What is DTMF? Is it widespread?

DTMF stands for “Dual Tone, Multi-Frequency”. It’s a universal standard for sending digits (and some other characters) over the phone.  DTMF is built into every modern telephone - home, office or mobile.

Why take sensitive data from customers using DTMF?

Because it’s much more secure, and gives customers more confidence that their data is being protected.

Also, taking card details by DTMF can decrease your average call handling time (AHT), as agents do not ‘read back’ a customer’s card details to them (i.e. since they can’t see the card details, they can’t say “1234 (pause) 1234 (pause)” etc. after each series of digits the customer reads to them.

The possibility of errors occurring is also reduced as there is only one phase of data entry:

• without DTMF:  the customer reads out the data and the agent types it in (two chances for error)
• with DTMF: the customer types in the data (one chance for error).

Why are DTMF card details more secure than spoken card details?

Sending sensitive data such as credit card numbers as DTMF has a clear security advantage: DTMF can’t be easily understood by humans, but it is very easily detectable by phone systems or computers.

Therefore, sensitive information can be isolated from both call recording systems and also contact centre staff. Without DTMF, spoken card details can end up permanently stored in call recording systems, and can be stolen by contact centre staff.

What are the benefits for your customers?

By entering their personal data using their phone, your customers are more protected from data theft too. Those around them, whether it be in a busy office or on a crowded train, cannot hear (and hence steal) their card payment details. As a result, your customer feels more secure – a feeling which reflects well on your organisation.

A 2009 UK survey of two groups of customers, one speaking their card details and one typing in their card details, found an increase in customer satisfaction scores in the group using DTMF.

Customers will appreciate the ‘anonymity’ of their personal data.

What changes are needed to your internal payment processes?

When you use CallGuard, there are no changes required to your internal payment processes. (Or your CRM system, or the applications your staff use.)

What changes are needed to staff training?

One very minor change is needed. Instead of asking a customer to speak their card details, your staff member will need to ask for them to be typed in using the customer’s telephone keypad.

What should staff members say to your customers?

Here are some suggestions:

• Using your telephone keypad, could you please now enter the long number from the front of your card?
• To allow us to process your card details securely, please type in the long number from the front of your card, using your telephone keypad. (And then) Thanks, now please type the 3-digit security code from the back of the card.

Which details can you take by DTMF?

This technology can be used not just for card details, but also customer PINs, passwords, social security number, date of birth, and any other data which can be taken in numeric format.

Do you want to start using DTMF for your business? For more information, please click here to find out more about CallGuard, or contact Veritape online or by calling +44 (0) 845 899 5500.

Organisations taking payments by telephone and recording their calls, and who are looking to make their call recordings PCI DSS compliant, should look no further than CallGuard, from Veritape.

CallGuard delivers PCI DSS compliance to any call recording system by eliminating sensitive card data from telephone conversations before they are recorded. It can also prevent agents from seeing any card data on screen and hence eliminate the potential for card data theft.

How does it work? Customers, when making payments by phone, enter their card details using their telephone keypad. CallGuard automatically detects and blocks DTMF tones (containing the payment card data) from a call recorder. At the same time, CallGuard automatically enters the customer’s card details into the relevant fields on the Agent’s screen. It obscures the card details, so the Agent handling the call never sees the customer’s personal data. The end result is that you can fully observe PCI DSS call recording requirements and continue to record your calls.

However, Veritape’s technology extends wider than call recordings. Having been incorporated within the ExoIS PeepSafe™ solution, Veritape’s technology can also be used to help remove cardholder data from voice, mail and fax channels. It can also remove cardholder data from entire applications and network segments. This technology partnership gives organisations the ability to completely descope their corporate environment from PCI DSS.

ExoIS is a leading provider of information security, compliance services and products and a PCI Qualified Security Assessor Company (QSAC). It is the powerhouse behind PeepSafe™ 2.0, a cost effective, fully managed secure portal environment that incorporates encrypted email, fax, voice messages, online storage and the safe processing of cardholder data.

PeepSafe™ can completely de-scope voice-only environments from PCI DSS, removing the risk of “at home agents.” It can also de-scope entire call centres, ensuring that corporate call recording systems are fully PCI DSS compliant, greatly reducing the risk of agent fraud. Incorporating a tokenization engine and integrating with any internal application, database and payment gateway, PeepSafe™ can be quickly implemented with minimal effect on existing business processes.

Together, CallGuard and PeepSafe™ deliver more choice to organisations looking to de-scope part or all of their operation from PCI DSS.

