New Guidance Rings the Changes for Secure Telephone Payments

Ben Le Feuvre of Sabio discusses how new guidance from the Payment Card Industry Security Standards Council has helped make telephone payments less problematic in the contact centre.

The “voice of the customer” takes on a very literal meaning when you’re dealing with contact centre security. People paying over the phone can cause challenges for the teams tasked with protecting their card details; a simple string of digits read out loud can be hugely problematic on a number of fronts. How to protect the agent who hears it, the customer who speaks it and, most tricky of all, the system that records it?

The regulations around securing telephone payments have just become a whole lot clearer. In November last year, the Payment Card Industry Security Standards Council (PCI SSC) released new guidance defining how the Payment Card Industry Data Security Standard (PCI DSS) must be applied for payments over the phone.

This was the first review of the rules for telephone payments since 2011 and was the work of a Special Interest Group consisting of experts from across the industry. It contains some very specific directions for Qualified Security Assessors (QSAs) – particularly in the area of call recording, where it’s imperative to avoid capturing sensitive card data.

One workaround that looks as though it will be on the way out is the “pause-and-resume” system, where a recording is briefly stopped while customers read out their payment numbers. The new guidance states that these pause-and resume-systems – whether the process is automated or manual – run the risk of capturing sensitive card details.

This means that the QSAs are required to ensure that additional controls, such as securely deleting card holder data and adding multi-factor authentication controls, have been put in place effectively. This may require invasive auditing, which is highly disruptive as well as expensive.

The only solutions that the guidance puts forward to the “voice” problem are those based on scope reduction – reducing or eliminating card data from the contact centre altogether. Among these are payment methods based on dual-tone multi-frequency (DTMF) masking solutions, whereby callers can enter their card numbers themselves via their telephone keypad. The tones emitted by the keys are masked with flat “bleeps”, so numbers cannot be identified by their sound either by the agent or on call recordings.

This means that customers can continue the conversation with the agent throughout the payment process and sort out any problems, and help with any additional queries while supporting those all important customer service objectives and standards. Any first-time resolution targets are protected and supported. Meanwhile, the card details are sent straight to the acquiring bank so they don’t remain in the contact centre and fall into the scope of the PCI DSS.

But it’s also important to note that not all DTMF solutions are equal. This fact is highlighted by the PCI Security Standards Council:

“Some implementations of DTMF masking rely on DTMF detection; this may introduce a delay in the masking, and the initial portion of the DTMF tones may not be masked (this is called “DTMF bleed”). It is important to ensure that all DTMF tones, including any initial small portions of “DMTF bleed” that may be inadvertently allowed through a masking process, are not present in the environment.”

Essentially this means that some DTMF digits or part thereof can be exposed, which can mean card data is brought back into the IT infrastructure of your organisation, resulting in it being brought back into scope for PCI DSS.

Ben Le Feuvre

The new guidance is based on common sense. Protecting customer security should be a top priority for everyone – we’re all aware of the potential damage from a breach, both financial and reputational.

And, when it comes to service, customers who phone in are engaging directly with your brand in a very personal way. It’s an opportunity to show them that you care about their security, and that when it comes to payment, you won’t just transfer them to a machine – you’ll listen to their voice.

About Sabio

Sabio Group is a global digital customer experience (CX) transformation specialist with major operations in the UK (England and Scotland), Spain, France, Netherlands, Malaysia, Singapore, South Africa and India. Through its own technology, and that of world-class technology leaders such as Amazon Connect, Avaya, Genesys, Google Cloud, Salesforce, Twilio and Verint, Sabio helps organisations optimise their customer journeys by making better decisions across their multiple contact channels.

Read other posts by Sabio

Call Centre Helper is not responsible for the content of these guest blog posts. The opinions expressed in this article are those of the author, and do not necessarily reflect those of Call Centre Helper.