the call recorder and the contact centre infrastructure, the contact centre is taken out of the scope of PCI DSS, protected against the risk of opportunistic agent fraud and the associated reputational risk.
Published: Thursday, April 25, 2019