What is DTMF Masking and why is it critical for PCI DSS Compliance and Payment Security?
As the front line for customer service, the contact centre not only answers service queries but plays a significant role in collecting payments. Many customers prefer talking to an agent, but collecting payments by phone carries inherent security risks, particularly if the organisation has no controls in place, such as IPSI's AgentSecure, secure desktop payment processes or a secure pay-by-phone IVR service, to protect sensitive card data.
The reality is that a voice call with a contact centre agent is rarely an appropriate channel for collecting confidential data such as credit or debit card numbers, social security numbers, national IDs, PINs and CVVs.
That is where DTMF masking services deliver real benefit in securing payment data. DTMF stands for Dual-Tone Multi-Frequency, and it is how the telephone network knows which key a caller has pressed on the keypad. Both mobile phones and landline systems use it. DTMF is the generic term for Touch-Tone (Touch-Tone is a registered trademark of AT&T): a Touch-Tone phone is technically a DTMF generator that produces tones as the buttons are pressed. Each key sounds a pair of tones at once, one from a low-frequency group (one frequency per keypad row) and one from a high-frequency group (one per column), so eight frequencies cover the twelve keys of a telephone keypad (sixteen including the rarely seen A to D column). The pair is sent in-band, as audio, to the switching system, which decodes it back to the original key and takes the necessary action.
Instead of reading card details out to a contact centre agent, the customer keys the digits on the phone keypad during the call, or in an automated IVR, and the transaction completes securely in real time. The IPSI payment platform at the back end decodes the tones exactly as the switching system does and processes the payment, with the contact centre agent removed from the capture of card data. All the agent sees on the desktop are masked digits: enough to tell that digits are being entered, but never the actual card number. This is far more secure, because agents no longer see, hear or handle customer card data.
The potential for fraud with DTMF
With the growth of e-commerce and online banking, DTMF tones have become a target for sophisticated cybercriminals, as part of a wider trend of attackers going after weaknesses in telecommunication network design.
Keying the digits in via DTMF stops the agent hearing the card number, but that solves only one layer of the problem. A malicious agent, or an attacker who can tap the call path, can still intercept the DTMF tones and decode the digits, and call recordings between customers and agents can be analysed afterwards to extract card details.
The details at risk in such a recording include debit or credit card numbers, PINs and CVVs. To keep this information secure, the tones themselves must be protected and masked so they cannot be identified and stolen.
DTMF can also be abused for denial of service: keying in an unsupported sequence of tones, combined with a large number of requests, can crash the payment call-processing software.
What is DTMF masking?
DTMF masking involves intercepting the distinctive audible tone pairs and substituting (masking) them with a flat tone, so that anyone who hears the DTMF audio cannot decode the numbers.
The masking software usually sits between the caller and the call centre (or contact centre) system and converts the DTMF tones to flat tones before the audio reaches the agent.
The key benefit of DTMF masking is that the tones can no longer be identified by the agent, or by any malicious software or tool that intercepts or analyses the call audio: every keypress has been 'masked' to sound the same. This removes the risk of the data being stolen and used for criminal purposes, and so reduces the business's fraud and financial exposure.
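To make the mechanics above concrete (the tone pair behind each key, how a decoder or a recording analyser turns tones back into digits, and what substituting a flat tone does to that attack), here is an added, self-contained Python example written for this article. It is not IPSI's code and does not describe how AgentSecure is implemented. It synthesises keypad audio for a constructed, card-like digit string, decodes it with the Goertzel algorithm (the standard single-frequency detector used in DTMF receivers) to show what an eavesdropper or call-recording analysis recovers, then applies a simple mask that replaces every keypress frame with a single 400 Hz tone, captures the digits for the payment processor and shows the agent only asterisks. The frame size, detection threshold, guard frames, tone timings and the choice of 400 Hz as the flat tone are assumptions made for the example.

```python
"""DTMF key tones, a Goertzel tone decoder, and DTMF masking, pure standard library."""
import math

SAMPLE_RATE = 8000                     # narrowband telephony sample rate, Hz
FRAME = 205                            # ~25.6 ms analysis frame, the classic DTMF detector size at 8 kHz
LOW_FREQS = (697, 770, 852, 941)       # row tones of the keypad
HIGH_FREQS = (1209, 1336, 1477, 1633)  # column tones of the keypad
KEYPAD = ("123A", "456B", "789C", "*0#D")
# Every key is one row tone plus one column tone sounded together ("dual tone").
KEY_TO_FREQS = {KEYPAD[r][c]: (LOW_FREQS[r], HIGH_FREQS[c])
                for r in range(4) for c in range(4)}
TONE_AMP = 0.25        # amplitude of each sinusoid (full scale is 1.0)
DETECT_POWER = 200.0   # assumed Goertzel power needed to call a tone present (~113 tone samples in a frame)
MASK_FREQ = 400        # assumed single fixed-frequency "flat" tone substituted for keypresses


def synth_keys(keys, on_ms=70, off_ms=50):
    """Constructed keypad audio: each key is its tone pair followed by silence."""
    on, off = SAMPLE_RATE * on_ms // 1000, SAMPLE_RATE * off_ms // 1000
    out = []
    for key in keys:
        f_low, f_high = KEY_TO_FREQS[key]
        out.extend(TONE_AMP * (math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
                               + math.sin(2 * math.pi * f_high * i / SAMPLE_RATE))
                   for i in range(on))
        out.extend([0.0] * off)
    return out


def goertzel_power(frame, freq):
    """Energy of one frame at one target frequency: what a tone decoder measures."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frames(samples):
    for start in range(0, len(samples), FRAME):
        yield samples[start:start + FRAME]


def detect_key(frame):
    """Return the key whose row and column tones are both present, else None."""
    power = {f: goertzel_power(frame, f) for f in LOW_FREQS + HIGH_FREQS}
    low, high = max(LOW_FREQS, key=power.get), max(HIGH_FREQS, key=power.get)
    if min(power[low], power[high]) < DETECT_POWER:
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def decode(samples):
    """What an eavesdropper or a call-recording analyser recovers from the audio.
    A keypress is counted once; the silence between presses resets the detector,
    so repeated digits are still distinguished."""
    keys, previous = [], None
    for frame in frames(samples):
        key = detect_key(frame)
        if key is not None and key != previous:
            keys.append(key)
        previous = key
    return "".join(keys)


def mask_dtmf(samples):
    """The masking step: sits between caller and contact centre, captures the digits
    for the payment processor, and hands the contact centre audio in which every
    keypress frame (plus one guard frame either side) is replaced by a flat tone.
    Returns (masked_audio, digits_for_processor, what_the_agent_sees)."""
    chunks = list(frames(samples))
    hit = [detect_key(chunk) is not None for chunk in chunks]
    masked = [hit[i] or (i > 0 and hit[i - 1]) or (i + 1 < len(hit) and hit[i + 1])
              for i in range(len(hit))]
    out, pos = [], 0
    for chunk, is_masked in zip(chunks, masked):
        if is_masked:
            out.extend(TONE_AMP * math.sin(2 * math.pi * MASK_FREQ * (pos + i) / SAMPLE_RATE)
                       for i in range(len(chunk)))
        else:
            out.extend(chunk)
        pos += len(chunk)
    digits = decode(samples)
    return out, digits, "*" * len(digits)


if __name__ == "__main__":
    pan = "4111111111111111"            # constructed, card-like test digits, not a real card
    call_audio = synth_keys(pan)
    print("recording analysis recovers:", decode(call_audio))   # 4111111111111111
    masked_audio, to_processor, agent_view = mask_dtmf(call_audio)
    print("processor receives:", to_processor, "agent sees:", agent_view)
    print("recording analysis of masked audio recovers:", repr(decode(masked_audio)))  # ''
```

Running the block prints the full digit string recovered from the raw call audio and an empty string from the masked audio. It also shows the limitation a practitioner should test for: the mask is only as good as the detector in front of it, which is why the example masks a guard frame either side of each detected keypress, and why a real deployment must be validated against the tone timings and levels that actual handsets and carriers produce rather than the clean constructed signal used here.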
PCI DSS Compliance and DTMF masking
The Payment Card Industry Data Security Standard (PCI DSS) has existed for over a decade and mandates twelve requirements for storing, processing and transmitting cardholder and payment-related data.
The May 2018 update to the standard (PCI DSS v3.2.1) lists these twelve requirements:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel
As you can see, five of those twelve requirements (3, 4, 7, 9 and 10) deal directly with cardholder data: protecting it at rest, encrypting it in transit, and restricting and monitoring access to it.
Requirement 4 is specifically relevant, and it states:
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.
Examples of open, public networks include but are not limited to:
- The Internet
- Wireless technologies, including 802.11 and Bluetooth
- Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
- General Packet Radio Service (GPRS)
- Satellite communications
4.2 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
There are alternatives to DTMF masking, mostly temporary stop-gaps, and usually a combination of the following mechanisms is used:
- Manually pausing the recording when card related data is verbalised.
- Keeping the call centre’s physical space sterile with no pen, paper or any recording devices.
- Training and testing the agents and personnel rigorously.
However, they are cumbersome, prone to human error and in some cases do not meet the stringent needs of PCI DSS; with all of them the agent still hears the card number.
DTMF masking addresses Requirement 4 differently. The masking itself is not encryption: it keeps the card digits out of the agent's hearing, the desktop and the call recording, while the masking platform carries the captured digits to the payment processor over an encrypted channel, which is what Requirement 4 demands. Because the contact centre's own systems never hold cardholder data, much of that environment drops out of PCI DSS scope.
Find out more: PCI DSS remediation by IPSI
The service offers added peace of mind because, in IPSI's case, it is pre-certified as Level 1 PCI DSS compliant.
Why should you implement DTMF Masking?
DTMF masking is a key feature of IPSI's AgentSecure service, our Level 1 PCI DSS compliant contact centre solution. Its benefits go beyond achieving security compliance: it improves customer service, reduces call handling time and ensures payment card data never enters the contact centre.
Improve your customer experience
A common frustration for customers is losing the voice connection with a contact centre agent while the call is diverted to another payment system, such as a pay-by-phone (IVR) service. With AgentSecure the customer stays in voice contact with the agent while the payment data is entered on the phone keypad. Maintaining voice contact gives customers greater confidence and lets the agent handle other enquiries during the payment process, which in turn can reduce abandonment rates, improve customer service and improve cash flow.
Find out more: Contact centre solutions by IPSI
Reduction in call handling time
Call handling times improve because calls run more efficiently with AgentSecure. Since contact with the agent is maintained, payment issues such as insufficient funds or input errors can be resolved during the call. Entering card data on the keypad also saves time: the agent does not need to read the numbers back to check them, and can finalise background tasks while the customer enters the data.
Reduce PCI DSS scope and reduce the risk and financial costs of a data breach
It has never been more important, from both a compliance and a legal perspective, to reduce your risk of a data breach. Australia's Notifiable Data Breaches scheme, introduced in 2018, requires organisations covered by the Privacy Act to assess suspected breaches and to notify the Office of the Australian Information Commissioner and the affected individuals of eligible data breaches. Breaches can no longer be 'swept under the carpet', as companies risk substantial penalties for failing to meet their notification obligations.
IPSI is in the business of helping businesses protect their data and achieve security compliance (PCI DSS) while improving the customer experience. If you wish to speak to a member of our team about AgentSecure and our DTMF Masking technology, contact us on 1300 975 630 or email us at [email protected].