Solutions to make credit card payments PCI DSS compliant: DTMF vs the rest

“I’ll pause the recording while you give me your card details”. It’s a bit disconcerting. But, of course, we know that the call is being recorded. We’re told that ad nauseam every time we call a contact centre. We might even have given our card details without a second thought, but that mention of recording wakes the inner security guard.

What if they don’t pause it? How often have I given my card details and not been told about pausing the recording?

Fortunately, this apprehension will become less frequent as organisations increasingly comply with PCI DSS. The standard sets out the rules that must be followed whenever card payments are taken inside a contact centre. Here we look at the PCI DSS requirements and the technologies and procedures organisations can implement to achieve compliance.

PCI DSS requirements

The Payment Card Industry Data Security Standard (PCI DSS) stipulates requirements over various areas, such as network security, data protection and access control. Its purpose is to protect cardholder data, requiring the organisation that receives the payment to implement appropriate controls.

Any organisation that receives card payments, including payments made by telephone, is subject to PCI DSS rules. When a contact centre handles card payments, there are specific rules that they must follow:

– To demonstrate that the contact centre complies with the standard's twelve principal requirements and their several hundred sub-requirements, every one of which applies to any system that stores, processes or transmits cardholder data

– To ensure that sensitive authentication data (the 3- or 4-digit card security code, CVV2/CVC2/CID) is never stored after authorisation, whether in the call recording or in any other form, even if encrypted

– To carry out background checks on new employees in the contact centre before they are hired

– To ensure that nobody can remove card data from the contact centre. Typically this requires a ban on mobile phones at the desk and restricting the use of paper

The Payment Card Industry Security Standards Council (PCI SSC), in its guidance on protecting telephone-based payment card data, identifies one technology, DTMF masking, as a way of keeping card data out of the contact centre environment altogether. Because the data never reaches the agent, the desktop, the call recorder or the contact centre network, organisations implementing DTMF masking take far fewer systems and people into PCI DSS scope and face fewer compliance measures inside the contact centre.

Dual-Tone Multi-Frequency (DTMF) masking

DTMF is the signalling a telephone uses for key presses on its keypad (or the simulated presses on a smartphone screen). Each key produces a pair of audio tones, one from a low-frequency group and one from a high-frequency group, carried in-band alongside the caller's voice (on VoIP trunks the same key events may instead travel out-of-band as RTP telephone-event packets or SIP messages). A masking solution sits in the call path, recognises each tone pair, extracts the digit it encodes, and replaces the tones with a flat tone or silence before the audio reaches the agent and the call recorder. The digits themselves are forwarded as data to the payment destination only.

DTMF solutions, also known as DTMF suppression or masking, are an ideal answer to PCI DSS requirements. Rather than the cardholder reading out their card details, they press the digits on their telephone keypad. As a result, the operator does not hear the number and sees it only as masked digits on their screen.

The cardholder's data is not heard, recorded or stored within the contact centre. Instead, the card details are passed from the masking platform straight to the payment service provider (PSP), and the transaction is completed in real time. The operator stays on the call to help the customer, for example, if an invalid card number is entered.
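To make the masking step concrete, here is an added illustration in Python; it is not code from the original article or from any vendor's product. It synthesises a constructed keypad recording, detects each DTMF tone pair with the Goertzel algorithm, zeroes the audio frames that carry a key press (the copy that would go to the agent and the recorder), and collects the digits separately, Luhn-checking them before they would be handed to the PSP. The 8 kHz sample rate, the 50 ms analysis frame, the energy floor, the quiet 300 Hz "voice" background and the synthetic audio helper are all assumptions made for the example.

```python
import math

SAMPLE_RATE = 8000          # narrowband telephony audio (assumption for the example)
FRAME = 400                 # 50 ms analysis frames, 20 Hz bin spacing
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low tones, columns = high tones
ENERGY_FLOOR = 5.0          # frames below this are treated as speech/silence, not keypad


def goertzel_power(frame, freq):
    """Power of one frequency in `frame` (Goertzel: cheaper than an FFT for a handful of bins)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)        # nearest DFT bin to the DTMF frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """Return the keypad character sounding in `frame`, or None if no clean DTMF pair is present."""
    if sum(x * x for x in frame) < ENERGY_FLOOR:
        return None
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    # a genuine key press has exactly one dominant tone in each group; speech does not
    for group, best in ((low, row), (high, col)):
        runner_up = max(p for i, p in enumerate(group) if i != best)
        if group[best] < 4.0 * runner_up:
            return None
    return KEYPAD[row][col]


def capture_card_number(audio):
    """Strip keypad tones from `audio` and collect the digits they encode, up to a '#' terminator.

    Returns the masked audio (safe to play to the agent and to record), the PAN (to be
    forwarded to the PSP only, never logged or recorded) and a masked string for the agent screen.
    """
    masked = list(audio)
    digits, previous, terminated = [], None, False
    for start in range(0, len(audio) - FRAME + 1, FRAME):
        key = detect_digit(audio[start:start + FRAME])
        if key is not None:
            masked[start:start + FRAME] = [0.0] * FRAME      # real products inject a flat tone here
            if key != previous and not terminated:           # a key held across frames counts once
                if key == "#":
                    terminated = True
                elif key.isdigit():
                    digits.append(key)
        previous = key
    pan = "".join(digits)
    display = "*" * max(len(pan) - 4, 0) + pan[-4:]
    return {"pan": pan, "display": display, "masked_audio": masked}


def luhn_ok(pan):
    """Luhn check-digit validation: catches a mistyped PAN before it is sent to the PSP."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def synth_keypad_audio(keys, tone_len=2 * FRAME, gap_len=FRAME, talk_level=0.05):
    """Constructed test input: each key as a 100 ms tone pair and a 50 ms gap over a quiet 300 Hz 'voice'."""
    samples = []
    for key in keys:
        row = next(r for r in range(4) if key in KEYPAD[r])
        col = KEYPAD[row].index(key)
        for n in range(tone_len):
            t = n / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * LOW_FREQS[row] * t)
                           + 0.5 * math.sin(2 * math.pi * HIGH_FREQS[col] * t))
        samples.extend([0.0] * gap_len)
    return [s + talk_level * math.sin(2 * math.pi * 300 * i / SAMPLE_RATE)
            for i, s in enumerate(samples)]


if __name__ == "__main__":
    result = capture_card_number(synth_keypad_audio("4111111111111111#"))
    print(result["display"], "Luhn ok" if luhn_ok(result["pan"]) else "Luhn FAILED")
```

The point to notice is the split in `capture_card_number`: the only thing that flows back towards the agent and the recorder is `masked_audio`, while the PAN travels on a separate data path. That separation, not the tone detection itself, is what takes the agent desktop and the recording out of PCI DSS scope.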

Alternative solutions

Historically, four alternative methods evolved for handling card data over the telephone, each with its own risks.

Pause and resume

In this solution, the operator informs the cardholder that they will pause the recording while taking the card details. It satisfies the requirement that card details are not stored as part of the call recording, but it does not reduce scope: the operator still hears the card number and security code, and the remainder of the requirements must still be satisfied.

The contact centre must implement appropriate controls:

– To ensure that card data does not end up in a recording through human error: an operator who pauses late, resumes early or forgets to pause at all

– To safeguard the data once the operator has heard it (they now know the card number and security code)

– To protect every system the spoken card data passes through, such as the VoIP platform, since all of them remain in scope
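The first of those controls is the hard one, because the pause is manual. One way to check it after the fact, as an added example that is not from the original article, is to compare the recorder's pause/resume event log with the card-entry window reported by the agent desktop and flag any seconds of card entry that fall outside a pause. The log format (time in seconds, "pause" or "resume"), the `Span` type and the four sample calls are constructed assumptions for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Span:
    """A closed interval of call time, in seconds from the start of the call (assumed format)."""
    start: float
    end: float

    def overlap(self, other):
        """Seconds shared by the two spans (0 if they do not touch)."""
        return max(0.0, min(self.end, other.end) - max(self.start, other.start))


def pause_spans(recorder_events):
    """Turn a recorder's (time, 'pause'|'resume') log into the spans during which nothing was recorded.

    Pause/resume is a toggle, so the spans this produces never overlap one another.
    """
    spans, paused_at = [], None
    for t, kind in sorted(recorder_events):
        if kind == "pause" and paused_at is None:
            paused_at = t
        elif kind == "resume" and paused_at is not None:
            spans.append(Span(paused_at, t))
            paused_at = None
    if paused_at is not None:                 # paused and never resumed: covered to end of call
        spans.append(Span(paused_at, math.inf))
    return spans


def exposed_seconds(card_entry, pauses):
    """Seconds of the card-entry window that were recorded, i.e. not covered by any pause."""
    return (card_entry.end - card_entry.start) - sum(card_entry.overlap(p) for p in pauses)


def audit_calls(calls):
    """Return (call_id, exposed_seconds) for every card entry that was at least partly recorded."""
    findings = []
    for call_id, events, entries in calls:
        pauses = pause_spans(events)
        for entry in entries:
            exposed = exposed_seconds(entry, pauses)
            if exposed > 0:
                findings.append((call_id, round(exposed, 1)))
    return findings


# Constructed sample: four calls, each with a card entry at 42-70 s reported by the agent desktop.
SAMPLE_CALLS = [
    ("call-A", [(40.0, "pause"), (75.0, "resume")], [Span(42.0, 70.0)]),   # paused in time
    ("call-B", [(50.0, "pause"), (75.0, "resume")], [Span(42.0, 70.0)]),   # paused 8 s late
    ("call-C", [(40.0, "pause"), (60.0, "resume")], [Span(42.0, 70.0)]),   # resumed 10 s early
    ("call-D", [], [Span(42.0, 70.0)]),                                     # never paused
]

if __name__ == "__main__":
    for call_id, exposed in audit_calls(SAMPLE_CALLS):
        print(f"{call_id}: {exposed} s of card entry is in the recording")
```

A finding from this check means a recording already contains card data and must be located and purged; the check detects the failure, it does not prevent it, which is exactly why pause and resume leaves the recording platform and the operator inside scope.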

Encryption

Encrypting the call or the recording would seem to offer a solution, as it prevents eavesdropping. However, managing encryption keys for live calls is not straightforward, and encryption does nothing for the storage requirement: PCI DSS forbids storing sensitive authentication data such as the security code after authorisation even when it is encrypted, so an encrypted recording that contains the security code is still non-compliant. The operator still hears the details as well.

Clean room contact centre

Here, operators are supervised extensively, with no email or internet access, no devices and no pens and paper. They are scanned as they enter the clean room to check for devices and must remove coats and bags. The net effect is to lower team morale, resulting in high staff turnover, while the operators still hear and handle the card data.

Automated IVR

The organisation can manage payments separately from contact centre operations by using an automated Interactive Voice Response (IVR) system. Payments can be made using voice recognition or a telephone keypad, often using a third-party solution.

However, handing the call to the automated system breaks the conversation: customers can drop out when transferred, and the sale is lost.

DTMF versus the rest

The PCI SSC recognises DTMF masking as a comprehensive answer to PCI DSS requirements for telephone payments. The call does not have to be re-routed to an automated IVR. Instead, the operator can stay on the call and assist, improving the customer experience.

Because the card data never enters the contact centre, DTMF masking reduces the controls and oversight the centre must apply, empowering the operator and reducing the time and cost spent on compliance. In addition, it will end the phrase "I'll just pause the recording".

If you are looking for a way to make your credit card payments PCI DSS compliant, look no further than Gradeon. Our experts can help you to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). We have years of experience helping businesses like yours protect their customers’ data and secure their transactions. Contact us today to learn more about how we can help you make your business payments PCI DSS compliant.