“Our technology partnership allows us to deliver a choice of unique services to a wide range of customers,” says Cameron Ross, Veritape’s Managing Director. “CallGuard works well for organisations wanting to ensure that their call recordings are PCI DSS compliant. PeepSafe’s™ powerful, fully-integrated reach means that organisations can de-scope themselves entirely from the demands of PCI DSS.  And both PeepSafe and CallGuard put the interests of the customer first, by ensuring that card holder data is robustly secure.”

- Ends -

Notes for Editors:

About Veritape:

• CallGuard makes recorded calls fully PCI compliant. Quick to implement, it works with any call recording system.
• Veritape specialises in developing innovative, powerful, PCI DSS compliant call recording software solutions; we deliver cost-effective, flexible alternatives to traditionally expensive fixed hardware call recording solutions.
• Veritape is the only call recording company accredited as a PCI DSS Participating Organisation. Well regarded within the call recording industry, we regularly give direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council.
• Our clients include Jaguar, CPM, Exodus Travel, Intasure, PhotoBox and Mobile Mini.
• For more information about Veritape visit us at www.veritape.com. For more information about Callguard, go to www.callguard.co. For interviews and case studies contact Cathy Gibbon, Marketing Manager on 0845 899 5500 x791.

About ExoIS:

• Founded just before the new millennium in the heart of Silicon Valley, ExoIS provides Information Security and Compliance services and products, helping clients identify and mitigate the risks inherent in today’s increasingly interconnected business environments.
• As a PCI Qualified Security Assessor, today its services include a wide range of PCI services and other security and compliance offerings, covering the full spectrum of clients’ information security requirements.
• ExoIS also offers a range of managed services including secure cloud hosting, datacenter outsourcing, compliance SaaS solutions and storage services. Visit www.exois.com to find out more.

As of 01 October 2012, the TIP will be active in the USA (PDF). To qualify, merchants in the USA need to meet these requirements:

1. The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
2. The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
3. At least 75 percent* of the merchant’s total transaction count must originate from dual-interface (contact/contactless) enabled chip-reading device terminals.
4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.

(* Visa Europe stipulates that this figure should be 95% for EU merchants.)

Over time, as EMV enters the US market, and device terminals are changed for those which support EMV, brick-and-mortar retailers could easily find that they’re achieving 75% of payments in dual-interface terminals.

But what about the remaining proportion, some of which may be processed through contact centres? It’s here that meeting the second Visa TIP requirement becomes a challenge. Let’s have a look at it again:

The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.

Historically, this has proven a challenge for organisations of all sizes, in the contact centre environment. Under the PCI DSS requirements, CV2 data must not be stored at all, post-authorisation, in any format. This includes in telephone call recordings. So to ensure that the Visa TIP remains accessible to you, you need to remove CV2 information from your call recording environment, as a minimum.

Luckily, there are 5 ways in which you can do that. Some are easier than others, and some will not be relevant to your situation. We’ve put together a handy guide to help you decide which approach is best for you. You can read it here: http://www.callguard.co/2011/08/five-ways-to-make-call-recordings-pci-dss-compliant/.

One more thing

If you process only Visa transactions, you can stop reading now. Move along, nothing further to see.

Still here? Yes… because as Branden Williams points out, no merchant processes only Visa transactions, right? It therefore seems unlikely that there would be any organisation which could actually use the TIP to reduce its assessment burden right now. However, we concur with Branden, and we hope (even expect?) that the other card brands will follow suit, and allow many merchants to reduce their compliance costs and burden in the near future.

One of Veritape’s core values is to deliver straightforward technology which is easy to both understand and use. In our opinion, the confusion around PCI DSS is not necessary and we think that it diverts attention away from its primary objective of protecting customers and payment card data. In an effort to set the record straight, here are clarifications to five common urban legends about PCI DSS and call recording.

1. We can encrypt the call recordings

It is a fact that if the PAN (that’s the long number of the front of the card) is stored in call recordings, it must be encrypted. However, once a payment has been authorised, the three- or four-digit CV2 security number on the card must not be stored at all.

Encryption is not an adequate tool to prevent the CV2 from being stored because, by design, every call recording system which uses encryption also uses decryption to give supervisors, trainers and other staff members the ability to listen to calls. Yes, encryption is used in some of your other payment processes, like the secure payment connection used in web browsers.

But it’s the fact that both encryption and decryption abilities sit side by side in the same environment (i.e. your call centre) which makes encryption for sensitive authentication data inappropriate. Point 3.2 of the PCI DSS Requirements and Security Assessment Procedures make this very plain: “Do not store sensitive authentication data after authorization (even if encrypted)”.

2. I don’t have to comply yet; I’m a small business so I don’t have to comply

All deadlines for compliance have passed. All organisations, irrespective of their size, are now required to be PCI DSS compliant.

