New guidance rings the changes for securing telephone payments
The “voice of the customer” takes on a very literal meaning when you’re dealing with contact centre security.
People paying over the phone can cause challenges for the teams tasked with protecting their card details; a simple string of digits read out loud can be hugely problematic on a number of fronts. How to protect the agent who hears it, the customer who speaks it, and most tricky of all, the system that records it?
The regulations around securing telephone payments have just become a whole lot clearer. In November last year, the Payment Card Industry Security Standards Council (PCI SSC) released new guidance defining how the Payment Card Industry Data Security Standard (PCI DSS) must be applied for payments over the phone.
This was the first review of the rules for telephone payments since 2011 and was the work of a Special Interest Group consisting of experts from across the industry. It contains some very specific directions for Qualified Security Assessors (QSAs) – particularly in the area of call recording, where it’s imperative to avoid capturing sensitive card data.
One workaround that looks as though it will be on the way out is the “pause-and-resume” system, where a recording is briefly stopped while customers read out their payment numbers. The new guidance states that these pause-and-resume systems – whether the process is automated or manual – run the risk of capturing sensitive card details. This means that QSAs are required to ensure that additional controls, such as securely deleting cardholder data and adding multi-factor authentication controls, have been put in place effectively. This may require invasive auditing, which is highly disruptive as well as expensive.
The only solutions that the guidance puts forward to the “voice” problem are those based on scope reduction – reducing or eliminating card data from the contact centre altogether. Among these are payment methods based on dual-tone multi-frequency (DTMF) masking solutions, such as Semafone’s Cardprotect, whereby callers enter their card numbers themselves via their telephone keypad. The tones emitted by the keys are masked with flat “bleeps”, so the digits cannot be identified by their sound, either by the agent or on call recordings. This means that customers can continue talking to the agent throughout the payment process, so the agent can sort out any problems and help with additional queries while meeting those all-important customer service objectives and standards. Any first-time resolution targets are protected and supported. Meanwhile, the card details are sent straight to the acquiring bank, so they don’t remain in the contact centre and fall into the scope of the PCI DSS.
But it’s also important to note that not all DTMF solutions are equal. This fact is highlighted in the PCI SSC’s Information Supplement, Protecting Telephone-Based Payment Card Data:
‘Some implementations of DTMF masking rely on DTMF detection; this may introduce a delay in the masking, and the initial portion of the DTMF tones may not be masked (this is called “DTMF bleed”). It is important to ensure that all DTMF tones, including any initial small portions of “DTMF bleed” that may be inadvertently allowed through a masking process, are not present in the environment.’
Essentially this means that some DTMF digits, or parts of them, can be exposed, which brings card data back into your organisation’s IT infrastructure and therefore back into scope for PCI DSS. This will be picked up by any QSA assessment – remember the “invasive” auditing mentioned earlier? Semafone’s Cardprotect solution has bleed removal features to ensure DTMF digits can’t be recovered, keeping your contact centre out of scope for PCI DSS.
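To make the “DTMF bleed” mechanism concrete, here is an added simulation (not Semafone’s code, nor anything from the PCI SSC supplement): a masker that engages only after a detector has confirmed a key press for two 20 ms frames lets the first frame of the tone through, while the same masker with a short look-ahead buffer covers the whole tone. The audio, frame size, confirmation window and detection threshold are all constructed for illustration.

```python
"""Simulated DTMF masking on 8 kHz telephony audio, showing "DTMF bleed":
a masker that waits for a detector to confirm a key press lets the start
of the tone through; a look-ahead buffer lets it mask the whole tone."""
import math

SAMPLE_RATE = 8000          # narrowband telephony
FRAME = 160                 # 20 ms analysis frames (constructed choice)
CONFIRM_FRAMES = 2          # frames a detector needs before trusting a tone
DTMF = {"5": (770, 1336)}   # row/column frequencies for the key used below

def dtmf_tone(key, ms):
    """Two summed sines of amplitude 0.25 each; constructed test audio."""
    lo, hi = DTMF[key]
    return [0.25 * (math.sin(2 * math.pi * lo * i / SAMPLE_RATE)
                    + math.sin(2 * math.pi * hi * i / SAMPLE_RATE))
            for i in range(SAMPLE_RATE * ms // 1000)]

def goertzel_power(frame, freq):
    """Power at one frequency; the usual building block of DTMF detectors."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_is_dtmf(frame, threshold=50.0):
    """A frame counts as DTMF when both of the key's frequencies carry power."""
    return all(goertzel_power(frame, f) > threshold for f in DTMF["5"])

def dtmf_frames(samples):
    """Indices of 20 ms frames still carrying DTMF: the check an assessor
    would run over a call recording to find residual tones or bleed."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    return [i for i, fr in enumerate(frames) if frame_is_dtmf(fr)]

def mask(samples, lookahead=False):
    """Replace confirmed DTMF frames with silence (a product inserts a flat
    bleep). With lookahead, output is delayed by CONFIRM_FRAMES-1 frames so
    the frames used to confirm the tone can be masked retroactively."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    out, streak = [list(f) for f in frames], 0
    for i, fr in enumerate(frames):
        streak = streak + 1 if frame_is_dtmf(fr) else 0
        if streak >= CONFIRM_FRAMES:
            first = i - (CONFIRM_FRAMES - 1) if lookahead else i
            for j in range(first, i + 1):
                out[j] = [0.0] * len(out[j])
    return [x for f in out for x in f]

def bleed_ms(samples, lookahead=False):
    """Milliseconds of DTMF that survive masking and reach the recording."""
    return len(dtmf_frames(mask(samples, lookahead))) * 1000 * FRAME // SAMPLE_RATE

# Constructed call fragment: 200 ms silence, key "5" for 100 ms, 200 ms silence.
AUDIO = [0.0] * (SAMPLE_RATE // 5) + dtmf_tone("5", 100) + [0.0] * (SAMPLE_RATE // 5)
```

Running `bleed_ms(AUDIO)` reports 20 ms of tone left in the recording by the detection-triggered masker, whereas `bleed_ms(AUDIO, lookahead=True)` reports 0 ms; the cost of the fix is a fixed output delay equal to the confirmation window.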
The new guidance is based on common sense. Protecting customer security should be a top priority for everyone – we’re all aware of the potential damage from a breach, both financial and reputational. And when it comes to service, customers who phone in are engaging directly with your brand in a very personal way. It’s an opportunity to show them that you care about their security, and that when it comes to payment, you won’t just transfer them to a machine – you’ll listen to their voice.