What is DTMF masking? The essential guide

How DTMF Masking or Suppression can help towards PCI compliance when taking card payments over the phone


What is DTMF masking?

DTMF masking is a safe and effective solution that either replaces the keypad tones or converts the two pitches into a single flat tone, so that they cannot be decoded by a hacker or by someone within the organisation. The masking software is an efficient way for your organisation to accept payments over the phone securely.

For many organisations, having the ability to take payments over the phone is a must, but with the Financial Conduct Authority (FCA) regulations and the new General Data Protection Regulation (GDPR), obtaining Payment Card Industry Data Security Standard (PCI-DSS) compliance can often be a challenge. Having an all-encompassing secure and compliant solution is something organisations strive towards, with Dual-Tone Multi-Frequency (DTMF) masking becoming an important aspect of this.


What are DTMF tones?

DTMF stands for “Dual-Tone Multi-Frequency”, a series of audio signals generated when a telephone user presses the individual numbers of a telephone keypad (as well as the “#” and “*”), with each key producing two tones, each of a specific frequency. In order to prevent a voice from imitating the DTMF tones, one is generated from a high-frequency group of tones and the other from a low-frequency group. However, with the right hacking software, these DTMF signals can easily be decoded.
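The two-tone scheme described above is what makes recorded key presses recoverable, and it also gives a simple check that masking has worked. The following is an added example, not Key IVR's code: it uses the Goertzel algorithm to scan audio for DTMF pairs. The 8 kHz sample rate, the 1000 Hz flat masking tone, the timings and all function names are assumptions, and the audio is constructed inside the script.

```python
import math

RATE = 8000                                   # assumed telephony sample rate
LOW, HIGH = (697, 770, 852, 941), (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")       # rows = LOW, columns = HIGH
GAP = [0.0] * (RATE * 40 // 1000)             # 40 ms of silence

def tone(freqs, ms=80):
    """Constructed audio: equal mix of the given frequencies."""
    return [sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs) / len(freqs)
            for i in range(RATE * ms // 1000)]

def goertzel_power(frame, freq):
    """Power of one frequency in the frame (Goertzel algorithm)."""
    coeff, s1, s2 = 2 * math.cos(2 * math.pi * freq / RATE), 0.0, 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(frame, min_share=0.25):
    """Keypad symbol if one LOW and one HIGH tone each carry enough energy."""
    energy = sum(x * x for x in frame) * len(frame) / 2
    picks = []
    for group in (LOW, HIGH):
        powers = [goertzel_power(frame, f) for f in group]
        best = powers.index(max(powers))
        if powers[best] <= min_share * energy:
            return None                       # group absent (or silence): not DTMF
        picks.append(best)
    return KEYS[picks[0]][picks[1]]

def scan(samples, frame_ms=40):
    """Keys recoverable from a recording; an empty string means none."""
    n, found, prev = RATE * frame_ms // 1000, [], None
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n])
        if key and key != prev:
            found.append(key)
        prev = key
    return "".join(found)

def keypad_audio(digits):
    """Constructed unmasked recording: 80 ms per key, then 40 ms of silence."""
    pairs = {k: (LOW[r], HIGH[c]) for r, row in enumerate(KEYS) for c, k in enumerate(row)}
    return [x for d in digits for x in tone(pairs[d]) + GAP]

def masked_audio(count, flat_hz=1000):
    """Constructed masked recording: one flat tone per key press (assumed 1000 Hz)."""
    return (tone((flat_hz,)) + GAP) * count
```

Running `scan` over a sample of stored call recordings and expecting an empty result is one way to confirm that no decodable key presses reach the recording platform.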

The Challenge Faced by Financial Services Firms

The FCA regulations require any financial firm that provides services to consumers to record its phone calls for training and monitoring purposes in order to prevent, detect and deter market abuse. The Payment Card Industry Data Security Standard (PCI-DSS), on the other hand, states that in order to be compliant, no sensitive card data can be recorded or stored by the organisation.

DTMF masking and suppression

DTMF masking (often called DTMF suppression) helps organisations obtain PCI compliance whilst continuing to take payments over the phone and record their calls. This works as one solution to the problem, allowing customers to input sensitive card details into their phone without any concerns that the cardholder data can be exposed at the other end.

Without DTMF masking, organisations could risk malicious attacks targeting their customers’ data, including possible internal threats from any “rogue agents” within their contact centres. Having the ability to access card details and other personal information puts customers at a much higher risk of fraudulent activity, so corporate security is improved dramatically by removing this specific data completely from the organisation’s network.

So, no matter the size of your business, PCI DSS is there to protect your customers and their data, assisting in the prevention of a data breach which could have a huge impact.


How DTMF masking works

1. The customer calls the organisation to make a payment and is on the phone with the agent.
2. When the customer is ready to make a payment, the agent can continue the conversation on a new, secure call – all within a few seconds.
3. The customer can provide debit or credit card details by reading them out, entering via a digital payment link or using their telephone keypad.
4. Sensitive information is never seen or heard by the agent, and they can stay on the call to assist. The details are processed by the payment gateway provider.
5. The agent can follow the customer’s progress on a dashboard; they do not see or hear any sensitive cardholder data.
6. Once the payment is completed, the agent can move on to the next customer.

How does DTMF suppression work within contact centres?

For a lot of customers, making a payment over the phone to an organisation usually means reading their card details out to an agent or to voice recognition software, or inputting digits into their telephone to be received by the organisation. Each of these carries risks, whether from hackers gaining access to call logs or logged card details, or from ‘rogue agents’ copying customer data for malicious purposes.

DTMF masking is a great way of reducing these risks and adhering to PCI-DSS. Whilst the customer inputs their card details into their phone, the tones that are generated from each key are intercepted and the agent is presented with masked data that is stripped of any sensitive information. The agent never sees the sensitive card number and is unable to write any details down, but is still informed if the card details are valid and when payment is successful.

Once the transaction data is verified by the system, the payment service provider (PSP) seamlessly processes the payment. As no sensitive information ever enters the organisation’s contact centre, the customer can trust that their payment data is protected.


DTMF suppression and PCI compliance

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. Once this standard of compliance was introduced in 2004, it paved the way for DTMF suppression to be used as a method of improving card payment security over the phone, ensuring that organisations could become fully compliant.

Not only is DTMF masking used when a customer is on the phone to a call agent, as previously mentioned, but it can also be used with IVR systems, where it is often referred to as IVR Payment Technology. This is due to the convenient way organisations can securely take payments 24/7/365 without the need for human intervention. Although DTMF masking has the added benefit of shielding sensitive data from a call agent, when used with a Payment IVR it will continue to flatten or mask the keypad tones from anyone with the malicious intent to intercept the call and decipher the data.

The benefits of DTMF masking

Twin Clamp Technology - Additional protection on top of DTMF masking

By clamping the phone signal at the start and end of the network, the risk of any data leakage across all phone networks is removed completely. Rather than simply masking the numbers reaching the organisation, Key IVR’s Agent Assisted Payment solution strips out all sensitive information altogether, leaving the audio behind. This not only meets FCA regulations by allowing the entire call to be recorded, but also lets organisations stay PCI compliant and dramatically improve their corporate security and customer trust.

Implementing DTMF and Twin Clamp Technology

Talk to Key IVR and let us help you reduce serious security risks within your contact centre with our PCI-DSS-compliant solutions. We work with you to design a solution that tackles your individual business challenges.

Find out more about our Contact Centre or Agent Assisted Payments services.

Contact us on +1 888 765 3109 or email sales@keyivr.com


Mark Kelly

Chief Commercial Officer (CCO) (UK) & VP International Sales (US)