
The question of secure payments is always a tough one. Most businesses can take payments through their website, and this is generally accepted as a secure method as long as the website is secured properly.
But what about telephone payments?
This opens up a whole new realm of insecure payments. The range of areas, people and equipment that comes into scope for PCI is massive.
When a customer calls into your business to make a payment, that call is routed over your telecommunications provider, over the secure telephone network, then terminated at your business by your service provider, routed into your PBX, voice recorder, voice network, and finally into your contact centre.
Each leg of the call once it reaches your business is your responsibility to secure.
Some businesses use Pause/Resume technology to simply stop their call recorder from recording the customer's card data. This is done in a multitude of ways, including "auto-pause dependent on agent form filling", where the pause and resume depend on the agent clicking into a pre-defined box, or a manual pause/resume, which gives the agent control over their call recording.
Neither of these methods is acceptable to the PCI security standards organisation (https://www.pcisecuritystandards.org).
This brings us to the alternative: DTMF Call Masking.
What is DTMF Call Masking?
DTMF Call Masking, as it has come to be known, is the process whereby a customer who calls into a business and is asked for their payment card information types it into the telephone keypad instead of saying it aloud. The keypad sends the digits down the telephone line as DTMF (Dual-Tone Multi-Frequency).
Equipment in-line, either in the cloud or on the customer site, then intercepts this DTMF and can perform one or more of the following processes with it:
1) processes the payment on behalf of the merchant directly with their PSP and posts the result back to the agent taking the payment
2) encrypts the DTMF and posts it to the agent's payment form
3) blocks the DTMF from reaching the merchant call recorder by forwarding dummy or no tones.
There are various methods of DTMF and data manipulation to achieve the required goals; these are the most popular. This method maintains a good standard of PCI security and helps secure your contact centre.
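Process 3 above, sketched as an added example (not code from this post or from any vendor's product): an in-line masker detects keypad tones in each audio frame with the Goertzel algorithm, keeps the digits for the payment side, and forwards silence or a fixed dummy tone to the recorder leg. It assumes in-band DTMF in 8 kHz audio cut into 205-sample frames; the function names, threshold and constructed sample audio are illustrative.

```python
import math

RATE = 8000                      # assumed telephony sample rate (Hz)
ROWS = (697, 770, 852, 941)      # standard DTMF row frequencies
COLS = (1209, 1336, 1477, 1633)  # standard DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def tone(freqs, n=205, amp=0.4):
    """Constructed sample audio: a sum of sine waves, n samples long."""
    return [amp * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]

def key_tone(key, n=205):
    """Audio frame for one keypad character."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    return tone((ROWS[r], COLS[KEYS[r].index(key)]), n)

def goertzel(frame, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect(frame, threshold=100.0):
    """Return the keypad character in this frame, or None if no DTMF."""
    row_p = [goertzel(frame, f) for f in ROWS]
    col_p = [goertzel(frame, f) for f in COLS]
    r, c = row_p.index(max(row_p)), col_p.index(max(col_p))
    # A keypress needs one strong row tone and one strong column tone.
    if row_p[r] < threshold or col_p[c] < threshold:
        return None
    return KEYS[r][c]

def mask_leg(frames, dummy=None):
    """Return (digits for the payment side, audio for the recorder leg)."""
    digits, downstream, last = [], [], None
    for frame in frames:
        key = detect(frame)
        if key is None:
            downstream.append(frame)       # speech and silence pass through
        else:
            if key != last:                # a held key counts once
                digits.append(key)
            # Recorder leg hears silence, or a fixed dummy tone if configured.
            downstream.append(key_tone(dummy, len(frame)) if dummy
                              else [0.0] * len(frame))
        last = key
    return "".join(digits), downstream
```

Running `detect` over the downstream frames is a quick check that nothing the recorder receives still decodes to the digits the caller pressed.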
How are you currently taking payments? Do you use any cloud-based payment services? How secure do you think your environment is?
Are you concerned about data breaches?
Please feel free to send me a message about this or any of my posts.
Thanks!