As a Participating Organisation of the Payment Card Industry Security Standards Council (PCI SSC), we have long supported its guidance and standards around protecting payment card data specifically in contact centre and phone payment environments.
In consumer research we conducted in late 2018, we found that almost half of consumers questioned had already experienced a compromise of their personal data. Given these results, data security is becoming a major concern for consumers and businesses alike. We believe that outdated and impractical solutions for achieving compliance with PCI DSS, such as pause-and-resume, should be replaced by more advanced and customer-centric systems, such as Dual Tone Multi Frequency (DTMF) masking. The PCI SSC’s recent update to the guidelines around telephone payments has underlined and supported this view.
The use of DTMF masking technology can eliminate data breaches at the contact centre level by preventing payment data from entering the environment in the first place. This is a very clear prevention method: if there is a breach, there is no payment data to be compromised, as this information never reaches the contact centre infrastructure.
DTMF masking technology works by removing any need for the agent to see, hear or store sensitive payment data: the customer simply enters their card details using their telephone keypad at the point a payment is required. The best solutions allow the customer and agent to speak at all times during the process, so the voice flow is uninterrupted as the customer enters their details.
As DTMF masking removes spoken card data, there’s no possibility of the contact centre inadvertently recording sensitive financial information, and the burden of data storage rests solely with the payment provider. From a compliance and security perspective, it’s an almost perfect solution… with one exception: DTMF bleed.
If that terminology sounds sinister, it should. DTMF bleed (often caused by slow-reacting DTMF detection) is a serious problem for some solution vendors and can render a descoped environment in-scope. It occurs if a small amount of DTMF sound passes through the DTMF detector prior to the algorithm recognising and masking it. Put simply, the masking technology meant to secure the process kicks in just too late, potentially exposing payment or personal details. It’s a prevalent feature of older DTMF masking systems.
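The timing problem described above can be measured on agent-side audio. The following is an added example, not code from the original article or from any vendor's product: it models a hypothetical masker whose detector reacts late and reports how many milliseconds of keypad tone survive. The 8 kHz sample rate, 10 ms frame, mute-to-silence behaviour and all function names are assumptions, and the call audio is constructed.

```python
import math

FS = 8000            # sample rate in Hz (assumed, typical telephony)
FRAME = 80           # 10 ms analysis frame (assumed)
LOW = (697, 770, 852, 941)        # standard DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)   # standard DTMF column frequencies

def goertzel(frame, freq):
    """Signal power at `freq` within one frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def has_dtmf(frame):
    """True if a row and a column tone both dominate; presence only, no key."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return False
    floor = 0.25 * energy * len(frame) / 2
    return (max(goertzel(frame, f) for f in LOW) > floor and
            max(goertzel(frame, f) for f in HIGH) > floor)

def frames(samples):
    return [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]

def mask(samples, latency_frames):
    """Hypothetical masker: mutes tone frames, but only after its detector
    has already seen `latency_frames` consecutive tone frames."""
    out, run = [], 0
    for fr in frames(samples):
        run = run + 1 if has_dtmf(fr) else 0
        out.extend([0.0] * FRAME if run > latency_frames else fr)
    return out

def bleed_ms(samples):
    """Milliseconds of DTMF energy still present on the agent-side audio."""
    return sum(has_dtmf(fr) for fr in frames(samples)) * FRAME * 1000 // FS

def constructed_call():
    """Constructed input: 200 ms silence, 100 ms keypress, 100 ms silence."""
    tone = [0.5 * math.sin(2 * math.pi * 770 * n / FS) +
            0.5 * math.sin(2 * math.pi * 1336 * n / FS) for n in range(10 * FRAME)]
    return [0.0] * (20 * FRAME) + tone + [0.0] * (10 * FRAME)

if __name__ == "__main__":
    for lat in (0, 3):
        print(f"latency {lat * 10} ms -> bleed {bleed_ms(mask(constructed_call(), lat))} ms")
```

Running `bleed_ms` over sampled agent-leg recordings from a deployed system gives a simple check: any non-zero result means tone energy reached infrastructure that was meant to be out of scope.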
Because PCI Pal’s cloud technology was purpose-built, DTMF bleed has never been a problem when using our platform to secure payments. It does, though, remain one of the industry’s lingering problems with some alternative solution providers. For deployments where DTMF bleed may be present, this means going back to examine, and in some cases actively upgrade, the solutions that were originally installed.
As time-consuming and costly as that might be, with 72 per cent of contact centres accepting card payments over the phone, we believe it will be fundamental to ensure that legacy technologies are fit for the purpose of securing sensitive payment data shared over voice channels.