It is now more than a decade since version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS) was released, and significant advances have been made in securing cardholder data throughout the transaction process. Designed to ensure that merchants meet minimum levels of security when storing, processing and transmitting cardholder data, the standard has grown to achieve global adoption. Today, at v3.0, it is even more critical to the protection of card payments.
Over the years, three approaches to PCI compliance have come to dominate the market: tokenisation, point-to-point encryption (P2PE) and EMV (Europay, MasterCard and Visa). Both tokenisation and P2PE have proved to be powerful ways of securing data, while EMV has established an essential global standard for the interoperability of chip cards. However, in one sector these advances in security are not effective: the problem remains of how to secure card payments made over the phone to a call centre.
Call centres are generally complex, systems-rich environments with large numbers of employees and high staff turnover. Every element, including the technology, people and the building itself, must be secured if card data is present in order to meet the requirements of PCI DSS. Card numbers entering through the telephone system – and therefore entering into the IT infrastructure of the contact centre – require a significant effort in terms of numerous checks and controls that must be applied in order to achieve PCI DSS compliance. The effort increases further if local law requires the call to be recorded. Efforts to avoid the accidental capture of card details by recording equipment are not always successful, especially if the operator is required to manually undertake activities (such as pausing the recording) to avoid the capture of cardholder data.
A technique known as 'DTMF masking' has been gaining momentum in the UK and is already beginning to see adoption further afield. DTMF (Dual Tone Multi-Frequency) masking enables customers to enter their own card details via the telephone keypad, transmitting them directly to the bank and bypassing the contact centre completely. Because no card data enters the contact centre's infrastructure, this approach can significantly reduce its PCI DSS scope, and with it the compliance controls that must be applied.
The tones made by the keypad are concealed so that the customer service representative cannot identify them by their sound. This means that the conversation with the customer can continue uninterrupted and the agent can help with any difficulties as they arise.
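To make the mechanism concrete, the following is an added example written for this article; it is not code from the authors, from the PCI SSC or from Semafone's product. It assumes 8 kHz narrowband telephony audio processed in 20 ms frames, detects each keypad tone pair with the Goertzel algorithm, hands the decoded digits to the payment side, and replaces every frame that carried a key press with a flat 400 Hz tone before the audio reaches the agent or the call recorder. The detection thresholds and the substitute tone are illustrative choices, and the input audio is synthesised in the script rather than captured from a real call.

```python
"""DTMF detection and masking (added illustration, not a product implementation).

The keypad digits are decoded for the payment gateway, while the audio that
continues to the agent (and to call recording) has the tones replaced by a
flat tone, so neither a listener nor a recording can recover the card number.
"""
import math

SAMPLE_RATE = 8000                         # Hz, standard narrowband telephony rate
FRAME_MS = 20                              # analysis and masking frame length
FRAME = SAMPLE_RATE * FRAME_MS // 1000     # 160 samples per frame

LOW_FREQS = (697, 770, 852, 941)           # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)      # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[row][col]

MIN_TONE_AMPLITUDE = 0.1   # assumed: per-tone amplitude below which nothing is reported
DOMINANCE = 0.5            # assumed: runner-up in a group must be under this fraction of the peak
MASK_FREQ = 400            # assumed: flat tone substituted for detected key presses
MASK_AMPLITUDE = 0.2


def synth_dtmf(keys, tone_ms=100, gap_ms=100, amplitude=0.5):
    """Constructed test input: each key as a two-tone burst followed by silence."""
    samples = []
    tone_n = SAMPLE_RATE * tone_ms // 1000
    gap_n = SAMPLE_RATE * gap_ms // 1000
    for key in keys:
        row = next(r for r, row_keys in enumerate(KEYPAD) if key in row_keys)
        col = KEYPAD[row].index(key)
        lo, hi = LOW_FREQS[row], HIGH_FREQS[col]
        for i in range(tone_n):
            t = i / SAMPLE_RATE
            samples.append(amplitude * math.sin(2 * math.pi * lo * t)
                           + amplitude * math.sin(2 * math.pi * hi * t))
        samples.extend([0.0] * gap_n)
    return samples


def goertzel_power(frame, freq):
    """Signal power at one frequency via the Goertzel recurrence (O(N), no FFT)."""
    w = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame):
    """Return the key whose row and column tones dominate this frame, or None."""
    n = len(frame)
    # Goertzel power of a sinusoid of amplitude A over N samples is about (A*N/2)^2.
    threshold = (MIN_TONE_AMPLITUDE * n / 2) ** 2

    def strongest(freqs):
        ranked = sorted(((goertzel_power(frame, f), f) for f in freqs), reverse=True)
        (p1, f1), (p2, _) = ranked[0], ranked[1]
        return f1 if p1 >= threshold and p2 < DOMINANCE * p1 else None

    lo, hi = strongest(LOW_FREQS), strongest(HIGH_FREQS)
    if lo is None or hi is None:
        return None
    return KEYPAD[LOW_FREQS.index(lo)][HIGH_FREQS.index(hi)]


def mask_dtmf(samples):
    """Decode key presses for the payment side and return agent-safe audio.

    Returns (keys, masked_samples): every frame carrying a key press is replaced
    by a flat tone; all other frames (speech, silence) pass through unchanged.
    """
    keys, masked, previous = [], [], None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        key = detect_key(frame)
        if key is not None:
            if key != previous:          # one entry per key press, not per frame
                keys.append(key)
            masked.extend(MASK_AMPLITUDE * math.sin(2 * math.pi * MASK_FREQ * (start + i) / SAMPLE_RATE)
                          for i in range(len(frame)))
        else:
            masked.extend(frame)
        previous = key
    return "".join(keys), masked


if __name__ == "__main__":
    audio = synth_dtmf("4111#")          # constructed keypad entry, not a real PAN
    keys, agent_audio = mask_dtmf(audio)
    print("to payment gateway:", keys)
    print("recoverable from agent audio:", mask_dtmf(agent_audio)[0] or "(nothing)")
```

Running the script decodes `4111#` on the payment side, while running the detector a second time over the masked audio recovers nothing, which is the property that takes the agent's headset and the call recorder out of PCI DSS scope. In a deployment the masking stage sits in the telephony path before the contact centre, and the decoded digits are forwarded to the payment provider without ever being written to the contact centre's systems.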
It has been a common assumption that telephone payments would die out as more customers shop online, but this has proved to be completely false. The rise of Internet shopping has been accompanied by a corresponding rise in communication with call centres, including web chatting, email and also voice calls, all of which allow companies to offer a more personalised service and to generate higher average sales.
It is essential that call centres adopt and implement the PCI DSS in order to protect the cardholder data they are receiving. Ensuring proper levels of protection of these call centres while still providing a pleasant work environment for staff remains a significant challenge, but DTMF masking can provide an effective and powerful method of achieving this.
By Jeremy King, International Director, PCI Security Standards Council, and Tim Critchley, CEO, Semafone