28th November 2018
DTMF masking is the new PCI DSS gold standard for protecting telephone-based payment card data, reveals Syntec’s research
Supported by the global PCI Security Standards Council’s new guidelines
Syntec’s latest update of its PCI DSS* tracking research, conducted since 2012, shows that
- consumers are increasingly concerned about payment card data security when paying over the phone
- expert advice is also moving away from recommending the use of mitigating controls such as ‘pause and resume’ (stop/start call recordings) towards the emerging new standard of DTMF masking or ‘keypad payment by phone’.
Syntec surveyed 750 consumers in the UK, USA and Australia in 2018 and conducted in-depth interviews with a variety of card payment experts, including representatives of client companies, payment services providers, consultants and QSAs. The survey reveals a significant rise in consumer concern about payment security in contact centers. 63% of consumers now say that there have been times when they have not bought something due to concern about payment card security when paying over the phone, a rise of almost 20% since 2016. 31% of consumers now say that they never make payments by phone, up from 19% in 2016.
Consumers clearly feel that the responsibility for ensuring that their details are secure lies with contact center managers. When asked whether call center managers should do more to prevent credit and debit card fraud, 80% agreed. The same number feel that organizations should not be allowed to keep payment card details in their databases.
So what is consumers’ preferred option for how organizations should best avoid fraud in contact centers? The most popular answer is DTMF masking**. When asked how organizations should best avoid fraud in contact centers, “using secure technology to hide the card details from both the call center agent and the call recording” was the most popular response by a significant margin, selected by 42% of respondents.
This aligns with the views of the payment security experts and client organizations interviewed as part of this research. All the client organizations interviewed were looking for technical solutions to help them de-scope from PCI DSS. The view amongst the PCI assessors and security experts interviewed is that whilst mitigating controls can be useful in reducing risk, the best option for organizations is to de-scope entirely by creating a ‘no card data environment’ – and that DTMF masking (or DTMF clamping) is a very successful way of achieving this. Syntec’s updated research suggests that client organizations are now catching up with this view too. John Greenwood, Executive Director, Compliance 3 and one of the industry experts interviewed says, “If [an organization’s] strategy is designed to reduce the overall time, cost and effort in maintaining PCI DSS compliance, then that strategy should be to avoid establishing a card data environment in the first place.”
The consensus is that call centers should no longer ask consumers to read their card numbers out, but to enter them on the keypad of their own phone, to be transmitted as DTMF touchtones (the same way phone numbers are dialed). “Reading your card numbers out is not an efficient way of doing things, nor is it secure,” says Kevin Dowd, ex-Chairman of the CNS Group. “In almost all instances, there is absolutely no need for a company to even see credit card data that’s going to bring them into PCI scope. DTMF is the solution for telephone payments. If I were running a call center that’s how I would do it.”
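To make the keypad-entry and masking flow above concrete, here is an added simulation written for this article; it is not Syntec's CardEasy code nor anything from the PCI SSC guidance. It synthesizes the standard DTMF tone pairs for a keyed card number, decodes them with a Goertzel detector on the payment path, and hands the agent/recording path a copy in which every detected tone segment has been replaced by a flat tone. The sample rate, frame length, detection threshold and 1000 Hz masking tone are constructed assumptions, and the card number used is a well-known test value, not real data.

```python
"""Toy DTMF masking pipeline (added example, not Syntec's or the PCI SSC's code).

A caller keys digits on their handset and the tone pairs travel on the line.
The secure payment path decodes them; the agent/recording path receives a
copy with every detected tone frame replaced by a flat tone, so the card
number cannot be recovered from the agent's audio or the call recording.
"""
import math

FS = 8000          # narrowband telephony sample rate, Hz (assumed)
FRAME = 160        # 20 ms analysis frame at 8 kHz (assumed)
THRESHOLD = 200.0  # Goertzel power needed to count a tone as present (constructed)
ROW_FREQS = (697, 770, 852, 941)      # standard DTMF low-group frequencies, Hz
COL_FREQS = (1209, 1336, 1477, 1633)  # standard DTMF high-group frequencies, Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")  # row-major standard keypad layout


def key_to_freqs(key):
    """Return the (low, high) frequency pair for one keypad symbol."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def synthesize(keys, tone_ms=80, gap_ms=40):
    """Build a float sample stream: each key is a two-tone burst followed by silence."""
    samples = []
    for key in keys:
        f_lo, f_hi = key_to_freqs(key)
        for n in range(FS * tone_ms // 1000):
            t = n / FS
            samples.append(0.5 * math.sin(2 * math.pi * f_lo * t)
                           + 0.5 * math.sin(2 * math.pi * f_hi * t))
        samples.extend([0.0] * (FS * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq):
    """Power of one frequency in a frame (Goertzel algorithm, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect_key(frame):
    """Return the keypad symbol present in a frame, or None if no valid pair."""
    row_p = [goertzel_power(frame, f) for f in ROW_FREQS]
    col_p = [goertzel_power(frame, f) for f in COL_FREQS]
    r, c = row_p.index(max(row_p)), col_p.index(max(col_p))
    if row_p[r] < THRESHOLD or col_p[c] < THRESHOLD:
        return None
    return KEYPAD[r][c]


def decode(samples):
    """Frame-wise detection; a key is emitted once per burst (silence separates repeats)."""
    digits, prev = [], None
    for start in range(0, len(samples), FRAME):
        key = detect_key(samples[start:start + FRAME])
        if key is not None and key != prev:
            digits.append(key)
        prev = key
    return "".join(digits)


def mask(samples, mask_freq=1000, level=0.3):
    """Copy the stream, replacing every frame that carries a DTMF pair with a flat tone."""
    out = list(samples)
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        if detect_key(frame) is not None:
            for n in range(len(frame)):
                out[start + n] = level * math.sin(2 * math.pi * mask_freq * (start + n) / FS)
    return out


def simulate(keys):
    """Return what the payment path and the agent/recording path each recover."""
    line = synthesize(keys)
    secure_path = decode(line)        # payment gateway side receives the digits
    agent_path = decode(mask(line))   # agent and recorder get only the masked audio
    return secure_path, agent_path


if __name__ == "__main__":
    # Constructed input: a widely used test card number, not real card data.
    print(simulate("4111111111111111"))  # -> ('4111111111111111', '')
```

The split between `decode(line)` and `decode(mask(line))` is the point the quoted experts make: only the component that needs the card number ever sees the tones, and the agent desktop, CRM and recorder are fed audio from which a detector recovers nothing. A production deployment also has to mask the tones before they reach any screen-recording or speech-analytics feed, and to handle real line conditions (twist, noise, talk-off), which this toy detector does not attempt.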
The PCI Security Standards Council has just issued new guidelines for PCI DSS compliance in contact centers entitled ‘Protecting Telephone-Based Payment Card Data’, updating them for the first time since 2011. DTMF masking is highlighted in these new guidelines too:
“A properly designed and deployed DTMF masking solution can take not only the telephony environment, but also the agent environment and CRM system out of scope”.
Colin Westlake, Syntec’s Managing Director, commented: “DTMF technology such as our patented CardEasy ‘keypad payment by phone’ system has now come of age both for attended payments on the phone with call center agents and unattended customer self-service payments using IVR, as well as keeping card data out of call recordings and de-scoping the contact center environment from PCI DSS. As the contact center is a prime target for hackers and data breaches, it’s good to see this endorsement of DTMF masking in this latest Syntec international research survey as well as the new PCI SSC guidelines.”
The free Syntec research White Paper with this year’s survey results also includes further tips and recommendations for Contact Center leaders and can be downloaded at http://www.syntec.co.uk/product/pci-dss-in-contact-centers/
The PCI SSC guidance for protecting telephone-based card data is available at
You can download a PDF version of this press release here.
Notes for editors
*PCI DSS = Payment Card Industry Data Security Standards (regulations)
** DTMF = Dual Tone Multi-Frequency (touchtones); ‘masking’ or ‘clamping’ DTMF = suppression of the tones so that card numbers can’t be deciphered
Founded in 1998, Syntec is an independent UK network operator providing a range of managed services to contact centers across a variety of sectors in the UK and worldwide. Syntec is a PCI DSS level 1 Visa Merchant Agent & Mastercard Service Provider and participating organization of the global PCI Security Standards Council (PCI SSC).
Press Contact: Simon Beeching email@example.com +44 (0)7973 384496