Many customers prefer talking to real agents rather than navigating through websites to get what they want. However, when it comes to taking payments, secure processes are needed to protect sensitive credit card data. That is why DTMF signals, or dual-tone multi-frequency signals, play a distinct sound from your phone which telephone equipments can pick up and translate into useful information. This is how phone companies know what number is pressed when a customer uses their keypad.
If you are giving sensitive information to make a payment – for example, your PIN, National ID, or your CVV – DTMF signals risk your customer’s privacy. In this guide, we cover precisely what DTMF signals are and why DTMF masking is an integral part of PCI DSS compliance.
What are DTMF Signals?
DTMF (dual-tone multi-frequency) signals are telecommunications signals sent over the same frequencies as the human voice. They are sometimes called ‘touch tones’.
DTMF signals were first created in 1963 by the Bell System. Designed to be more user-friendly and quicker than the rotary dial system, DTMF-producing telephones were immediately popular among users. DTMF signalling phones quickly replaced their competing telephony solutions, and nowadays almost every phone can produce multifrequency signals if needed.
DTMFs have a lot of benefits. For example, one can use DTMF signals to help redirect callers to the right department. If you call a company and you are first given a series of numerical options that each are linked with different departments, chances are that each button is connected to a different tone. When that tone is broadcasted, the telephone equipment knows where to direct your call.
How Secure are DTMF Signals?
DTMF signals use in-band signalling protocols. This means that the signals are sent over the same communications channel as the primary data on that channel. In layman’s terms, DTMF signals are the same frequency as the human voice. In-band signalling protocols are more open to abuse, and a ‘phreaking’ culture grew up almost immediately after DTMF development built around manipulating telephones including DTMF. An example of this was trying to create DTMF signals through the phone to confuse the system and gain access to toll-free calls. Nowadays, phone companies often use out-of-band signalling protocols such as Signalling System 7 (SS7, sometimes referred to as C7) to minimise risk of ‘phreaking’.
Audible feedback is extremely useful to give users direction when they enter a command. However, if private information is transferred via DTMF signals, malicious hackers can intercept the DTMF tones and decipher the numbers, or record the information to analyse later and steal sensitive information. In-band signals should not be used to control critical infrastructure or supply sensitive information.
PCI DSS compliance rules are strict surrounding DTMF signals to prevent private information from being stolen. This includes requiring strong cryptography and security protocols for any over-the-phone payment system to protect consumer information. Typically, this is done by DTMF Masking.
What is DTMF Masking?
DTMF masking substitutes (or masks) unique audible signals or tones with flat ones, which people who hear the DTMF cannot decipher. This masking typically takes place between the caller and contact centre.
The central benefit of DTMF masking is that audible tones cannot be identified by an agent nor by any malicious tools that are seeking to steal the masked information. This reduces the risk to the client and your business.
Implementing DTMF masking also helps you maintain PCI DSS standards. When the major card brands in 2004 created in PCI payment standards, they developed a number of security requirements for over-the-phone card payments to reduce consumer risk. For more information on PCI DSS compliance, read our introductory guide to PCI DSS or our PCI DSS compliance solutions page. In short, though, DTMF masking means your business can take card payments securely by phone, using the same DTMF touch tone technology as was invented decades before. You can do this for as long as your firm remains PCI DSS compliant.
As mentioned above, PCI DSS compliance is essential for your business to have if it wants to take online over-the-phone payments. If you want more information about PCI DSS compliance, get in touch with us about your needs and we will be happy to help.