6 steps to card payment security in call centers

  • Payment card data is no longer seen, heard or stored in contact centres & call recordings
  • Improves customer experience & call handling times
  • Flexible on-premise & cloud deployment options
  • NEW CardEasy Digital facilitates secure omni-channel payments for e-mail, SMS, webchat, WhatsApp, video calls, chatbots and social media using secure links and QR codes

Voice channel

Syntec’s patented CardEasy system lets your customers enter their card numbers using the touchtone keypad of their own phone, either mid-call in conversation with the agent or using customer self-service autopay (IVR). This technique is called ‘DTMF masking’: the dual-tone multi-frequency (DTMF) tones are suppressed so that they are not fully audible or visible.

This de-scopes your call centre and call recordings from PCI DSS, reducing the risk and costs associated with managing card payments in your contact centre, whilst improving customer trust, call handling times and lost transaction rates.

CardEasy enables you to fully comply with PCI DSS as follows:

  • Your agents will not be exposed to callers’ sensitive card numbers
  • Card numbers will not be stored in your call recordings or captured in screen recordings
  • As the sensitive card numbers do not enter your contact centre or network, this de-scopes this environment almost completely from PCI DSS regulations and audit requirements
  • Your agents can talk to the caller throughout to control the call and transaction

  • CardEasy also offers a customer self-service autopay option (IVR) for 24/7 service and when no agent assistance is required (such as balances payable, utility bills, charity donations and subscriptions)

  • CardEasy helps GDPR compliance by avoiding capture and storage of the card data.

Note on ‘pause and resume’ (‘stop/start’) for call recording: this partial solution can still leave agents exposed to card data, whilst the contact centre remains in scope of PCI DSS regulations and exposed to the risk of fraud.

How does CardEasy work?

  1. A caller wishes to pay by card over the phone
  2. The contact centre agent initiates a request for card authorisation in mid-conversation with the caller
  3. The caller is prompted to enter their card number via their telephone keypad (DTMF, i.e. dual-tone multi-frequency touchtones, which are masked)
  4. Audio from the agent to the caller remains open throughout
  5. Audio from the caller to the agent is cut briefly while they enter the middle six digits of their long card number (PAN) and CV2 on their phone keypad, to ensure that the agent (and call recording) cannot be exposed to the card numbers even if the caller reads out the numbers whilst entering them
  6. The complete call can be recorded but the sensitive DTMF tones are masked from the recording as well
  7. The agent is alerted via their screen when payment has been authorised
  8. Tokenisation, BIN look-up, recurring & multiple payments and multiple currencies are all supported.

What's in scope before and after using CardEasy?

  • PCI DSS has 12 main requirements. Within those requirements are various “controls” that relate to the requirement title
    • Red crosses show where controls need to be put in place by the merchant to achieve compliance (assuming no controls at present)
    • Green ticks show where CardEasy removes the need for such controls for MOTO payments, as it largely de-scopes your call/contact centre environment from PCI DSS

  • Legacy pause & resume solutions only resolve a handful of controls as they only de-scope the call recorder.
  • From a PCI DSS perspective, using the CardEasy cloud offers you the greatest control reduction opportunity.
  • For merchants processing fewer than 6 million transactions a year, choosing CardEasy cloud solutions can allow for SAQ-A compliance, requiring only requirement 12 to be completed.

The following technical diagram illustrates what’s typically in scope of PCI controls before and after deploying CardEasy (the red shaded areas are in scope).

Cost-effective compliance

Using CardEasy saves you time and money by taking your call centre operations out of scope from PCI DSS controls, whilst removing the need for time consuming oversight and PCI audits. Set up costs are low and ongoing managed service costs are ‘per agent’ or ‘per channel’ depending on your organisation’s requirements, so can be linked directly with your channel/agent utilisation.

Deployment options

Deployment and integration

Hosted, on-premise or cloud-based?

CardEasy offers you three deployment models:

  • Network hosted: involves routing your call traffic via the Syntec voice network in order to access our CardEasy hosted environment (options include new numbers, number porting and call forwarding via ISDN or SIP)
  • On-premise for ISDN or SIP: involves CardEasy hardware which is normally located within the merchant’s data centre. Supports ISDN and/or SIP from any provider globally.
  • Cloud: removes the need for call traffic to route via the Syntec voice network or any on-premise hardware. This deployment model is ideal for customers using SIP channels, or a wholesale solution.

All CardEasy deployment models use the CardEasy cloud for connections to the various payment services providers (PSPs). The on-premise model supports all ISDN and SIP providers globally. The cloud model will depend on the nature of your SIP environment.

In the on-premise deployment model, CardEasy hardware is located on the customer’s premises, installed between the ISDN/SIP lines and the telephone system. All inbound and outbound calls are routed via the CardEasy hardware, which acts as a DTMF capture device. Unlike other premise-based DTMF solutions, CardEasy has no requirement for hardware to be attached to agents’ phones or PCs.

The CardEasy hardware captures the PAN and CV2 entered by the customer using their telephone keypad, with the agent remaining in conversation with the customer throughout. This data is conveyed to the CardEasy cloud over a secure connection, where it is processed before being forwarded to the PSP for authorisation; the result is returned to the agent (and back office systems if required) in real time.

