Ben Rafferty, Chief Innovation Officer
Security may be the most important consideration for any company that is reliant on payment card transactions with both customers and partners. While data breaches make headlines, fraud and theft (from both internal and external sources) are much more pervasive issues – and they are becoming more complex and costlier by the day. And call and contact centres that conduct financial transactions are as vulnerable to these threats as any other merchant.
Fortunately, there are safeguards and technologies in place to mitigate these known and emerging threats. The Payment Card Industry Security Standards Council (PCI SSC) was formed to help address a wide range of payment card security threats, to keep up to date with the changing payment card landscape and to provide reputable compliance standards for companies that depend on credit and debit card transactions. The PCI DSS's 12 requirements are organised into six control objectives relating to the storage, transmission and processing of cardholder data.
Additionally, PCI DSS compliance guidelines provide a framework to limit the risk of financial losses from fraud and other criminal activities. Yet, it is the responsibility of any entity processing payment card information to meet these compliance standards, at a minimum, and to also develop their own systems and protocols to ensure payment card security, privacy and other steps to mitigate risk and fraud. We recently detailed important information on new updates to PCI DSS compliant call recordings and have also outlined how PCI DSS compliance helps to protect cardholder data.
But PCI DSS regulations can be far-reaching and their complexity can be a challenge for companies charged with adhering to their standards. As phone payments and other processing technologies have evolved, there has been a convergence with personal privacy and security, creating a need for increased awareness, security compliance and risk mitigation. Many companies in the contact centre space that take payments over the phone turn to Semafone to provide solutions that can assist in the secure processing of transactions and meet the highest levels of regulatory compliance.
Dual-Tone Multi-Frequency (DTMF) Masking
Dual-tone multi-frequency (DTMF) masking is a core method for financial payment processing via call centres that process payment cards. But what is DTMF masking and how does it work to help maintain PCI DSS compliance?
Simply put, dual-tone multi-frequency masking can help organisations reduce risk and enable their contact centres to take secure, PCI DSS compliant payments over the phone. Customers enter their card details on their telephone keypad; the incoming card numbers are intercepted, and the agent hears only masked (flat tone) digits. Once the system has verified that the information entered is correct, it seamlessly passes the transaction data through to the payment service provider (PSP) for processing, bypassing the agent and their desktop environment completely. Throughout the transaction, the agent remains in full voice communication with the customer to answer any questions that may arise. Meanwhile, sensitive data neither enters the contact centre nor is stored or recorded anywhere, so the entire payment environment stays out of PCI DSS scope. This allows organisations to maintain customer trust and reduce the risk of a brand-damaging data breach.
The PCI SSC highlights DTMF Bleed as a potential issue for organisations using DTMF masking solutions in their Information Supplement, Protecting Telephone-Based Payment Card Data:
‘Some implementations of DTMF masking rely on DTMF detection; this may introduce a delay in the masking, and the initial portion of the DTMF tones may not be masked (this is called “DTMF bleed”). It is important to ensure that all DTMF tones, including any initial small portions of “DTMF bleed” that may be inadvertently allowed through a masking process, are not present in the environment.’
When DTMF bleed occurs, a DTMF digit can be exposed, meaning card data is revealed and the organisation is brought back into scope for PCI DSS. This area will be under close scrutiny moving forward, and call and contact centres will need to be vigilant about DTMF bleed or risk non-compliance.
Steps to Prevent DTMF Bleed
Despite the obvious risks from DTMF bleed, there are actionable steps payment processing providers and contact centres can take to mitigate this risk.
Qualified Security Assessors (QSAs) must be much more vigilant in monitoring and responding to inferior products that allow DTMF bleed to occur in the first place. Proper testing and monitoring are imperative to prevent DTMF bleed; the guidance recommends ‘regular review of the signal to validate the efficiency of the DTMF solution’. Well-known engineering tools like Audacity or Wireshark can be used for DTMF bleed investigation and easily expose telephony environments where card data is leaking. Our testing has found that even with a bleed duration as short as 2-3 milliseconds, a DTMF digit could be exposed, highlighting just how crucial it is to ensure all DTMF bleed is removed.
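As an added illustration of the kind of signal review the guidance recommends (example code written for this page, not Semafone's, the PCI SSC's or any product's code), the block below synthesises a keypad digit, runs it through a simulated detection-based masker that lets the first few milliseconds through before substituting a flat tone, and then audits the "masked" recording with a Goertzel DTMF detector to see which digits remain recoverable. The 1000 Hz flat tone, the 20 ms analysis window and the amplitude threshold are assumptions chosen for the example.

```python
import math
FS = 8000                                    # telephony sample rate, Hz
LOW = (697, 770, 852, 941)                   # DTMF row (low-group) tones
HIGH = (1209, 1336, 1477, 1633)              # DTMF column (high-group) tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
FLAT_TONE_HZ = 1000                          # assumed "flat tone" the masker substitutes

def dtmf_tone(digit, ms):
    """Two-tone signal the keypad sends for `digit`, lasting `ms` milliseconds."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return [0.5 * math.sin(2 * math.pi * LOW[row] * i / FS)
            + 0.5 * math.sin(2 * math.pi * HIGH[col] * i / FS)
            for i in range(FS * ms // 1000)]

def mask_after_detection(samples, delay_ms):
    """Simulated detection-based masker: the first `delay_ms` escape (the bleed), the rest is flat tone."""
    bleed = FS * delay_ms // 1000
    flat = [0.5 * math.sin(2 * math.pi * FLAT_TONE_HZ * i / FS) for i in range(len(samples))]
    return samples[:bleed] + flat[bleed:]

def goertzel_amplitude(frame, freq):
    """Amplitude of a sinusoid at `freq` in `frame`, via the Goertzel algorithm."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / len(frame)

def detect_digit(frame, min_amp=0.25):
    """Digit whose row/column pair dominates `frame`, or None if no clear pair is present."""
    lo = max(LOW, key=lambda f: goertzel_amplitude(frame, f))
    hi = max(HIGH, key=lambda f: goertzel_amplitude(frame, f))
    if min(goertzel_amplitude(frame, lo), goertzel_amplitude(frame, hi)) < min_amp:
        return None
    return KEYPAD[LOW.index(lo)][HIGH.index(hi)]

def audit_recording(samples, window_ms=20):
    """Slide a half-overlapping window over a supposedly masked recording; list digits still recoverable."""
    n = FS * window_ms // 1000
    found = []
    for start in range(0, len(samples) - n + 1, n // 2):
        d = detect_digit(samples[start:start + n])
        if d and (not found or found[-1] != d):    # collapse consecutive repeats
            found.append(d)
    return found

def leaked_digits(digit, delay_ms, tone_ms=100):   # digits an auditor recovers for a given masking delay
    return audit_recording(mask_after_detection(dtmf_tone(digit, tone_ms), delay_ms))
```

With a 20 ms detection delay the digit is recovered outright; recovering the 2-3 ms bleeds mentioned above needs finer spectral analysis than this coarse 20 ms window, which is why the tools named in the paragraph are used in practice.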
Organisations should check that their DTMF masking solution has built-in bleed protection. For customers who have issues with DTMF bleed, Semafone’s Cardprotect solution has bleed removal features to ensure DTMF digits can’t be recovered, keeping our customers out of scope for PCI DSS.