By Aaron Lumnah, Senior Manager, Demand Generation
For many organizations, the contact center is the beating heart of their customer service operation and one of the front lines for communicating with clients. Perhaps even more importantly, the contact center can act as a major hub for payment transactions. For this reason, it’s vital to employ a solution that can process these payments efficiently & securely… protecting sensitive customer data is essential for any business.
When considering how to secure telephone payments in your contact centers, there are a number of technologies available to companies. DTMF masking, clamping, shunting, or suppression is one of them. Let’s take a look into what this technology entails and how it compares.
What is DTMF Masking?
According to Wikipedia, dual-tone multi-frequency (DTMF) is an in-band telecommunication signaling system using the voice-frequency band over telephone lines between telephone equipment and other communications devices and switching centers. In other words, as Margaret Rouse puts it, “DTMF is the signal to the phone company that you generate when you press an ordinary telephone’s touch keys.”
With DTMF masking, rather than someone verbally saying numerical information to a customer service representative (CSR), it is typed into a telephone keypad. Each touch of the keypad generates a corresponding signal which is sent down the call line. Prior to the signaling reaching the contact center environment, it is intercepted by a device which converts it to a data packet, and then passes it directly to its final destination. This provides a way for companies to process sensitive information without it being handled directly by the contact center, and alleviates the need for solutions like pause and resume, or stop/start recording.
How does it work for credit card payment processing?
DTMF suppression can be used to process card payments taken over the telephone. Instead of having a customer read their payment card number aloud to the contact center agent, customers can simply share their card number by inputting it into their telephone keypad. During this process, the incoming data is intercepted and the agent neither sees, nor hears the card number. Instead, they hear flat tones that all sound like zeroes or ones and are presented with masked digits on their desktop in real time.
Once the customer has input the numbers and the system has verified that the information is correct, it can then seamlessly pass the transaction data through to the payment service provider (PSP) for processing, by-passing the agent and their desktop as they do so.
Throughout a transaction no sensitive data is entering the contact center and is not stored or recorded anywhere. Most importantly, the agent is able to stay on the line in full communication with the customer for the duration of the transaction, helping them to troubleshoot if necessary.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is made up of twelve requirements. These requirements cover a wide range of topics, including securing networks, protecting data, access control measures, information security practices, and monitoring and testing. Its overarching aim is that cardholder data be protected by any organization that stores, transmits, or processes this information. Compliance is enforced by regular audits carried out by either a professional Qualified Security Assessor (QSA), Internal Security Assessor (ISA), or through a Self-Assessment Questionnaire (SAQ).
Non-compliance can result in fines, likely to be imposed by the card issuers via the acquiring banks, for any merchant who fails to meet the required standard.
Any organization that takes credit card payments is subject to the rules laid out in the PCI DSS, and they also apply to payments taken over the phone. For those companies taking payments inside a contact center, they must make sure that they:
- Demonstrate evidence of compliance with over 400 security controls which are applicable to any part of the contact center environment handling card data.
- Ensure that sensitive authentication data (CVC2/CVV2 security code) is not stored in any format anywhere, including call recordings.
- Vet new CSRs and conduct appropriate background checks; an expensive and time-consuming process
- Make sure data cannot be removed from the call center by any means; usually by restricting the use of pens and paper and banning mobile phones from the contact center
Fortunately, DTMF masking solutions like Semafone’s Cardprotect Voice+ can stop cardholder data being exposed to the contact center environment, greatly reducing the number of applicable PCI DSS controls for the merchant. Because of this, the Payment Card Industry Security Standards Council (PCI SSC) recognizes DTMF masking as one of the most comprehensive solutions for securing cardholder data and reducing the scope of the contact center for compliance purposes, stating that call “recordings will not capture CHD or SAD if DTMF masking/suppression is implemented prior to the data reaching recording systems (when DTMF is the only acceptance channel).”
Technologies for PCI DSS Compliance
In the past, four alternative methods have been used to help with PCI DSS compliance in the contact center:
’Pause-and-Resume’ call recording solutions – Pausing the call recording at the moment a payment is being taken is often suggested as a means for contact centers to comply with PCI DSS. In reality ‘Pause-and-Resume’ solutions only help merchants with a small part of their PCI footprint, not storing credit card information on call recordings. The CSR, the desktop, plus the remainder of the contact center infrastructure is still in scope for PCI DSS.
