What is DTMF? Is it widespread?

DTMF stands for “Dual Tone, Multi-Frequency”. It’s a universal standard for sending digits (and some other characters) over the phone.  DTMF is built into every modern telephone - home, office or mobile.

Why take sensitive data from customers using DTMF?

Because it’s much more secure, and gives customers more confidence that their data is being protected.

Also, taking card details by DTMF can decrease your average call handling time (AHT), as agents do not ‘read back’ a customer’s card details to them (i.e. since they can’t see the card details, they can’t say “1234 (pause) 1234 (pause)” etc. after each series of digits the customer reads to them.

The possibility of errors occurring is also reduced as there is only one phase of data entry:

• without DTMF:  the customer reads out the data and the agent types it in (two chances for error)
• with DTMF: the customer types in the data (one chance for error).

Why are DTMF card details more secure than spoken card details?

Sending sensitive data such as credit card numbers as DTMF has a clear security advantage: DTMF can’t be easily understood by humans, but it is very easily detectable by phone systems or computers.

Therefore, sensitive information can be isolated from both call recording systems and also contact centre staff. Without DTMF, spoken card details can end up permanently stored in call recording systems, and can be stolen by contact centre staff.

What are the benefits for your customers?

By entering their personal data using their phone, your customers are more protected from data theft too. Those around them, whether it be in a busy office or on a crowded train, cannot hear (and hence steal) their card payment details. As a result, your customer feels more secure – a feeling which reflects well on your organisation.

A 2009 UK survey of two groups of customers, one speaking their card details and one typing in their card details, found an increase in customer satisfaction scores in the group using DTMF.

Veritape’s view is that your customers will appreciate the ‘anonymity’ of their personal data.

What changes are needed to your internal payment processes?

With CallGuard, Veritape’s product for DTMF data entry, there are no changes required to your internal payment processes. (Or your CRM system, or the applications your staff use.)

What changes are needed to staff training?

One very minor change is needed. Instead of asking a customer to speak their card details, your staff member will need to ask for them to be typed in using the customer’s telephone keypad.

What should staff members say to your customers?

Here are some suggestions:

• Using your telephone keypad, could you please now enter the long number from the front of your card?
• To allow us to process your card details securely, please type in the long number from the front of your card, using your telephone keypad. (And then) Thanks, now please type the 3-digit security code from the back of the card.

Which details can you take by DTMF?

This technology can be used not just for card details, but also customer PINs, passwords, social security number, date of birth, and any other data which can be taken in numeric format.

Do you want to start using DTMF for your business? For more information, please click here to find out more about CallGuard, or contact Veritape online or by calling +44 (0) 845 899 5500.

VigiTrust is known for their work helping companies become fully aware of the security issues in their organisation, and helping to resolve them. It is because of this close-knit integration with the PCI DSS community in particular that they are able to draw on such a great lineup of speakers, which included:

• Jeremy King, the European Director at the PCI SSC
• Doug Smith from Verizon Business, showcasing Verizon’s annual data breach report
• Matt Martin, speaking from Barclaycard’s perspective about PCI DSS challenges for merchants
• Eamonn Skyrme and Nick Heape from Visa Europe, who discussed the Visa Third Party Agents list, launching soon
• Gerard Curtin from PixAlert, who detailed the practical challenges companies face in locating cardholder data in their environment
• Peter Brudenall, a Partner at LG Legal, who talked about the Data Protection Act, the Information Commissioner’s Office, and the upcoming proposed changes to the Data Protection laws.

It was Veritape’s pleasure to be presenting in such company. Veritape’s Managing Director, Cameron Ross, discussed the 5 ways companies can become PCI DSS compliant for their call recording systems. As usual, there was lively discussion around such a topic.

If you would like a copy of Cameron’s presentation, please contact us and we’ll be happy to send it to you.

Many thanks to VigiTrust, whose CEO Mathieu Gorge and VP of Sales Breandán Murray hosted such an informative and engaging day.

Technology partners Veritape and ExoIS showcase CallGuard and PeepSafe™ at the PCI SSC North American Community Meeting in Scottsdale, Arizona.

Organisations taking payments by telephone and recording their calls, and who are looking to make their call recordings PCI DSS compliant, should look no further than CallGuard, from Veritape.

CallGuard delivers PCI DSS compliance to any call recording system by eliminating sensitive card data from telephone conversations before they are recorded. It can also prevent agents from seeing any card data on screen and hence eliminate the potential for card data theft.

How does it work? Customers, when making payments by phone, enter their card details using their telephone keypad. CallGuard automatically detects and blocks DTMF tones (containing the payment card data) from a call recorder. At the same time, CallGuard automatically enters the customer’s card details into the relevant fields on the Agent’s screen. It obscures the card details, so the Agent handling the call never sees the customer’s personal data. The end result is that you can fully observe PCI DSS call recording requirements and continue to record your calls.

