November 20, 2023
It seems simple enough. A patient makes a payment to your organization over the phone. Using the phone keypad, they provide their credit, debit, or ACH details. Your system captures the data, and the payment is processed. But without precautions, this simple act can leave your organization and your patients’ sensitive payment information vulnerable to criminals.
PCI Compliance and Touchtone Payments
Payments made by phone are integral to most healthcare organizations. Considered card-not-present (CNP) transactions, they also present challenges. Unlike eCommerce or in-person transactions, which are immediately encrypted and sent through a secure payment gateway, touchtone phone payments carry an extra vulnerability.
Touchtone technology converts each phone key into a pair of tones at specific frequencies; these tones are collectively referred to as Dual-Tone Multi-Frequency (DTMF). Although they represent less risk than payment information read aloud, DTMF tones can still be easily decoded. Recording or storing this data within your infrastructure also puts you within scope of the Payment Card Industry Data Security Standard (PCI DSS). These rigorous security standards were put in place specifically to protect payment account data, and they apply to any organization that stores, processes, and/or transmits cardholder data.
Remain Out of PCI Scope
Whether you accept touchtone payments during a call with a live agent or through an IVR system, DTMF masking can minimize risk. This solution intercepts the data as it is entered and strips out the identifiable tones: live agents can no longer hear them, and the associated data cannot be recorded or stored.
DTMF masking works by intercepting sensitive payment information before your agents or your systems are exposed to it. Instead, the information is routed to a PCI DSS-compliant third party. While the tones are flattened or replaced on the call audio, the payment information is tokenized and sent through the payment gateway. The payment is processed, and transaction responses are updated in the billing or customer relationship management (CRM) system in real time. Payment account data bypasses your network completely, helping your organization remain out of PCI scope.
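As an added illustration, not code from the original post or from any masking vendor, the Python below shows why DTMF is easy to decode and what masking does to the audio: it synthesises constructed keypad audio, recovers the digits with the Goertzel algorithm, and then overwrites every tone-bearing frame (plus a guard frame each side) with one flat placeholder tone so the same decoder recovers nothing. The 8 kHz sample rate, 205-sample frame, power threshold and 440 Hz placeholder are assumptions chosen for the example.

```python
import math

SAMPLE_RATE, FRAME = 8000, 205  # narrowband telephony rate; ~25 ms analysis frame (assumed)
LOW, HIGH = [697, 770, 852, 941], [1209, 1336, 1477, 1633]  # DTMF row / column tones
KEYS = ["123A", "456B", "789C", "*0#D"]  # keypad layout: KEYS[row][column]
THRESHOLD = 500.0  # Goertzel power to accept a tone (assumed; a full clean frame gives ~2600)

def dtmf_tone(key, seconds=0.08, gap=0.08):
    """Constructed audio: the two sinusoids for one key, followed by silence."""
    row = next(r for r, line in enumerate(KEYS) if key in line)
    col = KEYS[row].index(key)
    tone = [0.5 * math.sin(2 * math.pi * LOW[row] * t / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * HIGH[col] * t / SAMPLE_RATE)
            for t in range(int(SAMPLE_RATE * seconds))]
    return tone + [0.0] * int(SAMPLE_RATE * gap)

def goertzel_power(frame, freq):
    """Signal power at one frequency (Goertzel algorithm, pure Python)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(frame):
    """Key pressed during this frame, or None when no row/column pair is loud enough."""
    p = {f: goertzel_power(frame, f) for f in LOW + HIGH}
    lo, hi = max(LOW, key=p.get), max(HIGH, key=p.get)
    return KEYS[LOW.index(lo)][HIGH.index(hi)] if min(p[lo], p[hi]) >= THRESHOLD else None

def decode(samples):
    """Recover the key sequence from a recording: what an unmasked call leaks."""
    keys, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_key(samples[start:start + FRAME])
        if key and key != last:  # a new press; silence between presses separates repeats
            keys.append(key)
        last = key
    return "".join(keys)

def mask(samples, placeholder_hz=440.0):
    """Overwrite every frame carrying a DTMF pair (plus one guard frame on either side)
    with a single flat placeholder tone, so agents and recorders get nothing decodable."""
    starts = range(0, len(samples) - FRAME + 1, FRAME)
    hits = {i for i, s in enumerate(starts) if detect_key(samples[s:s + FRAME])}
    out = list(samples)
    for i, s in enumerate(starts):
        if hits & {i - 1, i, i + 1}:
            for t in range(s, s + FRAME):
                out[t] = 0.3 * math.sin(2 * math.pi * placeholder_hz * t / SAMPLE_RATE)
    return out
```

Running `decode` on `[x for d in "4111" for x in dtmf_tone(d)]` returns the keyed digits, while `decode(mask(...))` on the same audio returns an empty string; a real masking service does this in-line on the call leg before the audio reaches agents or recorders.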
A Seamless Payment Experience
There is no disruption to the payment experience for patients. They enter information just as they have in the past. DTMF masking occurs in the background. Live agents can monitor the progression of the transaction and assist as needed, without exposure to payment specifics. IVR systems continue to operate efficiently to provide patients with the self-service they desire and the security they expect.
Minimize the Risk
Card-not-present (CNP) transactions are currently the most common type of credit card fraud worldwide, costing billions in losses annually. Hackers and other bad actors are becoming increasingly sophisticated in their efforts to exploit CNP vulnerabilities. Protecting phone payments with DTMF masking safeguards necessary business transactions without sacrificing time or convenience for callers. It also reassures your providers, and their patients, that payment processes are PCI compliant.