What is DTMF masking and how can it help you ensure PCI DSS compliance in your contact center?

Contact center management, PCI DSS, Security

What is DTMF masking and how can it help you ensure PCI DSS compliance in your contact center?

This article explains how DTMF masking (also known as DTMF suppression or DTMF clamping) works and how a secure payment solution such as CardEasy that uses DTMF masking is the most secure and PCI compliant way to take payments over the telephone.

What are DTMF tones?

DTMF stands for dual tone multifrequency. Each key on a telephone keypad generates a unique DTMF tone when pressed. These tones are transmitted over the voice channel and equipment at the receiving end then ‘listens’ to the tones and translates them into specific commands such as dialling a particular number. The tones can also be used to control remote equipment, navigate an IVR menu or capture sensitive information such as credit or debit card numbers.

Why do DTMF tones need to be ‘masked’?

DTMF tones enable companies to accept card payments over the telephone without the customer having to read their card details out to a contact center agent. However, the ‘raw’ DTMF tones are easily recognizable and software (or even an experienced human) can interpret the tones and recognize the numbers, meaning that hackers or unscrupulous contact center agents could decode someone’s sensitive payment card details if they’re being entered via their telephone keypad. The tones could also be captured in a call recording and the payment card details accessed via the recording.

For this reason, when payment card details are captured using DMTF, the tones need to be masked (known as DTMF masking or DTMF suppression) so that they are not included in call recordings and cannot be translated back into numbers by contact center agents or anyone else who might have access to the live call or a recording of the call.

How does DTMF masking improve security?

Suppressing or masking DTMF tones enables customers to use their telephone keypad to enter payment card details securely. The tones that are generated as the customer enters their card details are intercepted and masked. The agent does not hear the original tones and the tones are not stored in the call recording so cannot then be used to access the customer’s payment card details.

DTMF masking is the recommended approach to  protect telephone-based payments as it enables sensitive payment card data to be entirely removed from the contact center environment. The caller’s card details are not accessible to the agent handling the call, nor are they stored in the call recording, making DTMF masking a much more secure option than alternatives such as clean rooms or ‘pausing’ call recording while a payment is made.  

How does DTMF masking help you de-scope your contact center from PCI DSS?

Using DTMF masking technology effectively eliminates the need to have PCI DSS controls in place in contact centers because the payment card data is encrypted and sent to the merchant’s payment services provider for payment authorisation without ever entering the contact center environment or systems, thus reducing risk and removing the need for monitoring of agents and also ‘pause & resume’ (stop/start of call recordings) to try and control that risk.

Find out more

If you’d like to find out more about how CardEasy uses DTMF masking to ensure payment card security and to help you de-scope your contact center from PCI DSS controls then get in touch with us today.