However, Veritape’s technology extends wider than call recordings. Having been incorporated within the ExoIS PeepSafe™ solution, Veritape’s technology can also be used to help remove cardholder data from voice, mail and fax channels. It can also remove cardholder data from entire applications and network segments. This technology partnership gives organisations the ability to completely descope their corporate environment from PCI DSS.

ExoIS is a leading provider of information security, compliance services and products and a PCI Qualified Security Assessor Company (QSAC). It is the powerhouse behind PeepSafe™ 2.0, a cost effective, fully managed secure portal environment that incorporates encrypted email, fax, voice messages, online storage and the safe processing of cardholder data.

PeepSafe™ can completely de-scope voice-only environments from PCI DSS, removing the risk of “at home agents.” It can also de-scope entire call centres, ensuring that corporate call recording systems are fully PCI DSS compliant, greatly reducing the risk of agent fraud. Incorporating a tokenization engine and integrating with any internal application, database and payment gateway, PeepSafe™ can be quickly implemented with minimal effect on existing business processes.

Together, CallGuard and PeepSafe™ deliver more choice to organisations looking to de-scope part or all of their operation from PCI DSS.

“Our technology partnership allows us to deliver a choice of unique services to a wide range of customers,” says Cameron Ross, Veritape’s Managing Director. “CallGuard works well for organisations wanting to ensure that their call recordings are PCI DSS compliant. PeepSafe’s™ powerful, fully-integrated reach means that organisations can de-scope themselves entirely from the demands of PCI DSS.  And both PeepSafe and CallGuard put the interests of the customer first, by ensuring that card holder data is robustly secure.”

- Ends -

Notes for Editors:

About Veritape:

• CallGuard makes recorded calls fully PCI compliant. Quick to implement, it works with any call recording system.
• Veritape specialises in developing innovative, powerful, PCI DSS compliant call recording software solutions; we deliver cost-effective, flexible alternatives to traditionally expensive fixed hardware call recording solutions.
• Veritape is the only call recording company accredited as a PCI DSS Participating Organisation. Well regarded within the call recording industry, we regularly give direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council.
• Our clients include Jaguar, CPM, Exodus Travel, Intasure, PhotoBox and Mobile Mini.
• For more information about Veritape visit us at www.veritape.com. For more information about Callguard, go to www.callguard.co. For interviews and case studies contact Cathy Gibbon, Marketing Manager on 0845 899 5500 x791.

About ExoIS:

• Founded just before the new millennium in the heart of Silicon Valley, ExoIS provides Information Security and Compliance services and products, helping clients identify and mitigate the risks inherent in today’s increasingly interconnected business environments.
• As a PCI Qualified Security Assessor, today its services include a wide range of PCI services and other security and compliance offerings, covering the full spectrum of clients’ information security requirements.
• ExoIS also offers a range of managed services including secure cloud hosting, datacenter outsourcing, compliance SaaS solutions and storage services. Visit www.exois.com to find out more.

PCI DSS is becoming an accepted regulatory necessity. Differing interpretations of the guidelines can cause confusion to businesses seeking to become PCI DSS compliant.

There is no single approved method for making call recordings compliant. In fact, there are several PCI DSS compliant methods and, if you are looking for such a solution, you need to choose the option which best suits your business.

Here is an overview of which methods, when properly implemented, will make call recordings PCI DSS compliant:

These methods can work

1. Pause and resume.

The “pause and resume” method records the entire call apart from the sensitive authentication data. It is technically difficult to set up and tricky to maintain during future changes within your organisation.

2. Turn off your call recording.

Literally, switch off your call recorder. You will lose all the benefits associated with call recording such as training, customer service and compliance. This method cannot be used by businesses operating in some regulated financial sectors.

3. Transfer to an IVR.

Transfer calls to an automated payment card processing solutions such as an IVR. IVRs are not particular favourites with customers and they do require significant integration with back-end IT and telephony.

4. CallGuard.

CallGuard, by Veritape, automatically detects and blocks DTMF tones and therefore the payment card data from call recordings. Call recording continues as usual and no sensitive data is captured or stored in any format. It works with any call recording system.

5. Semafone.

Centrally masks the DTMF digits entered by a caller, so they are not recorded on the call recording system. Call recording continues as usual.

Visit www.callguard.co/compare to compare these methods in more detail.

And for completeness, these methods are non-PCI DSS compliant

1. Manual pause and resume. The PCI DSS guidelines state that card data should be removed from calls automatically, not manually.

2. Encryption only. The PCI DSS guidelines bar the storage of sensitive authentication data in any format, even if it has been encrypted.