CardEasy is provided as a fully managed service by Syntec, a PCI DSS Level 1 service provider, offering you full PCI DSS de-scoping for your call centre environment.

Integration options

Easy integration with PSPs, telephony and back office systems

CardEasy is already integrated with a large number of leading payment services providers (PSPs) and tokenisers (TSPs) (see our partners page for a full list) and can easily be integrated with others.

CardEasy will work with any telephony system (on-premise or cloud-based) and Syntec is an Avaya DevConnect technology partner; Genesys Appfoundry partner; Cisco preferred solution partner; and a Mitel Solutions Alliance member.

CardEasy is agnostic to phone system make and model. It will work with any ISDN or SIP provider globally and with any payment gateway and/or tokenisation service provider.

Agent control integration options include a virtual terminal launched by your business system (e.g. CRM, reservation/booking/sales system) which may be used to replace hosted payment pages; a SOAP API; a JavaScript library for use in web applications; a .NET API for use in thick clients; and pre-built desktop clients which can be used with legacy green screen terminal emulators.  

CardEasy speech recognition (ASR)

Merchants are sensitive to the need for callers to be able to pay by whichever means is preferable or comfortable for them, even if they have a disability which makes DTMF touchtone entry of their payment card numbers on a phone handset difficult.

To cater for this small but important minority of users, Syntec offers an automated speech recognition option with CardEasy, so that everyone can use the service to make payments, whilst maintaining PCI DSS compliance at all times. This service is used by a number of Syntec clients including a major financial group who have been using it for a number of years.

CardEasy Speech Recognition keeps the caller on the line when they are invited by the agent or IVR system to speak their card numbers (instead of entering them using their phone keypad, as is usual with CardEasy). Speech is muted while this is in progress, so that the agent and call recordings cannot pick up the card numbers. The spoken numbers are converted to text to allow for verification by CardEasy and then transmission to the Payment Service Provider (PSP) for authorisation.

Controls ensure that if the caller has any trouble while the call is muted and they are reading out their card numbers, the call is reconnected with the agent for further assistance. So when you de-scope your contact centre with CardEasy, all your customers are catered for, even if they cannot use the more usual ‘keypad payment by phone’ technology.

Syntec is the managed service provider

About Syntec – the service provider behind CardEasy

CardEasy is Syntec’s proprietary and patented system. Syntec is a PCI DSS level 1 Visa Merchant Agent and Mastercard Service Provider and is a participating member organization of the global PCI Security Standards Council.

What our customers say

Overall we’re very happy with CardEasy. We need systems that support our high quality customer service ethos and meet our commercial requirements and in our case, CardEasy matches those needs and does exactly what it promised.

We chose Syntec because they had the solution that we needed to de-scope our live contact centre agent and IVR environment. Syntec was the only vendor that provided the flexibility to integrate with our home-grown systems because their system can be cloud-based, with no requirement to change any of our existing IT.

“CardEasy ‘keypad payment by phone’ was the perfect fit to resolve the PCI compliance and data security needs in Staples’ major call centres in Europe. This was because of its ease of use mid-call, the breadth of PCI DSS issues it resolves in one go,  the flexibility of integration with all our differing systems and the ability for them to meet our tokenisation requirements”

We wanted to further enhance data security in our call centre and decided to use Syntec’s secure phone keypad payment (DTMF), as it’s important to our customers that our payment solution is safe and easy to use.

CardEasy works just as effectively for callers in the USA, Germany and Australia as in the UK.

The CardEasy solution easily de-scopes us from PCI DSS compliance and mitigates the risk of any internal fraud. The platform is scalable and easy to use…along with the confidence we have in Syntec who have been instrumental in a smooth implementation, guiding us and offering insight.

We have been impressed by the flexibility, ease of integration and support of the CardEasy system, as well as its PCI DSS security to protect in-house operations and our outsourced service providers in the USA and EMEA.

Miele selected Syntec’s pioneering, hosted CardEasy system to enrich customer service whilst de-scoping us from large sections of PCI DSS regulations, which otherwise require significant cost and effort to satisfy.


What makes Syntec’s CardEasy payment service stand out is that to customers it is so much more secure.

What our partners say

Worldpay is a recognised leader in security and risk. Our joint proposition with Syntec offers a secure transaction service while removing the need for call centres to have onerous annual PCI audits.

DTMF touchtone card payment in call centres is the new industry standard for PCI DSS-compliant MOTO payments by phone & call recording.  Our integration and strategic partnership with Syntec’s CardEasy system lets merchants satisfy all the key PCI controls in this environment with just one solution.  It is also better trusted by customers than having to read their card numbers out, whilst also improving the customer/agent experience and reducing call handling times.

Realex is delighted to be partnering with Syntec’s CardEasy ‘keypad payment by phone’ technology, which is fully integrated with the Realex payment gateway. This enables our customers to de-scope call centres, outsourcers and home-workers from PCI-DSS regulations and audits, whilst providing seamless and secure MOTO transactions.

Ingenico ePayments is integrated with Syntec’s CardEasy ‘keypad payment by phone’ system to keep the card data out of the contact centre environment altogether, thus taking you out of scope of PCI DSS controls without compromising customer experience.