Point-to-point encryption (P2PE) vs. DTMF masking for call center PCI DSS compliance



Call center managers face an array of technical solutions to meet the requirements of PCI DSS and the necessary protection of payment card data for their customers. Two solutions often considered by merchants are point-to-point encryption (P2PE) and DTMF masking. In this blog post I’ll consider the pros and cons of each option.

  • Point-to-point encryption (P2PE) encrypts card data inside the PIN pad (the point-of-interaction device) before it enters your data network, so the cardholder data never sits in clear text on your systems or network. The agent still hears the card number and keys it in, so the voice channel is unaffected.
  • DTMF masking allows your contact center to take card payments securely using dual-tone multi-frequency (DTMF) capture technology: the customer keys their payment card data on their own telephone keypad while the agent and customer remain in conversation, and the tones are intercepted and masked before they reach the agent. For merchants using tokenization, the payment data is immediately exchanged for a token and never enters your network or call center environment.

How does P2PE work?

P2PE is a PCI SSC standard under which card data is encrypted inside a validated point-of-interaction (POI) device at the moment it is captured, and stays encrypted until it reaches the P2PE solution provider's secure decryption environment. The merchant never holds the keys needed to decrypt it, which is what allows the merchant's own systems to be treated as not handling clear-text cardholder data.

This solution requires a POI device that immediately encrypts the card information using keys injected into the device under the P2PE solution provider's key management (typically arranged through the merchant's payment service provider, or PSP). A front-end application pulls the encrypted blob from the POI and passes it to a back-office system, which submits the transaction to the acquirer via the PSP and, where tokenization is used, receives a token in return. The token is then stored rather than the PAN.

P2PE reduces the risk of payment card fraud by encrypting cardholder data the instant it is entered into the PIN pad. A validated P2PE solution can take the call center's computers, the data network infrastructure and the payment processing application out of PCI DSS scope (the merchant typically attests using SAQ P2PE rather than the full SAQ D). However, it leaves the call center agent and the telephony environment, including call recordings, in scope: the customer still reads the PAN and CV2 aloud, the agent hears them and keys them in, so the voice path and any recording of it carry clear-text cardholder data. It also means that a physical POI device is required at every call center workstation, so the cost of this option can be significant.

How DTMF masking works

DTMF is an in-band telecommunication signalling system using the voice-frequency band over telephone lines.

In DTMF masking, rather than verbally reading their PAN and CV2 numbers to a call center agent, the customer types them into their telephone keypad (a voice response option can be offered where a customer is unable to type their card details). Each key press generates a corresponding pair of tones which is sent down the telephone line. Before the signal reaches the call center environment, it is intercepted by CardEasy, which decodes the tones into data. The agent is presented with a real-time display during the PAN/CV2 capture process, with CardEasy automatically masking the digits so that they are not visible to the agent.

Once the customer has input the numbers and CardEasy has verified that the entry is well formed (for example, correct length and check digit), it passes the transaction data straight through to the payment service provider (PSP) for processing, bypassing the call center environment. Payment card data therefore does not enter the call center environment at any point during the transaction.
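The capture-mask-validate-forward sequence described in the two paragraphs above, as an added simulation that is not CardEasy's code. Tone pairs are decoded into keypad digits before the audio reaches the agent desktop, the agent's view only ever holds masked digits, the PAN is Luhn-checked, and only a valid PAN is handed to a stand-in PSP which returns a token. The DTMF frequency grid is the standard keypad layout; the 1.8 % tolerance, the stub PSP, the token format and the test PAN 4111111111111111 are assumptions made for the example.

```python
import hashlib

# Standard DTMF keypad grid: each key is one low (row) tone plus one high (column) tone.
LOW_TONES = (697, 770, 852, 941)          # row frequencies in Hz
HIGH_TONES = (1209, 1336, 1477, 1633)     # column frequencies in Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")  # row-major keypad layout
TOLERANCE = 0.018                          # assumed +/-1.8 % frequency deviation accepted


def _nearest(freq, candidates):
    """Index of the reference frequency within tolerance of freq, else None."""
    for i, ref in enumerate(candidates):
        if abs(freq - ref) <= ref * TOLERANCE:
            return i
    return None


def decode_tone(low_hz, high_hz):
    """Map a (low, high) tone pair to a keypad symbol, or None if it is not valid DTMF."""
    row = _nearest(low_hz, LOW_TONES)
    col = _nearest(high_hz, HIGH_TONES)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def tones_for(keys):
    """Constructed input: the ideal tone pairs a handset would emit for `keys`."""
    pairs = []
    for k in keys:
        for r, row in enumerate(KEYPAD):
            if k in row:
                pairs.append((LOW_TONES[r], HIGH_TONES[row.index(k)]))
    return pairs


def luhn_ok(pan):
    """Luhn check-digit validation, the usual sanity check before a PAN is forwarded."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """What the agent is allowed to see: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def capture_pan(tones, terminator="#"):
    """Decode tone pairs until the terminator key and return the digits captured."""
    digits = []
    for low, high in tones:
        key = decode_tone(low, high)
        if key is None:
            raise ValueError("unrecognised tone pair %s/%s Hz" % (low, high))
        if key == terminator:
            break
        if key.isdigit():
            digits.append(key)
    return "".join(digits)


def fake_psp(pan):
    """Stand-in for the PSP (assumption): accepts the PAN and returns only a token."""
    return "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:12]


def process_payment(tones, psp=fake_psp):
    """Capture -> mask -> validate -> forward. Returns what each party ends up holding:
    the agent view never contains the PAN; the PAN only crosses to the PSP."""
    pan = capture_pan(tones)
    agent_view = mask_pan(pan) if len(pan) >= 4 else "*" * len(pan)
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        return {"agent_view": agent_view, "forwarded": False, "token": None}
    token = psp(pan)                        # bypasses the call center environment entirely
    return {"agent_view": agent_view, "forwarded": True, "token": token}


if __name__ == "__main__":
    # Constructed call: customer keys a test PAN; one tone is slightly detuned (700/1210 Hz).
    call = [(700, 1210)] + tones_for("111111111111111#")
    call[0] = (700, 1210)                   # detuned "1" should still decode
    call.insert(0, tones_for("4")[0])
    print(process_payment(call))
```

Everything the agent desktop, the softphone and the recorder can see is `agent_view`; the clear PAN exists only inside the capture component and in its request to the PSP, which is the boundary the scope argument rests on.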

DTMF masking significantly reduces the risk of payment card fraud because payment card data is no longer stored, processed or transmitted within the call center environment. Unlike P2PE, it also takes the call center agent and the voice infrastructure, including call recordings, out of PCI DSS scope, alongside the call center computers, hard/soft phones, the data network infrastructure, the payment processing application and the physical security of the site. The one condition a practitioner should confirm with their QSA is where the tones are intercepted: the scope reduction holds only if capture and masking happen before the audio reaches the call center's own voice infrastructure, otherwise the segment that still carries the raw tones remains in scope. With the agent no longer exposed to sensitive payment data, the need for restrictive PCI DSS controls at the call center is removed, along with their significant associated cost.

The long-term cost of DTMF masking is lower and the time to implement is shorter than for P2PE. Call center expansions carry no additional cost unless voice infrastructure capacity increases, and the PCI DSS controls are significantly reduced, saving both time and recurring cost (such as the substantial cost of annual PCI audits). Using DTMF masking rather than P2PE means the call center environment no longer stores, processes or transmits cardholder data, which almost completely de-scopes it from PCI DSS.

As our own research shows, industry experts agree that de-scoping the call center environment from PCI DSS is the best strategy.  Consumers value the security of their data very highly and are adapting their behaviour accordingly, increasingly making purchase decisions based on factors such as data and payment card security. Offering the ability to pay by phone without having to read out card details to a call center agent shows that a company is taking payment security seriously, which consumers now say is of huge importance to them.