Contact centers are dynamic environments. Staff are under pressure to maintain customer contact while navigating complex systems and complying with PCI DSS in card-not-present (CNP) payments only adds to the challenge.

Card data is generally provided into the voice-based payments in two forms – as spoken numbers or as voiced words generated by telephone keypad input, known as Dual-Tone Multi-Frequency or DTMF. This technology is also used in interactive customer experiences such as interactive voice response (IVR) as a way to navigate sites.

DTMF Masking Solution

DTMF based payments in the contact center

Every Sycurio payment transaction is fully PCI compliant. With your agents and systems completely shielded from payment card data, your PCI DSS compliance obligations become minimal.


What is in scope? PCI DSS guidance on DTMF and call recording in the contact center

According to the PCI Security Standards Council’s Protecting Telephone-Based Payments Special Interest Group information supplement, all elements of the phone infrastructure and cardholder data environment (CDE) that transmit, route, transfer, process, or store (even in a temporary cache) card holder data (CHD) and secure authentication data (SAD) are in scope for PCI DSS – unless appropriate DTMF masking or suppression solutions are in place.

Contact center phone payment components in-scope for PCI DSS

PCI DSS In Scope

Contact center phone payment components out-of-scope for PCI DSS using Sycurio's DTMF masking solution

PCI DSS Out of Scope

PCI DSS Version 4.0 (Requirement 12.5) doesn’t extend the scope but does reinforce the requirements to fully understand and document third-party system providers (TPSP) nested inside or connected to the client ‘cloud-based services’ and apply appropriate controls.

By way of an example, it includes Contact Center as a Service (CCaaS), Unified Communications as a Service (UCaaS), CRM, IVRs and call recording systems. You may have a wide range of components to identify and control, given that the payment data flow passes through the telephone infrastructure and the nested elements of other solutions.


Remote workers, their devices and networks, and home environments need special consideration.

If they are exposed to unmasked or unsuppressed DTMF that contains CHD and SAD, they are considered within the CDE and therefore in-scope.

The PCI SSC recommendation is to implement...


A properly designed and deployed DTMF-masking solution that can take not only the telephony environment, but also the agent environment and CRM system out of scope. Entities should avoid solutions that leave agent environments in scope unless there is an unavoidable business requirement to do so.

Sycurio DTMF masking for phone payments.

Sycurio’s DTMF masking technologies are proven to be a highly effective and PCI DSS compliant solution for securing phone payments, on a global scale. Our solutions are recognized by top PCI QSAs and independent security assessors as the best method of blocking payment card information and avoiding data leakage or ‘DTMF bleed’ in call recordings.

For more information about DTMF masking in your contact center read our factsheet.


Speak to an expert.