3. Use speech recognition for removal after the recording has been made. It is tricky to detect and remove payment information (essentially numbers) without compromising other parts of the recording. If some payment information is missed, the recording is not PCI DSS compliant.

CallGuard, by Veritape, will make any call recording system PCI DSS compliant, meaning that you can retain your existing call recording infrastructure. Veritape is the only call recording company credited as a PCI DSS Participating Organisation and we give regular direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council. We understand how PCI DSS impacts on your business.

One of Veritape’s core values is to deliver straightforward technology which is easy to both understand and use. In our opinion, the confusion around PCI DSS is not necessary and we think that it diverts attention away from its primary objective of protecting customers and payment card data. In an effort to set the record straight, here are clarifications to five common urban legends about PCI DSS and call recording.

1. We can encrypt the call recordings

It is a fact that if the PAN (that’s the long number of the front of the card) is stored in call recordings, it must be encrypted. However, once a payment has been authorised, the three- or four-digit CV2 security number on the card must not be stored at all.

Encryption is not an adequate tool to prevent the CV2 from being stored because, by design, every call recording system which uses encryption also uses decryption to give supervisors, trainers and other staff members the ability to listen to calls. Yes, encryption is used in some of your other payment processes, like the secure payment connection used in web browsers.

But it’s the fact that both encryption and decryption abilities sit side by side in the same environment (i.e. your call centre) which makes encryption for sensitive authentication data inappropriate. Point 3.2 of the PCI DSS Requirements and Security Assessment Procedures make this very plain: “Do not store sensitive authentication data after authorization (even if encrypted)”.

2. I don’t have to comply yet; I’m a small business so I don’t have to comply

All deadlines for compliance have passed. All organisations, irrespective of their size, are now required to be PCI DSS compliant.

3. PCI DSS isn’t an issue for us as you can’t mine data from audio recordings

The reality is that card data is easily mined from audio recordings, using any number of free or paid-for tools. As technology becomes more sophisticated, it is becoming easier to do so - there are plenty of speech recognition software tools available which will index and locate card data from within audio recordings.

4. Using an IVR system will make me PCI DSS compliant

Not necessarily. While there are PCI DSS compliant IVR systems on the market, many of them do not comply. Using an external IVR to handle card payments may just move the problem around. Sometimes calls handled in this way are recorded too! Furthermore, sometimes the IVR does not prevent card data from being sent back to your site which means that your on-site recording systems still capture the card data.

You may still need to employ a method of making call recordings associated with payments PCI DSS compliant. (On a practical note, you also need to consider the impact on customer service satisfaction levels caused by IVRs – many customers do not like them.)

5. Audio data breaches in contact centres don’t happen so the risk of a fine is minimal

The simple fact is that if you were to suffer a data breach as a result of information stored in call recordings, you would leave your business open to fines from your card acquirer.

It’s true that contact centre data breaches involving audio are not in the public eye, but they certainly do happen. The UK’s largest two acquiring banks have separately reported to Veritape that their customers have suffered audio data breaches and been fined for doing so. In addition, in some US states, where data breach notification is being introduced, data breaches are becoming more widely reported – read about Netflix’s recent headache at www.callguard.co/blog. Strict confidentiality agreements between card issuers, acquirers and merchants, coupled with a lack of mandatory data breach requirements, largely account for why audio data breaches aren’t in the public eye – but they do occur.

So there you go: clarification on five urban legends about PCI DSS and call recording.  If you have found this information about PCI DSS and call recording useful, visit our website at www.callguard.co. CallGuard, by Veritape, will make your existing call recording system PCI DSS compliant, ensure that payment card data remains secure and minimise the risk of card data theft.

Veritape is the only call recording company accredited as a PCI DSS Participating Organisation, giving regular direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council. We understand how PCI DSS affects your business.

Veritape produces call recording technology that is both easy to understand and refreshingly simple to use. Our desire to produce digestible technology has been a key influence in the development of callguard.co.

CallGuard.co is a one-stop-shop for accurate key information essential for any business or organisation seeking to ensure that their call recordings are PCI DSS compliant. Delivering a clear and business focused overview of PCI DSS, callguard.co provides clarification on the impact of PCI DSS on organisations taking payments by phone and recording their calls. The website also provides invaluable product information which neutrally explains what mitigating options for PCI DSS are commercially available.

CallGuard, by Veritape delivers PCI DSS compliance to call recordings by eliminating sensitive card data from telephone conversations before they are recorded. It can also prevent agents from seeing any card data on screen, therefore reducing the risk of contact centre fraud.  See how CallGuard works and how it can be used through an array of simple overviews, informative guides, attractive videos and well-written case studies. With a clean design and straightforward navigation, callguard.co makes the chewy topic of PCI DSS and call recording easier to digest.  Visit callguard.co to find out more.

