Support
Phone Payments

What is DTMF masking and how can it support remote staff in maintaining compliance?

If you take payments over the telephone and also continue to have some staff working from home, then read on. When did you last check that you have a suitable solution in place to ensure PCI compliance?

Business Advice FAQs

Posted 28/11/2023

Many businesses had to put temporary solutions in place during the pandemic, however now, with home working clearly set to continue, it’s important to ensure your systems remain robust enough. If not, your company is at risk of rogue agent attack, cyber crime, data breaches, reputational damage and significant fines.  

Having key staff working from home is now the norm for many businesses. The speedy introduction of digital solutions during the pandemic facilitated a step change in how large numbers of companies chose to operate, especially in the all-important customer payments arena.  

Unfortunately, those sweeping changes also meant that some also found themselves on the wrong side of the law regarding the process of accepting payments over the phone. The Payment Card Industry Data Security Standard (PCI DSS) sets clear parameters for how companies should protect their business, employees and customers, and comply with their legal obligations. One crucial area covers the practicalities of maintaining security for telephone-based card payment processing. This is where DTMF masking software can make all the difference.  

What is DTMF and why is it an issue? 

DTMF stands for ‘dual-tone multi-frequency’ and refers to the signals or ‘beeps’ generated when a user presses individual buttons on their telephone keypad. These tones are emitted as dual frequency (one high, one low) which was a measure put in place to try and prevent voice imitation. Unfortunately, hacking software is now used by fraudsters to decode these signals and subsequently steal valuable card data. 

Of course, security procedures such as company-provided hardware with up-to-date firewalls and dual authentication measures do go some way to protect sensitive data and meet PCI responsibilities. But the most effective way to ensure that your employees can’t be compromised is to remove their exposure to the information cyber criminals are actually seeking. With the right DTMF masking solution in place, your home-based employees can continue to efficiently and effectively support your customers with making phone payments without ever having to see, hear, or have access to the specifics of each customer’s individual payment data.  

How can a DTMF masking solution help your business? 

With DTMF masking software in place, the solution is simple. As the customer on the line enters their card payment details, the supressing software either removes the DTMF tones, or, as with DTMF masking, the tones are replaced by either a random tone or a flat tone. This ensures that even if calls are recorded and hacked, the signals can never be decoded – effectively removing the threat of malicious attacks by criminals or rogue agents. 

Customers input their card information using their telephone keypad when prompted and the information is automatically transmitted to the Payment Service Provider (PSP) for authorisation. No cardholder data is exposed to the agent; it also bypasses your environment entirely. All of this means that the scope of PCI DSS (and therefore your company risk) is vastly reduced. 

And that means that your employee can focus on providing customer support as needed. For example, they can stay on the line with the customer whilst they are making their payment, provide verbal support if required, and monitor the customer’s progress using a desktop application. Here the agent will only see asterisks as the payment details are entered. This ensures a compliant and secure environment to process card payments, but still delivers a supportive and seamless customer experience. 

What are the benefits of DTMF masking? 

Without appropriate segmentation, the merging of voice and data systems puts your wider infrastructure into PCI DSS scope – and that can include your employee’s working environment. However, a properly designed and deployed DTMF masking or suppression solution takes the telephony environment, the agent environment, and the CRM system out of PCI scope. All of this reduces your business risk.  

Your employees will have confidence in DTMF masking software too because if they know that if card payment data is somehow be breached from elsewhere within the organisation, fingers will never be pointed in their direction as they don’t have any access to the data.