3. PCI DSS isn’t an issue for us as you can’t mine data from audio recordings

The reality is that card data is easily mined from audio recordings, using any number of free or paid-for tools. As technology becomes more sophisticated, it is becoming easier to do so - there are plenty of speech recognition software tools available which will index and locate card data from within audio recordings.

4. Using an IVR system will make me PCI DSS compliant

Not necessarily. While there are PCI DSS compliant IVR systems on the market, many of them do not comply. Using an external IVR to handle card payments may just move the problem around. Sometimes calls handled in this way are recorded too! Furthermore, sometimes the IVR does not prevent card data from being sent back to your site which means that your on-site recording systems still capture the card data.

You may still need to employ a method of making call recordings associated with payments PCI DSS compliant. (On a practical note, you also need to consider the impact on customer service satisfaction levels caused by IVRs – many customers do not like them.)

5. Audio data breaches in contact centres don’t happen so the risk of a fine is minimal

The simple fact is that if you were to suffer a data breach as a result of information stored in call recordings, you would leave your business open to fines from your card acquirer.

It’s true that contact centre data breaches involving audio are not in the public eye, but they certainly do happen. The UK’s largest two acquiring banks have separately reported to Veritape that their customers have suffered audio data breaches and been fined for doing so. In addition, in some US states, where data breach notification is being introduced, data breaches are becoming more widely reported – read about Netflix’s recent headache at www.callguard.co/blog. Strict confidentiality agreements between card issuers, acquirers and merchants, coupled with a lack of mandatory data breach requirements, largely account for why audio data breaches aren’t in the public eye – but they do occur.

So there you go: clarification on five urban legends about PCI DSS and call recording.  If you have found this information about PCI DSS and call recording useful, visit our website at www.callguard.co. CallGuard, by Veritape, will make your existing call recording system PCI DSS compliant, ensure that payment card data remains secure and minimise the risk of card data theft.

Veritape is the only call recording company accredited as a PCI DSS Participating Organisation, giving regular direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council. We understand how PCI DSS affects your business.

The PCI DSS call recording guidelines are maturing. In parallel, conflicting and sometimes inaccurate interpretations of the directive are becoming more prevalent.

The end customer, for whom the guidelines have been introduced, appears to being lost in the mix. And for a business seeking to sort out their PCI DSS compliance needs, it is becoming a needlessly confusing place to be.

One of Veritape’s core values is to deliver straightforward technology which is easy to understand and use. We have been clocking the growing confusion around PCI DSS with concern as, in our opinion, it is unnecessary.  So with the objective of informing instead of confusing, we have laid out some key facts, explained in plain English, about PCI DSS and what it means for business taking payments by phone and recording calls. Here they are:

1.  The PCI DSS guidelines do apply to your business if it takes card payments by phone and records its calls

2.  These guidelines have been put in place to protect your customers’ card data and to reduce the risk of credit card fraud. It is a customer centric measure and of course, happy customers stick around, so ultimately, PCI DSS can be good for your business

3.  The PCI DSS guidelines specify that after a payment has been authorised, the sensitive authentication data (i.e. the three- or four- digit CV2 security number on the card) are not stored in any format. That means not in stored data files, not in recorded calls, not in a spreadsheet, not in an email and not scribbled down on paper whilst taking a call.

4.  If you store the PAN (that’s the long number on the front of the card) then you need to ensure it’s encrypted. However, encrypting the CV2 is not acceptable – you simply can’t store it at all.

5.  The PCI DSS guidelines don’t say that agents cannot be involved in taking a card payment over the phone. They do recommend that you should consider ways of preventing an agent who takes card payments by phone from being able to see sensitive card data on their screen.

6.  There is no approved method for making your business’ call recordings PCI DSS compliant. There are several ways to meet the guidelines but you will need to choose what works best for your business. Compare these methods of making call recordings PCI DSS compliant at www.callguard.co/compare.

So there you go: six uncomplicated key facts about PCI DSS and call recording.

CallGuard, by Veritape, will make any call recording system PCI DSS compliant, meaning that you can retain your existing call recording infrastructure. Veritape is the only call recording company credited as a PCI DSS Participating Organisation and we give regular direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council. We understand how PCI DSS impacts on your business. Visit www.callguard.co for more information.

Nuclear power plant filter: stops jellyfish - www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-13971005

Chelsea filter: stops particular wavelengths of light, to assist the identification of coloured stones - http://en.wikipedia.org/wiki/Chelsea_filter

Wimbledon Net Mix: quietens the “grunt” - http://www.bbc.co.uk/5live/wimbledon/netmix

CallGuard Filter: stops your credit card data being stored in call recordings - http://www.callguard.co/callguard