DTMF Touch-Tone Payment: The New Standard for Payment by Phone

Who came up with the idea of asking people to read payment card numbers out over the phone to a call center agent, when in-store or online we enter them more securely and discreetly ourselves?

With such regular media reports of data breaches, only 5% of consumers around the world think this is a secure way to pay, according to Syntec’s 2018 tracking research, with the majority saying they are increasingly worried about call center fraud and that managers should be doing more to combat it.

Security and compliance requirements for merchants reflect these concerns. Nearly all states in the USA require individuals to be notified of any data breach affecting their personal data, and Australia has just introduced the Notifiable Data Breaches scheme, similar to the new GDPR legislation in the EU, which affects organizations from any country that have dealings with EU customers. This puts a spotlight on how personal data is handled, in turn pushing greater awareness of the PCI DSS regulations which cover cardholder data.

59% of the consumers we surveyed say the risk of fraud actually makes them avoid paying by phone, so there needs to be a better way of handling this. Consumers prefer to hide the card data from call center agents altogether and to avoid storing card data on merchants’ databases. They see partial solutions such as Pause and Resume (Stop/Start for call recordings) or Clean Rooms for agents as less secure, and these compensating controls leave important areas of the contact center environment still in scope of PCI DSS controls.

The latest annual Kaspersky Lab Corporate IT Security Risks worldwide survey puts the cost of data breaches across 29 countries at $1.23 million on average for enterprises (up 24 percent from 2017), so it also makes huge commercial sense for organizations to find a way to avoid storing card data that is of value to hackers or open to insider fraud.

Historically, PCI DSS has been seen as something of an unwanted cost. It’s only in the last few years that organizations have put data security higher up the agenda and, more recently still, have seen the benefit of establishing a ‘no card data environment’ to take these risks off the table.

The advent of DTMF touch-tone payment technology enables consumers to enter their own card numbers in this MOTO payment environment too, which they prefer, either live in mid-conversation with the agent or using customer self-service IVR. Because the touch tones are masked, card numbers are no longer audible or visible to agents, do not appear in call recordings, and are not available to be captured or stored. This negates the need to segment that data and means that the merchant can de-scope their contact centers, outsourcers and homeworkers from the cost and hassle of PCI DSS controls, and de-risk for GDPR purposes too, by not having the card data at all.

Syntec’s CardEasy ‘keypad payment by phone’ DTMF masking solution won the Genesys ‘Best Security System’ Award at the Call & Contact Centre Expo in London, UK, in March 2018. Seamless integration with the Genesys agent workspace GUI, as well as pre-integration with all the major payment services providers, allows the agent to capture the customer’s card number securely with a single click.

CardEasy is agnostic to the merchant’s telephony and back-office systems and is flexible to deploy globally as a fully managed service, either network-hosted, on-premise or in the cloud. CardEasy works with tokenizers for repeat payments and is already used around the world by major brands such as Staples, Locus Telecommunications LLC and Allied Irish Bank, by insurance, travel, healthcare and utility companies, and by BPOs. Consumer acceptance is high, as the system is easy to use and inherently more trustworthy, and agents like it as it reduces average call handling time and miskeying.

The majority of contact center payments still rely on the ‘old’ method of asking customers to read out their card numbers, so there’s a way to go before DTMF masking becomes as widespread as Chip ‘n Pin (EMV) in retail, or dual factor authorization for online payments. But now that these other payment environments have this better security, fraud is on the increase in contact centers, as they represent a soft target for hackers. So heightened consumer concerns and increased pressure from regulators and data protection legislation are bound to combine to make this new DTMF masking technology the gold standard for contact centers over the next few years, as the card data is no longer there to protect.

Guest blog written by CardEasy.