Latest research and PCI guidelines confirm that DTMF masking is the new standard in MOTO telephone payment security

GDPR, PCI DSS


It seems that major customer data breaches are hitting the headlines with increased frequency. British Airways, Ticketmaster, Sears, Adidas, Macy’s, Kmart, Delta Airlines, Best Buy and MyFitnessPal are just some of the big-name brands that have been hit in 2018 so far, and of course Marriott announced last week a breach affecting up to 500 million customers.

So it’s no surprise that the latest update of Syntec’s payment security consumer attitude tracking research reveals that concerns are now even greater about the risks of paying merchants by phone in the MOTO (mail order/telephone order) environment, to the extent that almost two thirds now say there are times when they don’t buy something because of this – a proportion that has risen by almost 20% to 63% in just two years. Similarly, 31% of consumers now say that they never make payments by phone, up from just 19% who said the same in 2016.

The costs of a breach can be significant, both in terms of the direct expenses such as legal fees, forensic experts and compensation to the victims as well as indirect costs such as the time and effort spent notifying victims, and of course the loss of brand reputation and customer trust, higher customer turnover and damage to share value.

Consumers are growing more concerned about paying by phone

Our newly updated research further supports this, indicating that 81% of consumers would not give their details to a company that they knew had been breached. Even in cases where there hasn’t been a breach, consumers are still reluctant to hand over their card details, with 65% saying they are reluctant to make payments over the phone and 60% saying the risk of call center fraud stops them making payments by phone.

Are consumers right to be concerned? The interviews we conducted with payment security experts across the industry, from merchant companies and payment providers to consultants and QSAs, show that the answer to this question is a clear ‘yes’. Card payment fraud in contact centers is on the rise, largely because fraudsters view contact centers as the weakest link in many organizations’ security.

Experts agree the risks of a breach are high

Most of the experts we interviewed agree that it’s not a question of ‘if’ a company gets breached but rather of ‘when’. This means that if organizations are storing payment card details within their own systems then they are vulnerable to having that data compromised.

Both the risk of being breached and consumer concern about payment card security are growing, and the publicity around the GDPR, which placed more onus on merchants for data protection from May 2018, has raised awareness of these issues further. It is therefore vital not only that merchants take every step they can to keep their customers’ payment card details secure, but that consumers can see them to be secure.

Experts and consumers both select DTMF masking as the best way to ensure card security

What’s the best way to do this? Our research shows that both consumers and industry experts are in agreement here. When asked how organizations should best avoid fraud in contact centers, “using secure technology to hide the card details from both the call center agent and the call recording” was the most popular response by a significant margin, selected by 42% of respondents.

This aligns with the views of the payment security experts and client organizations we interviewed. All the client organizations interviewed were looking for technical solutions to help them de-scope from PCI DSS. The view amongst the PCI assessors and security experts is that, whilst mitigating controls such as pause and resume (stop start) for call recordings can be useful in reducing risk, the best option for organizations is to de-scope entirely by creating a ‘no card data environment’ – and that DTMF masking is the best way to achieve this.

DTMF masking technologies let the customer enter their card details on their telephone keypad instead of reading them out. The DTMF tones are intercepted and replaced with a flat sound before the audio reaches the agent, who typically hears only a single repetitive tone; the same masked audio is what the call recording captures. Because the distinct tone for each key is concealed, neither the agent nor anyone with access to the recording can recover the digits by ear, and the card data never has to pass through the agent’s systems.
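As an added illustration of the mechanism described above (this is not Syntec’s or any vendor’s product code), the following Python sketch does the two things a DTMF-masking platform does with a call’s audio: it detects keypad tones frame by frame with the Goertzel algorithm, and it overwrites those frames with a flat tone before the audio goes on to the agent and the recording, while capturing the keyed digits separately. The 8 kHz sample rate, 205-sample frame, detection thresholds and 440 Hz masking tone are assumptions chosen for the example, and the caller’s keypad entry is synthesised inside the script rather than taken from a real call.

```python
"""Toy DTMF masking: detect keypad tones per frame, replace them with a flat
tone before the audio reaches the agent/recording, and capture the digits
out of band. Added illustration, not a vendor's product; pure standard library."""
import math

SAMPLE_RATE = 8000                     # assumed: narrowband telephony audio
FRAME = 205                            # assumed: ~25 ms Goertzel frame, common for DTMF
LOW_FREQS = [697, 770, 852, 941]       # DTMF row frequencies (Hz)
HIGH_FREQS = [1209, 1336, 1477, 1633]  # DTMF column frequencies (Hz)
KEYPAD = [["1", "2", "3", "A"],
          ["4", "5", "6", "B"],
          ["7", "8", "9", "C"],
          ["*", "0", "#", "D"]]
MASK_FREQ, MASK_AMPLITUDE = 440.0, 0.2  # assumed: the flat tone the agent hears instead


def _sine(freq, index, amplitude):
    return amplitude * math.sin(2.0 * math.pi * freq * index / SAMPLE_RATE)


def synthesize_keypad_entry(digits, tone_s=0.08, gap_s=0.06, lead_s=0.1):
    """Constructed sample input: a caller keying `digits`, each tone followed by silence."""
    samples = [0.0] * int(SAMPLE_RATE * lead_s)
    for d in digits:
        rows = [r for r, keys in enumerate(KEYPAD) if d in keys]
        if not rows:
            raise ValueError("not a DTMF key: %r" % d)
        lo, hi = LOW_FREQS[rows[0]], HIGH_FREQS[KEYPAD[rows[0]].index(d)]
        n = int(SAMPLE_RATE * tone_s)
        samples += [_sine(lo, i, 0.4) + _sine(hi, i, 0.4) for i in range(n)]
        samples += [0.0] * int(SAMPLE_RATE * gap_s)
    return samples


def goertzel_power(frame, freq):
    """Squared magnitude of `frame` at `freq` via the Goertzel recurrence (no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_dtmf(frame, min_power=50.0, min_ratio=4.0):
    """Return the keypad digit sounding in `frame`, or None. Thresholds are assumed."""
    def strongest(freqs):
        ranked = sorted(((goertzel_power(frame, f), f) for f in freqs), reverse=True)
        (p_best, f_best), (p_next, _) = ranked[0], ranked[1]
        # exactly one clear tone per group: strong enough and well above the runner-up
        if p_best < min_power or p_best < min_ratio * p_next:
            return None
        return f_best
    lo, hi = strongest(LOW_FREQS), strongest(HIGH_FREQS)
    if lo is None or hi is None:
        return None
    return KEYPAD[LOW_FREQS.index(lo)][HIGH_FREQS.index(hi)]


def mask_dtmf(samples):
    """Return (audio safe to pass to the agent and recording, digits captured).

    Frames carrying a keypad tone, plus one frame either side to cover the tone's
    onset and tail, are overwritten with the flat tone. A digit is recorded once
    per contiguous run of frames, so repeated digits separated by silence are
    each captured."""
    n_frames = len(samples) // FRAME
    detected = [detect_dtmf(samples[i * FRAME:(i + 1) * FRAME]) for i in range(n_frames)]
    digits, prev = [], None
    for d in detected:
        if d is not None and d != prev:
            digits.append(d)
        prev = d
    to_mask = [False] * n_frames
    for i, d in enumerate(detected):
        if d is not None:
            for j in (i - 1, i, i + 1):
                if 0 <= j < n_frames:
                    to_mask[j] = True
    masked = list(samples)
    for i, flagged in enumerate(to_mask):
        if flagged:
            for k in range(i * FRAME, (i + 1) * FRAME):
                masked[k] = _sine(MASK_FREQ, k, MASK_AMPLITUDE)
    return masked, "".join(digits)


if __name__ == "__main__":
    caller_audio = synthesize_keypad_entry("4111")   # constructed keypad entry, not a card
    agent_audio, captured = mask_dtmf(caller_audio)
    print("digits captured out of band:", captured)
    print("digits recoverable from agent audio:", repr(mask_dtmf(agent_audio)[1]))
```

Running the detector a second time over the masked output returns no digits, which is the property the agent-side recording needs. A production platform does this on the live SIP/RTP media with some lookahead, because a frame-based detector only sees a tone after part of it has already passed; masking the neighbouring frames, as above, is the crude version of that buffering. Note also where the PAN goes: it still exists in the masking platform and at whoever receives the captured digits for authorisation, so what changes for the merchant is that the telephony, agent desktops and CRM no longer hold it.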

The days of reading card details out over the phone are numbered

There’s pretty much universal agreement that the days of asking consumers to read their card details out over the phone are coming to an end. Consumers don’t like it and industry experts suggest that there are virtually no circumstances in which this approach is necessary. “Reading your card numbers out is not an efficient way of doing things, nor is it secure,” says Kevin Dowd, ex-Chairman of the CNS Group and payment security expert. “In almost all instances, there is absolutely no need for a company to even see credit card data that’s going to bring them into PCI scope. DTMF is the solution for telephone payments. If I were running a call center that’s how I would do it.”

It is clear from our research that consumers value the security of their data very highly and adapt their behaviour accordingly, not shopping with organizations they perceive to be insecure, so offering secure telephone payment should be promoted to consumers as a significant benefit. Switching to DTMF masking makes the consumer responsible for entering their own card numbers, just as they do in a retail or e-commerce environment, and keeps card data out of the merchant’s environment, removing the risk and cost of a card-data breach there. It also speeds up the payment process, reduces keying errors and improves efficiency.

“The biggest benefit [of switching to DTMF masking] has been the fact that we no longer have that dark cloud lingering over our heads. Not if we’re going to get breached, but rather when we’re going to get breached and when we do get breached, what’s going to happen. We no longer have to think about it. The liabilities are now gone. We’ve been able to streamline everything in a way, so that the collection of data is much more efficient,” says Carlos Moreno Tobon of Locus Telecommunications LLC.

The updated guidance on protecting telephone-based payment card data from the global PCI Security Standards Council states that “For organizations committed to taking payments over the telephone, consideration should be given to techniques that minimize exposure of PAN and SAD to the telephone environment and balance that with user/customer experience requirements, with the object of significantly reducing the CDE [cardholder data environment] or eliminating the CDE altogether.” This further underlines that DTMF masking is becoming the new standard, as recognised by the body set up by the card brands (Visa, Mastercard, American Express etc.) to maintain the PCI standards.

“A properly designed and deployed DTMF-masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope.”

Protecting telephone-based payment card data, PCI Security Standards Council, November 2018

The days of customers reading out their card details over the phone are clearly numbered!