- ends -

Notes for Editors:

About Veritape

• Veritape specialises in developing innovative, powerful, PCI DSS compliant call recording software solutions.
• We deliver cost-effective, flexible alternatives to traditionally expensive fixed hardware call recording solutions.
• Veritape’s CallGuard technology makes recorded calls fully PCI compliant. Quick to implement, it works with any call recording system.
• We are the only call recording company accredited as a PCI DSS Participating Organisation. Well regarded within the call recording industry, we regularly give direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council.
• Our clients include Jaguar, CPM, Exodus Travel, Intasure, PhotoBox and Mobile Mini.
• For more information about CallGuard visit www.callguard.co. For more information about Veritape visit us at www.veritape.com. For interviews and case studies contact Cathy Gibbon, Marketing Manager on 0845 899 5500.

CallGuard, introduced to the market in 2010, has proven to be a significant development in the area of PCI DSS compliance for recorded telephone calls. It works with any call recording system and makes recorded calls fully PCI DSS compliant by removing sensitive cardholder data. Historically, contact centre operators have found this difficult to do.

Stephen Cavey, Director of Corporate Development at Ground Labs, says “When choosing to work closely with a partner we must ensure they are market leaders in their respective product category. Veritape’s CallGuard solution is a clear leader in contact centre solutions by providing the ability to eliminate cardholder data from contact centre agents’ screens and call recordings, eliminating the possibility of fraud. Working with Veritape to combine our respective capabilities offers call centres a rapid path to achieve ongoing PCI compliance.”

Ground Labs is renowned for Card Recon and Enterprise Recon, its cardholder data discovery software solutions for PCI DSS compliance. UK-based Veritape is a leader in the field of contact centre PCI DSS compliance for call recordings, through its CallGuard products. The partnership will ensure that customers of both organisations will be able to further descope their call centre operations from PCI compliance and remove card data from their environment.

Ground Labs’ Card Recon and Enterprise Recon solutions are powerful tools that will accurately detect cardholder data stored within contact centre environments. Contact centres typically accept payment via telephone, email and by fax. Ensuring that cardholder data is identified properly, and then stored securely, is a constant challenge in this environment.

Cameron Ross, Managing Director of Veritape, explains “We first met with Ground Labs at the PCI London conference in January this year and were immediately impressed. Since then, we have worked closely together, on a number of initiatives and opportunities, to introduce their technology to our customer base. Many of our customers have asked for a simple, effective method of finding all card data in their environment. Ground Labs are the market leaders in this area. The Card Recon and Enterprise Recon solutions help our customers make sure that they are correctly handling sensitive data under the PCI DSS requirements. “

The partnership between Ground Labs and Veritape includes the introduction of both companies’ technologies to each other’s customer base and also encompasses development work on additional products.

Stephen Cavey says “Veritape’s technical development on our shared product pipeline is impressive, and we are excited at the prospect of working together to deliver secure cardholder data solutions to the contact centre industry.”

- ends –

Notes for Editors:

About Veritape

• Veritape’s CallGuard technology makes recorded calls fully PCI compliant. Quick to implement, it works with any call recording system.

• Veritape specialises in developing innovative, powerful, PCI DSS compliant call recording software solutions; we deliver cost-effective, flexible alternatives to traditionally expensive fixed hardware call recording solutions.

• We are the only call recording company accredited as a PCI DSS Participating Organisation. Well regarded within the call recording industry, we regularly give direct feedback on our customers’ PCI compliance challenges and insights to the PCI Council.

• Our clients include Jaguar, CPM, Exodus Travel, Intasure, PhotoBox and Mobile Mini.

• For more information about CallGuard visit www.callguard.co. For more information about Veritape visit us at www.veritape.com. For interviews and case studies contact Cathy Gibbon, Marketing Manager on 0845 899 5500.

About Ground Labs

Ground Labs is a global leader in the development of security and auditing software solutions for the payment card industry. Its flagship products, Card Recon and Enterprise Recon, identify data storage risks on thousands of computer systems worldwide, helping companies prevent security breaches that result in the theft of customers’ credit and debit card numbers. For more information and product demos, visit www.groundlabs.com.

Nuclear power plant filter: stops jellyfish - www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-13971005

Chelsea filter: stops particular wavelengths of light, to assist the identification of coloured stones - http://en.wikipedia.org/wiki/Chelsea_filter

Wimbledon Net Mix: quietens the “grunt” - http://www.bbc.co.uk/5live/wimbledon/netmix

CallGuard Filter: stops your credit card data being stored in call recordings - http://www.callguard.co/callguard