PCI DSS compliance in contact centres via DTMF hiding

20 January 2021

Every contact centre that is currently processing payments is acquainted with The Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is the gold standard for organizations that handle credit card payments, in order to avoid credit card fraud. The Security Standards Council (SSC) has been formed to accomplish all the individual policies of card companies (Visa, MasterCard, American Express, Discover and JCB) and build a joint criterion. The version v1.0 was released in 2004 and currently, we are in the version 3.2.1.

The main control objectives are:
– Build and Maintain a Secure Network and Systems
– Protect Cardholder Data
– Maintain a Vulnerability Management Program
– Implement Strong Access Control Measures
– Regularly Monitor and Test Networks
– Maintain an Information Security Policy

PCI and voice networks

Even though the most common way to look at this issue in terms of firewalls and system management, it has some deep implications for voice networks. Overlooking the risk and impact of data breaches cannot be overstated. Companies need to consider not only direct costs such as legal fees or customer compensations but also costs like brand reputation and trust loss which also means tangible financial implications like customers using other payment systems.

It is remarkable that according to industry studies, when customers were asked how they paid the last time they bought through the phone, a whopping 46% of respondents answered that they were asked to read their card details out loud. This sort of approach brings high risk to data breaches, not only the agent has access to this information but also if the calls are being recorded, a hacker accessing the system would have access to this information as well.

Whether there are many options to tackle the issue of compliance such as having network segmentation, pausing recording when the customer is providing card details or having specific teams processing payments; all these solutions bring a high cost in terms of implementation and require organisational and technological changes. Due to this, companies are looking into carrying this risk outside their boundaries and one of the solutions that contact centres are adopting nowadays is the usage of DTMF tones to deliver information to IVR. Oftentimes, in order to make fast payments (typically in voice call for recovering debts), tones are used to submit card numbers. These tones must be managed by the payments gateway, but hidden to the agent of the contact centre so there is an effective reduction of data breach risk.

This approach helps to tackle two of the PCI requirements that affect payments over voice systems:

  • Requirement 4. Encrypting transmission of cardholder data over open, public networks. Strong encryption, including using only trusted keys and certifications reduces the risk of being targeted by malicious individuals through hacking.
  • Requirement 7. Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a “need to know” basis.

DTMF hiding and compliance process

Another high cost that was not mentioned before are the compliance costs, these translate mainly into auditing costs and administrative procedures of complex regulation. It is true that these costs do not affect all actors the same way as the level of compliance depends on the number of annual transactions, from level 1 (over 6 million per year) to level 4 (less than 20.000 transactions per year). Yet the costs Compliance validation that involves the confirmation that the security procedures have been implemented are still there and become higher when companies keep data inside their walls.

There are a few recommendations that can help companies in this situation lower their costs and comply in an easier way with the PCI mainly contact centres can use the following when designing their payment processing procedure:

  • DTMF masking as a way of descoping and reducing breach risks: pause and resume might seem like a valid and cheap solution but the reality is that the agent still hears the financial information of the customer. This means that there is still one risk point in the chain as inside data breach; also, customers are usually reluctant to provide their banking details to some other person.
  • Keep data outside your data centres when possible: the more data companies gather and store the higher risk of a large scope of data loss, this translates into higher requirements of compliance not only with PCI but also with other regulation such as GDPR in Europe.

Quobis solution for service compliance by using DTMF hiding

For these reasons, Quobis helps companies to implement the right element to be compliant with the current regulation whilst lowering breach risks. The architecture is based on the usage of Session Border Controllers or Media Servers that remove the compromised tones in the agent’s leg while being delivered to the payment gateway. Tones can be directly removed or substituted by others removing the agent from the equation of having access to the information that the customer is sending.

Service Compliance & DTMF hiding
Service Compliance & DTMF hiding

Drop us a few lines

We will get back to you immediately