2024 DTMF Masking Guide: Everything You Need to Know

How DTMF Masking or Suppression can help towards PCI compliance when taking card payments over the phone


What is DTMF masking?

DTMF masking is a security measure that replaces or suppresses the tones generated when phone keys are pressed with flat or indistinguishable tones. This prevents sensitive information, such as credit card details, from being intercepted or decoded.

DTMF technology, developed in the 1960s, revolutionized telephony by allowing push-button dialing. Each button on a phone keypad generates a unique pair of tones, enabling faster and more reliable connections. Over the decades, DTMF has become integral to interactive voice response (IVR) systems and automated phone services. Today, implementing DTMF masking is essential for any organization that handles phone transactions, ensuring both compliance and security.

The Infosec Institute reports that human error is a major contributor to data breaches, with up to 74% of incidents involving some human element. Implementing security measures like DTMF masking can effectively reduce this risk by ensuring that sensitive data is not accessible to contact center agents or recorded during calls, thus minimizing the potential for human error to lead to data breaches.

For many organisations, the ability to take payments over the phone is a must, but with the Financial Conduct Authority (FCA) regulations and the new General Data Protection Regulation (GDPR), obtaining Payment Card Industry Data Security Standard (PCI-DSS) compliance can often be a challenge. Organisations strive towards an all-encompassing, secure and compliant solution, and Dual Tone Multi-Frequency (DTMF) masking is becoming an important aspect of this.


What are DTMF tones?

DTMF tones are a series of audio signals generated when a telephone user presses the individual numbers of a telephone keypad (as well as the “#” and “*”). Each key produces a combination of two specific frequencies. To prevent a voice from imitating the DTMF tones, one frequency is taken from a high-frequency group of tones and the other from a low-frequency group. However, with the right hacking software, these DTMF signals can easily be decoded.

These tones are used to signal the numbers dialed and are crucial for the operation of telephony systems, including IVR and automated dialing.

The Challenge Faced by Financial Services Firms

The FCA regulations require any financial firm that provides services to consumers to record its phone calls for training and monitoring purposes in order to prevent, detect and deter market abuse. The Payment Card Industry Data Security Standard (PCI-DSS), on the other hand, states that in order to be compliant, no sensitive card data can be recorded or stored by the organisation.

DTMF Masking and Suppression

While DTMF masking and DTMF suppression are often used interchangeably, there are subtle differences. Both techniques are used to secure sensitive information during phone transactions.

DTMF masking helps organisations obtain PCI compliance whilst continuing to take payments over the phone and record their calls. This works as one solution to the problem, allowing customers to input sensitive card details into their phone without any concerns that the cardholder data can be exposed at the other end.

Without DTMF masking, organisations risk malicious attacks targeting their customers’ data, including possible internal threats from any “rogue agents” within their contact centres. Having the ability to access card details and other personal information puts customers at a much higher risk of fraudulent activity, so corporate security is improved dramatically by removing this specific data completely from the organisation’s network.

So, no matter the size of your business, PCI DSS is there to protect your customers and their data, assisting in the prevention of a data breach which could have a huge impact.

The study indicates that the implementation of advanced security technologies like DTMF masking can substantially mitigate the risk of data breaches. The effectiveness of these measures is reflected in the reduced number of data breach incidents reported by organizations utilizing such technologies. (Security Intelligence)

How DTMF Masking Works

DTMF masking works by intercepting the tones generated when a user presses phone keys and replacing them with a flat or indistinguishable tone. This process ensures that the sensitive information remains secure and cannot be decoded by unauthorized parties. The masked tones are then transmitted securely to the payment gateway for processing.
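The following is an added example, not code from Key IVR or from the original page: it shows why unmasked keypad tones in call audio are trivially recoverable, and checks that a frame replaced by a flat tone no longer decodes. The 8 kHz sample rate, 60 ms frames, 1000 Hz flat tone, function names and test number are assumptions made for the illustration.

```python
import math

FS = 8000                         # assumed telephony sample rate (Hz)
LOW = [697, 770, 852, 941]        # standard DTMF row (low-group) frequencies
HIGH = [1209, 1336, 1477, 1633]   # standard DTMF column (high-group) frequencies
KEYS = ["123A", "456B", "789C", "*0#D"]

def dtmf_tone(key, ms=60):
    """Synthesize the low+high tone pair a keypad emits for `key`."""
    row = next(r for r, keys in enumerate(KEYS) if key in keys)
    col = KEYS[row].index(key)
    n = FS * ms // 1000
    return [0.5 * math.sin(2 * math.pi * LOW[row] * t / FS)
            + 0.5 * math.sin(2 * math.pi * HIGH[col] * t / FS) for t in range(n)]

def goertzel(samples, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_key(samples, min_share=0.3):
    """Return the key only if one row AND one column tone dominate the frame."""
    total = sum(x * x for x in samples) * len(samples) / 2
    if total == 0:
        return None               # silence: nothing to decode
    rows = [goertzel(samples, f) / total for f in LOW]
    cols = [goertzel(samples, f) / total for f in HIGH]
    r, c = rows.index(max(rows)), cols.index(max(cols))
    if rows[r] < min_share or cols[c] < min_share:
        return None
    return KEYS[r][c]

def mask_frame(samples, flat_hz=1000):
    """Replace a keypad frame with one flat tone of the same length."""
    return [0.5 * math.sin(2 * math.pi * flat_hz * t / FS)
            for t in range(len(samples))]

def decodable_digits(frames):
    """Audit helper: every key still recoverable from the given audio frames."""
    return "".join(k for k in map(decode_key, frames) if k)

DIGITS = "4111111111111111"       # constructed test number, not real card data
unmasked = [dtmf_tone(d) for d in DIGITS]
masked = [mask_frame(f) for f in unmasked]
print(repr(decodable_digits(unmasked)), repr(decodable_digits(masked)))
```

The same `decodable_digits` check can be run over frames cut from a sample call recording to confirm that no keypad entry survives in stored audio.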

1. The customer is on the phone with the agent.
2. When the customer is ready to make a payment, the agent can continue the conversation on a new, secure call, all within a few seconds.
3. The customer can provide debit or credit card details by reading them out, entering them via a digital payment link or using their telephone keypad.
4. Sensitive information is never seen or heard by the agent, and they can stay on the call to assist. The details are processed by the payment gateway provider.
5. The agent can follow the customer’s progress on a dashboard; they do not see or hear any sensitive cardholder data.
6. Once the payment is completed, the agent can move on to the next customer.

DTMF Suppression Within Contact Centres

For a lot of customers, making a payment over the phone to an organisation usually means reading their card details out to an agent or to voice recognition software, or inputting digits into their telephone to be received by the organisation. Each of these carries risks, whether from hackers gaining access to call logs or logged card details, or from ‘rogue agents’ copying customer data for malicious purposes.

DTMF masking is a great way of reducing these risks and adhering to PCI-DSS.

  • While the customer inputs their card details into their phone, the tones that are generated from each key are intercepted and the agent is presented with masked data that is stripped of any sensitive information. The agent never sees the sensitive card number and is unable to write any details down, but is still informed if the card details are valid and when payment is successful.
  • Once the transaction data is verified by the system, the payment service provider (PSP) seamlessly processes the payment. As no sensitive information ever enters the organisation’s contact centre, the customer can trust that their payment data is protected.

DTMF Suppression and PCI Compliance

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Once this standard of compliance was introduced in 2004, it paved the way for DTMF suppression to be used as a method of improving card payment security over the phone, ensuring that organisations could become fully compliant.

Not only is DTMF masking used when a customer is on the phone to a call agent, as previously mentioned, but it can also be used with IVR systems and is often referred to as IVR Payment Technology. This is due to the convenient way organisations can securely take payments 24/7/365 without the need for human intervention.

Although DTMF masking has the added benefit of shielding sensitive data from a call agent, when used with a Payment IVR it will continue to flatten or mask the keypad tones from anyone with the malicious intent to intercept the call and decipher the data.


Benefits of DTMF Masking

Case Study: DTMF Masking in Agent Assisted Payments

Background
Broward County Water & Wastewater Services (WWS) serves over 600,000 residents, providing essential services such as water supply and wastewater treatment. Ensuring the security of customer payment information during phone transactions was a critical requirement for WWS to maintain trust and comply with regulatory standards.

Challenge
WWS faced challenges in securing sensitive payment information during agent-assisted phone transactions. The existing system required agents to manually process payments, which posed risks of data breaches and non-compliance with PCI DSS standards. The organization needed a solution to protect sensitive cardholder data and enhance the overall security of their payment process.

Solution
Key IVR implemented a DTMF masking solution for WWS, integrated with their agent-assisted payment system. The solution intercepted and masked the DTMF tones generated when customers entered their payment information via telephone keypad. This ensured that sensitive data could not be accessed by agents or intercepted during transmission, meeting PCI DSS compliance requirements.

According to the 2024 Verizon Data Breach Investigations Report (DBIR), robust security measures, including DTMF masking, are crucial in lowering the chances of sensitive data being intercepted during phone transactions. The DBIR highlights that the implementation of comprehensive security solutions, such as DTMF masking, significantly reduces the risk of data breaches, supporting the statistic that organizations using these measures can reduce data breach incidents by up to 70%. (Verizon)

DTMF Masking and Twin Clamp Technology

DTMF masking is a vital technology for securing phone transactions, ensuring sensitive data remains protected during the transmission process. It works by intercepting and masking the tones generated when a user enters payment information via their telephone keypad, thus preventing unauthorized access.

However, for even greater security, twin clamp technology offers an additional layer of protection. By clamping the phone signal at both the start and end of the network, twin clamp technology effectively eliminates the risk of data leakage across all phone networks. This approach goes beyond masking by stripping out all sensitive information, leaving only the audio behind.

Key IVR’s Agent Assisted Payment solution employs this dual clamping method, which not only meets FCA regulations by enabling complete call recordings but also ensures PCI DSS compliance. This comprehensive security measure significantly enhances corporate security and builds customer trust by ensuring that sensitive data is never exposed. Investing in these advanced technologies helps organizations tackle serious security risks and maintain a secure and compliant business environment.

Talk to Key IVR and let us help you reduce serious security risks within your contact center with our PCI-DSS-compliant solutions. We work with you to design a solution that tackles your individual business challenges.

Contact us on +44 (0) 1302 513 000 or email sales@keyivr.com

Conclusion

DTMF masking is a critical technology for securing phone transactions and ensuring compliance with industry standards such as PCI DSS.

This technology intercepts and masks the tones generated when customers enter their payment information via telephone keypads, protecting sensitive data from interception and unauthorized access.

By understanding the benefits of DTMF masking — including enhanced security, regulatory compliance, increased customer trust, and cost savings — organizations can safeguard their operations against data breaches and fraud. 

The seamless integration of DTMF masking with existing phone and IVR systems makes it a practical solution for businesses in finance, e-commerce, healthcare, and beyond. Investing in DTMF masking is a proactive step toward creating a secure, compliant, and trustworthy business environment. As the landscape of cyber threats evolves, DTMF masking will continue to play a vital role in protecting sensitive information and maintaining customer confidence.

FAQ about DTMF masking

We’ve put together some commonly asked questions to give you more information about DTMF Masking technology and its benefits to your business.

DTMF masking is a security measure that replaces the tones generated by pressing phone keys to protect sensitive information.
DTMF masking ensures that sensitive card information is not recorded or stored, helping organizations meet PCI DSS standards by protecting cardholder data during phone transactions.
DTMF masking intercepts and replaces keypad tones in IVR systems, securing sensitive data during phone transactions.
Benefits include enhanced security, compliance with regulatory standards, increased customer trust, and cost savings.
Yes, DTMF masking can be seamlessly integrated with most existing phone and IVR systems.
In contact centers, DTMF masking protects sensitive information by ensuring that agents cannot hear or record the tones generated when customers enter their payment details, thus reducing the risk of data breaches.
Any business handling phone transactions, especially those in finance, e-commerce, and healthcare, should consider implementing DTMF masking to protect sensitive data and ensure compliance with security standards.
DTMF masking improves customer trust by providing a secure method for entering payment information, reassuring customers that their sensitive data is protected during phone transactions.
Companies should assess their current phone systems, choose a compatible DTMF masking solution, integrate it with their existing infrastructure, conduct thorough testing, and train staff on its benefits and usage.


Mark Kelly

Chief Commercial Officer (CCO) (UK) & VP International Sales (US)