PCI DSS 3

Secure telephone payments and reduce PCI DSS scope through DTMF payment technology. 

By: Gary Glover, SecurityMetrics
Did you know call center security awareness training isn’t enough to meet all your PCI DSS obligations? Don’t get me wrong, security awareness training is a vital part of contact center compliance. But simply training employees doesn’t fulfill specific responsibilities, including a key aspect in requirement 3.2, which states, “Do not store sensitive authentication data after authorization (even if encrypted).”

Merchants must ensure sensitive authentication data is not stored in any form after authorization. The part that may trip up a contact center is the thousands of hours of call recordings that include payment information verbalized by both customers and agents over the phone.

Call center providers are required to secure payment data not only within recorded calls, but also in the physical environment. Call center agents regularly exposed to card data have the ability to write down payment data and use it for fraudulent purposes. Typically these situations are addressed in security awareness training, but no amount of training will stop employees with malicious intent.

It’s easy to see the processes employed by many contact centers aren’t adequately securing payment information . . . and therefore can’t claim PCI DSS compliance. So what’s a call center to do?

Security Priority: Descope Your Call Center

Consider this: by descoping your contact center, you can radically reduce your PCI DSS requirements and significantly boost your security.

Descoping reduces the number of requirements it takes to become PCI DSS compliant. Merchants can accomplish this by decreasing the instances of payment card information storage, transmission, and processing in their environments.

When discussing contact center compliance and descoping, it’s appropriate to follow a risk-based approach.

Where are a call center’s greatest risks to payment card storage and transmission?

Cam Ross, Director of Payments Strategy at Eckoh, recommends evaluating risk in the following areas:
  1. Call recordings
  2. Agents exposed to card data
  3. Card data transmitted through agent computers
  4. Contact center phone system

The good news for call center providers is that you don’t have to start from scratch to remove all instances of card data from recordings, agents, phone systems, and computers. There are easy-to-implement technologies available to help you in this scope reduction process.

As Ross says, “A full descoping solution does not need to mean a massive change in your business. In other words, some solutions on the market allow your contact center agents to continue doing exactly the same job they do today, without change to the customer experience or internal systems.”

Contact Center Compliance Options for PCI DSS 3

The Old Way: Pause-and-Resume Software
Pause-and-resume software (or mute/unmute software) recognizes when agents go to a payment screen and pauses the recording of the call. Some solutions simply provide a button agents can push to stop the phone from recording. Here’s the problem: this technology is 10 years old and has some critical flaws:
  • It still exposes call center agents to card data, which means agents are still in scope.
  • The technology is extremely complicated to set up and integrate.
  • The technology doesn’t always turn on and off at the correct times, and agents can forget to press the button. Some calls and subsequent recordings might have card data, and others will blank out entirely.
As you can see, pause-and-resume software has not proven to be successful at reducing risk and completely descoping a call center.

The New Way: Phone Payments Through DTMF Masking
Keypad payment-by-phone technology allows consumers to punch credit card details into their phone instead of verbally giving them to the agent. This means agents don’t see or hear customer card details.

How does it work? Simple. Mid-call, the agent asks the customer to enter card details using the keypad on their phone. When you type on a phone keypad, you generate a sound known as a dual-tone multi-frequency (DTMF) signal. Each number on your phone is assigned a unique DTMF tone. So, if a hacker or the agent on the call were able to record these sounds, they would still be able to decipher credit card numbers. Clearly, security-wise, that’s not good enough.

That’s where touchtone masking technology comes in. It masks the tones so they all sound exactly the same. Recordings are sanitized, and the agent can’t decipher the monotone frequency. Because of this technology, even if an attacker gained access to the contact center’s phone system, databases, and recordings, there’s no data for them to steal.
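To make the difference concrete, the following added example (not code from the original article or from any vendor) synthesizes keypad audio and runs a standard Goertzel detector over it, the kind of check a defender could run on sample recordings to confirm that masking held. The 40 ms burst length, the single flat 1000 Hz masking tone, the detection thresholds and all function names are assumptions made for illustration.

```python
import math

RATE = 8000                      # telephony sample rate (Hz)
LOW = (697, 770, 852, 941)       # standard DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)  # standard DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def tone(freqs, ms=40):
    """Synthesize one burst containing the given frequencies (constructed audio)."""
    n = RATE * ms // 1000
    return [sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs) / len(freqs)
            for i in range(n)]

def key_audio(key):
    """Audio a handset emits for one key: its row tone plus its column tone."""
    row = next(r for r, keys in enumerate(KEYS) if key in keys)
    return tone((LOW[row], HIGH[KEYS[row].index(key)]))

def goertzel(samples, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_burst(samples, ratio=5.0):
    """Return the key in one burst, or None if no clear row+column pair exists."""
    energy = sum(x * x for x in samples) * len(samples)
    picks = []
    for group in (LOW, HIGH):
        power = sorted(((goertzel(samples, f), f) for f in group), reverse=True)
        # The winning tone must carry real energy and dominate its group.
        if power[0][0] <= 0.1 * energy or power[0][0] < ratio * power[1][0]:
            return None
        picks.append(group.index(power[0][1]))
    return KEYS[picks[0]][picks[1]]

def recoverable_digits(bursts):
    """Digits a recording would leak; an empty string means masking held."""
    return "".join(k for k in map(decode_burst, bursts) if k)

TEST_PAN = "4111111111111111"                # public test number, not a real card
unmasked = [key_audio(k) for k in TEST_PAN]  # what an unprotected recording holds
masked = [tone((1000,)) for _ in TEST_PAN]   # assumed masking: one flat tone per key
print(repr(recoverable_digits(unmasked)), repr(recoverable_digits(masked)))
```
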

Touchtone masking technology can descope the entire call center by removing card data entirely from the environment.
  • Call recordings no longer record card data.
  • Agents are no longer exposed to card data.
  • Card data is no longer transmitted through agent computers.
  • The contact center phone system doesn’t transmit card data.

How payments are processed after the customer inputs the payment data depends on which solution provider and technology you implement. I’ll use Eckoh’s two DTMF solutions to illustrate what happens to the customer’s card data:
  • Eckoh collects the credit card information from the customer via secure touchtone and authorizes the transaction on the call center’s behalf. As soon as data is authorized, no card data is retained in the Eckoh systems.
  • In another method, Eckoh tokenizes a representation of the customer’s credit card number as they enter it into their phone, which is then relayed to the contact center. When the contact center is ready to process the transaction, the transaction is proxied via Eckoh’s data center to the processor, in which Eckoh switches the token back to the real card number.
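
The second, token-based flow can be sketched as follows. This is an added illustration, not Eckoh's implementation: the `TokenProxy` class, the token format (random digits that keep the last four and deliberately fail the Luhn check), the single-use vault and the sample contact center record are all assumptions. The point it shows is the scope check: the contact center's own records contain nothing that scans as a card number.

```python
import re
import secrets

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Luhn-valid 13-19 digit runs in text: what a card-data scan would flag."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_ok(m)]

class TokenProxy:
    """Hypothetical provider-side service; the only place the real PAN exists."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan):
        """Issue a same-length token that keeps the last four and fails Luhn."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._vault:
                self._vault[token] = pan
                return token

    def forward_to_processor(self, token, amount):
        """Swap the token back to the PAN on the way out (single use, assumed)."""
        return {"pan": self._vault.pop(token), "amount": amount}

def contact_center_record(token, amount):
    """Constructed example of what the contact center's systems would store."""
    return f"order=1001 card={token} amount={amount}"

TEST_PAN = "4111111111111111"  # public test number, not a real card
proxy = TokenProxy()
token = proxy.tokenize(TEST_PAN)
record = contact_center_record(token, "25.00")
print(record, find_pans(record))
```
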

Pros of using DTMF for PCI DSS 3

Besides the obvious data security and PCI DSS benefits, here are some additional positives of implementing DTMF in a call center environment.

Increased Customer Trust
Universally, people are comfortable giving card details via DTMF. It’s evident call center agents don’t see sensitive data when they ask a customer to type it in their keypad instead of verbalizing.

According to Ross, even the elderly feel safer. “Eckoh has a client in the U.S. with many hundreds of thousands of life insurance customers, most over the age of 65,” says Ross. “Consistently we get terrific reports of customer service because they know their credit card information is being kept secure.”

DTMF has another consumer benefit. Customers on the other end of the call don’t need to read their credit card information aloud in public environments like the train or the office, potentially exposing private information.

Available for All Shapes and Sizes
DTMF technology doesn’t just work in large call centers. It can be implemented in any environment. After all, PCI DSS 3 requirements apply to mom and pop shops the same way as they would a multi-million dollar call center.

There are many instances where DTMF solutions have been adopted by franchises. For example, Ross says Eckoh’s secure call payments solution works equally well in practice for a large company with many hundreds of individual stores. Each store acts as a franchise but is quite tiny. Although there are many hundreds of stores in the chain, the calls all transmit through a single platform.

Reduces Future Attacks
A fundamental change in the card payment industry will significantly increase risks for call center providers in the future. With the adoption of EMV payments worldwide, the existing card-present fraud market is drying up. Smart criminals are refocusing on the cardholder-not-present channel.

According to Ross, in recent PCI Community Meetings, the key message from the PCI Council has been “increased activity in card-not-present fraud”, especially due to U.S. card present transactions recently becoming more secured through EMV technology.

Cons of using DTMF for PCI DSS 3

Like all technology, it might break
DTMF is no different than any other system, and merchants must think of the implications if it stops working.

When merchants are interested in implementing DTMF technology, they must ask themselves: If the system fails, what is my disaster recovery plan? What impact will it have on my PCI DSS scope?

In general, approaches to system breakages involve having a failsafe mode. The failsafe could be as simple as routing payments through a different platform than the one normally used until the problem with DTMF can be fixed.

Not all DTMF solutions are created equal
Keep in mind that not all DTMF solutions may descope a whole call center. For example, if a DTMF solution isn’t integrated directly with a payment gateway outside the customers’ call center network, call center computers could still be in scope, since they receive and transmit primary account numbers (PANs) even when those numbers aren’t visible or audible to employees.

Make sure you know where the actual digitized data goes after the DTMF process. If it still goes through the service provider systems, there’s no scope reduction.

Contact Center Compliance

Implementing a DTMF solution is a no-brainer for call centers and any other organization looking to reduce PCI DSS workload and costs while greatly increasing data security.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.