DTMF Masking for PCI DSS Compliance Initiatives

Dual-tone Multi-Frequency (DTMF) masking is quickly becoming the contact center industry standard for securely capturing and masking sensitive cardholder data during agent-assisted payment transactions. DTMF technology enables contact centers to eliminate the challenges associated with verbally collecting credit card data from a customer over the telephone.

Contact Center use of DTMF Masking

In the contact center, DTMF masking is a technology that allows customers to provide their credit card number during an agent-assisted call using their telephone keypad. Personally Identifiable Information (PII) such as a credit card number, Social Security Number, date of birth, and PIN can all be entered securely through the phone system. With DTMF technology, customers enter information on their telephone keypad in lieu of verbalizing the information to the call center agent.

In addition to giving customers a sense of security because they do not have to verbalize their sensitive information, DTMF masking technology also allows the customer and agent to remain connected through the entire call process, leading to increased customer satisfaction and lower call handling times.

DTMF Masking and PCI DSS Compliance

We are all aware of the 12 PCI DSS security standards that any entity involved in accepting, transmitting, or storing cardholder data must adhere to, but how can DTMF masking technology aid call centers with PCI DSS compliance and descoping efforts? DTMF masking applies specifically to PCI DSS standard three: Protecting Cardholder Data. In the contact center environment, DTMF masking makes it possible to:

  • Reduce the number of systems that sensitive data traverses in the network
  • Remove agent workstations from PCI scope as sensitive cardholder data is neither captured on nor recorded from an agent’s desktop
  • Minimize risk by eliminating the need for “pause and resume” and scrubbing recordings
  • Allow for complete call recording for quality control purposes as cardholder data is not verbally captured

The power of DTMF masking in agent-assisted payment transactions is that the sensitive cardholder data is not seen, heard, or recorded, effectively protecting cardholder data and assisting with PCI DSS compliance initiatives.

It is important to note that the use of DTMF masking technology alone won’t make a contact center PCI DSS compliant. However, use of a PA-DSS application implemented in a PCI DSS compliant environment will aid the PCI Qualified Security Assessor (QSA) in their PCI Compliance Assessment.

iGuard® by IntraNext is a PCI Council PA-DSS validated security software application for contact centers that utilizes DTMF masking technology, and IntraNext is a PCI SSC Qualified Integrator and Reseller (QIR) company.  A full list of PCI validated payment applications can be found on the PCI Security Standards Council website.  Contact sales@intranext.com for additional information.