Blog 03 August 2022

Securing your contact centre for PCI DSS compliance

by Nicky Hjerpe


If your agents take customer payments over the phone, the data your organisation collect will include payment card details. As a result, your contact centre must comply with the Payment Card Industry Data Security Standard (PCI DSS).

Accepting payments through multiple channels is integral for many organisations. But it compounds the already complex task of protecting cardholder data securely.

Speaking with a live agent continues to be the payment platform of choice for customers, handing over both cardholder data and personal data to complete a transaction. As contact centres evolve to serve their customers, the attack surface expands with the potential for data breaches.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is all about receiving and storing payment card data – safe handling, without fraud risk. Its detailed guidance gets complicated when customers provide payment information to contact centre agents verbally – the agent can see, hear and transmit card data. The actions of an individual agent can place systems, processes and people into the scope of PCI DSS.

Any non-compliance to the guidance can result in crippling fines and reputational damage for any organisation found to breach PCI DSS.

Solutions to protect your contact centre

The best way to protect your customers, your people, processes and systems from PCI DSS exposure, is to stop it from entering your organisation. Tech is available to effectively shield your contact centre and block sensitive data from coming in – without changing existing payment processes. They reduce the risk, effort and cost of achieving PCI compliance.

These solutions use Dual Tone Multi Frequency (DTMF) muting or masking to offer the highest level of security for protecting cardholder data. If your supplier is a PCI DSS Level One accredited service provider, these solutions make the contact centre environment safe from storing customer payment data, and drastically reduce the huge effort of completing a PCI audit.

What is DTMF Masking?

DTMF are the tones made by your phone when you use the phone’s keypad. With DTMF masking payment solutions, customers enter their credit card information into their telephone handset instead of reading it aloud to the agent. Secure speech recognition options are also available for customers who are unable to use touch-tone keypads.

The solution, usually handled by a PCI DSS Level One accredited service provider, gathers data upstream of the phone environment. The agent cannot hear the digits as they are typed or see the payment card information details on their screen, the DTMF tones are replaced by flat frequency tones, or silence.

The sensitive part of the card information is the middle six digits of the long card number and the last three digits on the back of card. This information is masked by asterisks on the agent screen and sent to the merchant’s processors via a secure environment to complete the transaction.

Screenshot of Liberty Converse showing PCI DSS compliance using DTMF masking

DTMF tech removes contact centre agent workstations and VoIP infrastructure from PCI DSS scope by addressing both parts of the PCI compliance equation. Existing call recording functions can continue running in the background for quality purposes – there’s no need to pause recordings. Agents can stay on the phone with customer while they enter their card information.

This technology can also be applied to automated payments over the phone through an IVR, or through webchat payments.

Outsourced to a contact centre solution provider

Organisations rarely have the inside skills and knowledge to develop their own tech to manage payment security. They typically outsource cardholder data processing to a PCI DSS compliant service provider. When outsourcing call centre functions, it is vital to evaluate the ongoing operational costs and impact on customer experience.

Your solution provider should be PCI DSS accredited by the Standards Council and be able to provide a Report on Compliance (RoC) to show how they stay compliant. Contact centres that deal with payment card data should also have a detailed PCI DSS compliance process policy guide.

How Netcall can help with PCI DSS compliance

We take our customers need for payment security seriously and have made it easy for them to remove their contact centre from the scope of PCI DSS.

We’ve incorporated a leading PCI certified secure payment solution into our contact centre solution, Liberty Converse. Any organisation that takes payments over the phone, can take payments from customers quickly and securely, without an impact on customer experience. It uses DTMF masking technology and removes your contact centre from the scope of PCI DSS.

The agent simply clicks on a button to begin a customer payment and guides the customer through the three simple steps to complete the payment. The agent cannot see, hear or access the payment data, but can quickly reset fields at any time if the customer makes a mistake.

The customer experience is quick and secure. The agent is not exposed to sensitive details they do not need to see. It’s a win-win.

Talk to us today about how you can:

  • Automate payment collection using a self-service IVR
  • Support payments over the customer’s channel of choice: webchat, SMS, email and social messaging
  • Ensure that agents and call/screen recordings have no access to sensitive card data to minimise security risk and help with compliance
  • Ensure that your payment collection process meets PCI DSS Level 1 compliance

Want to further reduce handling time?

The payment process can be speeded up further when integrated using our low-code solution, Liberty Create. When connected with your agent, the customer’s phone number is recognised and their details are pre-populated into the payment form. The customer simply types in their card details. The whole process takes seconds – significantly reducing average handling time.

Watch our demo

See DTMF masking in action and protect your contact centre from payment card data

Talk to us

Let us show you how to become PCI DSS compliant in your contact centre

Latest Blog Posts