How DTMF Masking helps with PCI Compliance

Dual-tone Multi-Frequency (DTMF) masking is quickly becoming the call centre industry standard to securely capture and mask sensitive cardholder data during agent assisted payment transactions.

DTMF technology enables call centres to eliminate challenges associated with verbally collecting credit card data from a customer over the telephone.

Call Centre use of DTMF Masking

In the call centre, DTMF masking is a technology that allows customers to provide their credit card number during an agent assisted call using their telephone keypad. 

Personally Identifiable Information (PII) such as a credit card number, Social Insurance Number, date of birth, and PIN can all be entered securely through the phone system. With DTMF technology, customers enter information on their telephone keypad in lieu of verbalizing the information to the call centre agent.

In addition to providing customers a sense of security not having to verbalize their sensitive information, DTMF masking technology also allows the customer and agent to remain connected through the entire call process leading to increased customer satisfaction and lower call handling times.

Instead of providing credit card information verbally to a call centre agent, customers enter the digits of the credit cards during a call or via an automated IVR system and complete the transaction securely in real time. The Ivrnet Telepay software deciphers the tones and processes the payment information with the call centre agent removed from the process of capturing credit card information. All the call centre agent sees are masked digits on their desktop so that they can see the information is being entered but won’t see the actual credit card numbers being entered. This process is much more secure as agents no longer see, hear or process customer credit card information.

What is DTMF masking?

DTMF masking involves intercepting substituting (masking) the unique audible tones with flat tones so that people who hear the DTMF data cannot decipher the numbers.

The masking software usually sits between the caller and the call centre system and converts the DTMF tones to flat tones.

The key benefit of DTMF masking is that the audible tones are not identifiable either by the agent, or any malicious software or tools that may intercept or interpret the DTMF tones. They are converted to flat tones that have been ‘masked’ to appear the same, this removes the risk of that data being stolen and used for criminal purposes. Thereby reducing businesses fraud and financial exposure.

PCI DSS Compliance and DTMF masking

The Payment Card Industry Data Security Standard (PCI DSS) has been in existence for over 10 years and mandates 12 requirements for storing, processing and transmitting credit card and payment related data.

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes.
  • Requirement 12: Maintain a policy that addresses information security for all personnel.

As you can see, as many as four of those requirements have to do with the cardholder data with requirements to protect, encrypt and restrict access to cardholder data.

How can DTMF masking technology aid call centres with PCI DSS compliance and descoping efforts? 

DTMF masking applies specifically to PCI DSS standard three; Protecting Cardholder Data. In the call centre environment DTMF masking makes it possible to:

  • Reduce amount of systems sensitive data traverses in the network
  • Remove agent workstations from PCI scope as sensitive cardholder data is neither captured on nor recorded from an agent’s desktop
  • Minimize risk by eliminating the need for “pause and resume” and scrubbing recordings
  • Allow for complete call recording for quality control purposes as cardholder data is not verbally captured

The power of DTMF masking in agent assisted payment transactions is that the sensitive cardholder data is not seen, heard, nor recorded; effectively protecting cardholder data and assisting with PCI DSS compliance initiatives.

Ivrnet’s Telepay over-the-phone payment solution includes DTMF masking as just one of its many innovative features. All these features significantly reduce your PCI DSS scope, risk of breaches and fraud.

Ivrnet is in the business of helping businesses protect their data and achieve security compliance (PCI DSS) while improving the customer experience.  If you wish to speak to a member of our team about Telepay and our DTMF Masking technology, request a demo or email us at


PCI Compliance Requirements for Businesses of All Sizes

PCI Compliance applies to ANY organization, regardless or number of transactions, that that accepts, processes or stores any credit card data. Following PCI compliance standards is the best way to protect your customer data and avoid any fees associated with PCI compliance violations.
Read More »
We use cookies to ensure that we give you the best experience on our website. You can consent to the use of such technologies by closing this notice or by continuing to browse otherwise.