The PCI SSC issues new guidelines for telephone-based payment card data protection


The global Payment Card Industry Security Standards Council (PCI SSC), of which Syntec is a participating member organization, has just published its most important guidance on payment card data security in call centers and contact centers since 2011.

Entitled ‘Protecting Telephone-Based Payment Card Data’, this brings up to date their guidance on how merchants should protect their own customers’ card data in this complex ‘Cardholder Not Present’ (CNP) operating environment, reinforcing the hundreds of security controls which are mandated under the 12 high-level ‘Requirements’ of the Payment Card Industry Data Security Standards (PCI DSS).

Much has changed since the PCI SSC first published guidelines for protecting telephone-based card data in call centers, not least the rapid growth of cloud infrastructure, multi-channel communication and internet telephony, as well as the advent of the new GDPR data protection legislation. The threats to customers’ personal data have also increased, as evidenced by the constant media reports of data breaches and identity theft, including theft of card data, as hackers and criminals find contact centers a relatively soft target to exploit.

So a working group of industry experts and consultants, including input from Syntec, has spent many months working through the detail to ensure that the new guidelines are relevant not only to current technology environments and threats, but also cover the differing needs of merchants globally, from small traders to the largest international enterprises. All organizations that take card payments must comply with the PCI DSS regulations laid out by the PCI SSC, which was set up in 2006 by the card brands, including American Express, MasterCard and Visa Inc., with the specific goal of improving card data security.

Syntec is a level 1 PCI DSS service provider, audited annually against these standards (currently version 3.2) to ensure that our services comply with the standards to the highest level. So when looking at our CardEasy ‘keypad payment by phone’ solution for contact centers, you can be reassured that it will meet these new guidelines and the PCI DSS standards, to provide your own customers with the reassurance they in turn need that their card data is secure – which our own latest 2018 research paper on PCI DSS in Contact Centers across 3 continents shows consumers are indeed increasingly worried about.

The new guidelines in fact specifically reference the use of the new technology CardEasy is based on, called ‘DTMF masking’ or ‘DTMF clamping’, to de-scope your contact center and call recordings from almost all of the PCI DSS controls, unlike legacy compensating controls such as Pause & Resume (for call recordings) or Clean Rooming (for call center agents) which only tackle part of this complex environment:

“A properly designed and deployed DTMF masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope”.

This is achieved by asking the customer to enter their card numbers on the keypad of their own phone, using the Dual Tone Multi Frequency (DTMF) touchtones to convey the data instead of asking them to read the digits out – either in the middle of the call with the agent or using customer self-service IVR menus. So this technology can be used both for attended payments on the phone and for unattended payments – as is already the case with major organizations around the world using CardEasy.
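To make the de-scoping argument concrete, the following is an added illustration written for this page; it is not Syntec’s CardEasy code and does not describe the product’s internals. It models a DTMF masking component sitting between the carrier and the contact center: voice frames pass straight through to the agent and the call recorder, but each keypress is replaced by a constant mask before it reaches them, so the recording and the agent desktop never contain the card number. The digits are buffered only inside the masking component, validated with the Luhn check, and exchanged for a token via a constructed stand-in for a payment processor’s tokenization API (`tokenize_stub`, a placeholder, not a real API). The `Frame` type, the `#` terminator and the sample call are all constructed for the example.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Frame:
    kind: str      # "speech" (stand-in for voice audio) or "dtmf" (one keypress)
    payload: str   # spoken text, or the pressed key for a dtmf frame


MASK_TONE = "*"    # what the agent and the call recorder receive in place of a keypress


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check on a candidate primary account number."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_stub(pan: str) -> str:
    """Constructed placeholder for the payment processor's tokenization call.
    A real processor would return a token that is useless outside its own system."""
    return "tok_" + secrets.token_hex(8)


class DtmfMasker:
    """Sits on the carrier side of the contact center.  Only `to_center` and
    `results` are visible downstream; the digit buffer never leaves this object."""

    def __init__(self, tokenizer=tokenize_stub):
        self._tokenizer = tokenizer
        self._buffer = []       # PAN digits in flight, held here only
        self.to_center = []     # frames forwarded to agent desktop + call recorder
        self.results = []       # what the agent/CRM receive: token and last4 only

    def feed(self, frame: Frame) -> None:
        if frame.kind != "dtmf":
            self.to_center.append(frame)            # speech passes through untouched
            return
        if frame.payload != "#":
            self._buffer.append(frame.payload)      # keep the digit here ...
            self.to_center.append(Frame("dtmf", MASK_TONE))  # ... mask it downstream
            return
        # '#' terminates entry: validate, tokenize, and discard the PAN
        pan = "".join(self._buffer)
        self._buffer.clear()
        if luhn_valid(pan):
            self.results.append({"status": "ok",
                                 "token": self._tokenizer(pan),
                                 "last4": pan[-4:]})
        else:
            self.results.append({"status": "invalid", "token": None, "last4": None})


def run_call(frames):
    """Replay a sequence of frames through the masker; returns what the
    contact center sees (frames) and what the CRM receives (tokens)."""
    masker = DtmfMasker()
    for frame in frames:
        masker.feed(frame)
    return masker.to_center, masker.results


def center_stream_has_digits(frames) -> bool:
    """Audit helper: True if any keypress value leaked into the center-side stream."""
    return any(f.kind == "dtmf" and f.payload.isdigit() for f in frames)


# Constructed sample call using the well-known Luhn-valid test number 4111111111111111.
SAMPLE_CALL = [
    Frame("speech", "Agent: please key in your card number and press hash."),
    *[Frame("dtmf", d) for d in "4111111111111111"],
    Frame("dtmf", "#"),
    Frame("speech", "Agent: thank you, taking the payment now."),
]

if __name__ == "__main__":
    center, results = run_call(SAMPLE_CALL)
    print("digits leaked to recording/agent:", center_stream_has_digits(center))
    print("agent/CRM receive:", results)
```

The point of the design is where the digit buffer lives: because it is on the carrier side of the `to_center` boundary, the call recording, the agent’s audio and the CRM only ever hold the mask tone, a token and the last four digits, which is what allows those systems to be argued out of PCI DSS scope. A Luhn failure is reported as `invalid` without a token, so mis-keyed numbers are re-prompted rather than stored.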

The new PCI SSC guidelines are available here.

If you’d like to talk to me or my colleagues about how the guidelines affect you or how Syntec’s CardEasy system can help your organization achieve a ‘No Cardholder Data Environment’ and provide increased PCI DSS level 1 service and security for your organization’s contact centers and call recordings, then please don’t hesitate to contact us at