The image of dual tone multi frequency signalling (DTMF) has come in for a makeover recently in contact centers. The engine behind automated IVR menus for many years, it also now facilitates new ‘keypad payment by phone’ technology to help keep customers’ card numbers safe when paying over the phone for goods and services.
The birth of DTMF
But DTMF has been around for a lot longer than either of the above uses. More commonly known as ‘touchtone phone’ technology (a registered trade mark of AT&T from its launch in 1963), DTMF is the signal you generate when you press or touch each key on your phone to convey the numbers you’re dialling, which progressively replaced the old loop disconnect (‘pulse’ or IWF) dialling method used by the rotary-dial telephones of yesteryear.
Each touch tone key, when pressed or touched, generates two tones of specified frequencies which can be carried by circuits designed to carry voice traffic. One tone comes from a high-frequency group and the other from a low-frequency group – hence ‘dual tone’ – so that a voice can’t imitate those tones. Then at the phone company end, DSPs (digital signal processors) are used to detect DTMF digits and translate them into numbers and # and * (and less commonly, the ABCD keys).
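The detection step described above, as an added example that is not part of the original article: a Goertzel-based detector that accepts a key only when one low-group and one high-group tone are both present, which is also a quick way to check that a masked recording carries no decodable digits. The frequency grid is the standard DTMF assignment (the article does not list it); the 8 kHz sample rate, the thresholds and the flat 1000 Hz stand-in for a masked keypress are assumptions.

```python
import math

# Standard DTMF grid: each row shares a low-group tone, each column a high-group tone (Hz).
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
RATE = 8000  # samples per second; assumed narrowband telephony rate


def sine_mix(freqs, ms=50, rate=RATE):
    """Constructed test signal: equal-amplitude sum of the given sine frequencies."""
    n = rate * ms // 1000
    return [sum(math.sin(2 * math.pi * f * i / rate) for f in freqs) / len(freqs)
            for i in range(n)]


def key_tone(key, ms=50, rate=RATE):
    """Synthesize the dual tone a keypad emits for one key."""
    row = next(r for r, keys in enumerate(KEYS) if key in keys)
    return sine_mix((LOW[row], HIGH[KEYS[row].index(key)]), ms, rate)


def goertzel_power(samples, freq, rate=RATE):
    """Squared magnitude of the signal at one frequency (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect(samples, rate=RATE):
    """Return the key carried by the samples, or None if no valid dual tone is present."""
    # Normaliser: Goertzel power of a pure tone with the same total energy.
    norm = sum(x * x for x in samples) * len(samples) / 2
    if norm == 0:
        return None
    lo = [goertzel_power(samples, f, rate) / norm for f in LOW]
    hi = [goertzel_power(samples, f, rate) / norm for f in HIGH]
    r, c = lo.index(max(lo)), hi.index(max(hi))
    # Need one tone from EACH group, together carrying most of the energy.
    if lo[r] < 0.1 or hi[c] < 0.1 or lo[r] + hi[c] < 0.6:
        return None
    return KEYS[r][c]
```

A frame that yields `None` carries no keypad digit under these thresholds, which is the result to expect from every frame of a correctly masked call leg or recording.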
The development of ‘tone phones’ and IVR
In telephony, the DTMF technology behind tone phones (also known in the UK as MF4) has facilitated many additional features such as caller return, caller display, reminder call, call waiting, three-way calling, call diversion, call barring, call minder and call sign. It also allows for the acknowledgment of messages and alarms from pagers and, in banking, the transmission of your account number and sort code. In fact it can be used to convey any combination of numbers such as the digits from your postcode; passport numbers; PIN numbers; birth dates; and in the USA, your all-important social security number.
But perhaps the most prevalent use of DTMF has been IVR to control the routing of calls in call centers: “Interactive Voice Response is a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via a keypad” (Wikipedia).
Following a flowchart of pre-recorded messages combined with menus of choices for the caller, IVR offers many applications and benefits so that incoming calls and queues can be dealt with better (and often via automation), improving the service to callers and freeing up agents to handle more complex enquiries, whilst also identifying and segmenting callers to prioritise, direct or divert calls to the most appropriate agent or group.
PCI DSS compliance in contact centers
It was the introduction by the card brands (Visa, Mastercard, AMEX etc) of the payment card industry data security standards (PCI DSS) in 2004 which gave impetus to developing DTMF for handling card payments by phone in call centers, as an aid to improving card payment security and PCI DSS compliance.
This method of taking card payments securely by phone uses the same DTMF touchtone technology, but in the middle of the conversation between customer and agent: the agent asks the customer to enter their card numbers using their phone keypad whilst still live on the call and without interrupting it. It can also be used with automated IVR systems to process customer self-service card payments by phone 24/7/365 without live agent assistance, which is why it is often referred to as IVR payment technology, although this rather misses the point about its more common mid-call use in conversation with call center agents.
Of course, because DTMF uses tones to convey the numbers, this tonality could in theory be deciphered by anyone intercepting them, which is why the technology has been developed to flatten or mask the tones – hence the terminology ‘DTMF suppression’, ‘DTMF masking’ or ‘DTMF clamping’ to describe the use of DTMF for card payments in this way.
This new way of processing card payments over the phone has two key credit card payment security and compliance benefits:
- As the card numbers are conveyed by the masked DTMF tones and the customer no longer reads them out, they cannot be compromised by rogue agents or criminals eavesdropping or hacking.
- This digital method of transmitting them cannot be picked up in call recordings either, unlike stored calls in which customers read out their card numbers, which can be vulnerable to hackers and card data breaches.
Use of this DTMF payment technology has really taken off in the last few years as merchants look for ways to protect their customers and their businesses from the increasing financial and reputational risk of data breaches, as well as increased pressure from banks and regulators to comply with PCI DSS to protect against such threats.
Syntec is one of a small number of companies holding patents for the use of DTMF for card payment by phone in call centers as used in our CardEasy system. Using this technology effectively eliminates the need to have PCI DSS controls in place in contact centers because the individual card digits are encrypted and sent to the merchant’s payment services provider for payment authorisation without ever entering the contact center environment or systems, thus reducing risk and removing the need for monitoring of agents and also ‘pause & resume’ (stop/start of call recordings) to try and control that risk.
Securing card payments in contact centers in this way has benefits for customers and merchants alike, improving trust and also streamlining the payment process (as the agent no longer has to take card numbers down and enter them), as well as introducing improved customer choice such as 24/7 automated payments by combining DTMF with IVR. It has already been further developed for use in webchat and alongside speech recognition and will see further innovation yet.
With digital technology continuing to drive our lives, new security and compliance challenges will be thrown up, which DTMF has already proven its versatility in tackling. For instance the new GDPR regulations coming into force in May 2018 impose further protection of customer data on EU organizations and those dealing with EU customers. The use of DTMF card payment technology already reduces the sensitive data a merchant holds, thus helping with GDPR compliance alongside PCI DSS.
Compliance risks and the variety of deployment options for DTMF payments
There are of course still risks associated with DTMF payment technology in contact centers. For instance if you use DECT (wireless technology) headsets, these can have eavesdropping vulnerabilities where the DTMF tones could in some circumstances be picked up. A more common issue though is when customers are asked to enter their card numbers using their phone keypad but still read them out whilst keying them in. This of course defeats the underlying security purpose of the DTMF payment process since agents, call recordings and eavesdroppers could still pick this up, so you need to use a system designed to overcome this potential problem too.
There is also quite a significant range of deployment options available, including fully hosted (where the phone traffic is handled by the same company as the DTMF payment integration); on-premise (using equipment at the merchant’s end so as to be telephony agnostic); or completely cloud based (usually in AWS cloud) for global reach. These can be further complicated by whether you have ISDN or SIP telephony (or are in transition) and whether you want agent assisted payments, IVR-automated payments or a mixture of both. So you really need to speak to a company with deep experience and understanding of telecommunications technology and strategy to help you deal with all of these options and compliance needs and to find out how DTMF can best be deployed for processing card payments by phone in your own organization.