In fact, in its Guidance for Protecting Telephone-based Card Payments, the PCI SSC states on page 44 that when using a pause-and-resume solution, “recordings may capture [cardholder data] or [sensitive authentication data]…depending on the accuracy of the pause-and-resume process.” For this reason, the PCI SSC requires the implementation of many stringent and onerous controls to ensure that cardholder data never makes its way onto call recordings, including having managers manually listen to recordings to verify this.
Additionally, in section 6.5.1, when explaining the ability for pause-and-resume to reduce scope within the contact center, the guidance states:
“Pause-and-resume technologies may be manual or automated, and whilst a properly implemented pause-and-resume solution could reduce applicability of PCI DSS by taking the call-recording and storage systems out of scope, the technology does not reduce PCI DSS applicability to the agent, the agent desktop environment, or any other systems in the telephone environment.”
As such, pause-and-resume methods serve as an incomplete solution in addressing the issue of scope reduction for PCI DSS compliance, leaving a broad swath of the contact center still in scope and liable for protection. Organizations using pause-and-resume leave the agent environment, the VoIP network, the agent desktop, and anything else CHD touches still in scope.
Taking the assertion further that pause-and-resume is an incomplete solution, in section 6.4.1, the guidance explicitly states:
“Entities should avoid solutions that leave agent environments in scope unless there is an unavoidable business requirement to do so.”
Because pause-and-resume methods leave everything except the call recording in scope for PCI DSS compliance, pause-and-resume methods are not an acceptable solution for compliance purposes unless there is an extenuating business requirement that necessitates their use.
Encryption of call recordings – Many organizations believe that encrypting their call recordings will manage the risks of storing sensitive card data. However, while good encryption is easy, good key management is not. Managing these encryption keys provides additional headaches to the business and leaves data susceptible to being exposed through poor key management. In addition, under PCI DSS the CVC2/CVV2 security code cannot be stored under any circumstances, even if it is encrypted.
White or clean room contact center environments – Both pause-and-resume and encryption of the call recordings deal solely with PCI DSS requirement 3, protecting stored cardholder data. In order to meet PCI DSS requirement 9, restrict physical access to cardholder data, some merchants attempt to implement a white or clean room environment. CSRs must go through security checkpoints before entering and leaving the contact center, and they are not allowed to have access to the internet or email, their mobile phones, personal items, or even a pen and paper. Because of the strictness of these environments, employee morale can be low, leading to high staff turnover rates.
Automated Payment IVR solutions – Using voice recognition or keypad entry, these systems allow payments to be taken outside of the standard contact center environment. This is achieved by having the IVR system on a segregated part of the companies’ network or using a third-party hosted solution. They require the call to be routed to an automatic system where customers are more likely to drop out at the sign of difficulty. Either the customer ends up giving their payment details to a CSR rather than a machine, or they hang up entirely and a sale is lost.
Benefits of Implementing DTMF Masking
Implementing a DTMF masking solution like Semafone’s Cardprotect Voice+ provides the simplest route to PCI DSS compliance in the contact center and also provides many other additional benefits:
Better Customer Experience – Semafone’s DTMF masking solution never requires a call to be rerouted or transferred. CSRs remain in constant verbal communication with the customer while taking a payment, allowing easy assistance if any issues occur.
Reduction in Average Handling Time – The solution provides a single point of numerical entry, reducing opportunities for error during the collection of payment information. Because of this, information doesn’t need to be recaptured or corrected by the CSR, removing the need for a representative to read back or confirm the card details to the caller. In addition, while the customer enters their credit card information, the CSR is free to carry out wrap up activities during this time.
Better CSR Experience – Not having the CSR being exposed to sensitive payment data removes the need for restrictive PCI DSS controls. The CSR can be given access to the tools they need to do their job effectively without having to go through excessive security procedures. Adopting Cardprotect Voice+ also allows for the use of omnichannel support without the risk of card data being stolen by a rogue agent.
Lower risk of data being exploited – Because payment card data is no longer being stored, transmitted, or processed within the contact center infrastructure, hackers are not able to steal payment information. They can’t hack data, you don’t hold!
The partial solutions outlined above have been adopted by a fairly large number of businesses. However, they fail to fully meet the customer service requirements demanded by the 21st century customer. DTMF masking is the only solution that keeps sensitive payment card data completely out of the contact center, while maintaining the highest level of customer experience.