1. Field
The disclosure relates generally to a telephone call processing system and a method of processing telephone calls, and in particular to systems and methods that facilitate secure transmission of sensitive information during a call between a caller and an agent such that the agent cannot receive the sensitive information.
2. Background
Call centres are typically large facilities of telephone operators or ‘agents’. These centres are provided by organizations that want to interact with existing or prospective clients and customers. A call centre agent normally interacts with a client or customer by taking or making telephone calls. It is common practice for the call centres to record client conversations, and for information taken during the call to be entered into and stored in the agent's computer.
One use of call centres is to provide services to the public that allow payment for goods and services via telephone calls. Each year, millions of people make purchases through agents in telephone call centres, often including high value transactions. For example, family holidays and financial products are often purchased over the telephone. In these transactions, the caller is required by the agent to provide certain pieces of sensitive information in order to confirm his or her identity and/or to complete the purchase. In particular, the sensitive information can include one or more answers to security questions, a password, a date of birth, one or more bank account numbers, and debit or credit card details including the primary account number (PAN), start date, expiry date, and the card security code (e.g. CV2).
It is an unfortunate fact of life that wherever people have access to sensitive information, it will be misused. Data and card fraud perpetrated by call centre agents, as well as fraudulent financial transactions are well-documented problems that need to be addressed. By divulging identity and/or financial information to an agent for processing a transaction through a call centre, a caller puts themselves at risk of having that information stolen by the agent and used for nefarious purposes. Other threats exist from hackers gaining access to an agent's computer or a call centre network, or eavesdroppers intercepting a call to an agent. Thus, data stored in call recordings, or sent by a caller to an agent may also be at risk from theft by third parties. In order for the industry to flourish, it is essential that clients and customers calling a call centre are able to trust that their sensitive information is not at risk.
To address card fraud, the payment card industry established a number of data security standards. One example is the Payment Card Industry (PCI) Data Security Standard (DSS) which provides periodically updated guidelines for the processing and storage of credit card data. In particular, the PCI-DSS specifies the ways in which companies that handle credit card data (including telephone-based credit card transactions) are permitted to store information. All merchants, globally, are expected to comply with the PCI-DSS, and so these regulations have a direct impact on call centres that receive sensitive information during telephone calls.
Several known systems exist to allow call centre agents to take debit or credit card payments over the phone without the caller having to read out sensitive card details (e.g. primary account number (PAN), start date, expiry date, the card security code (e.g. CV2)) to the agent directly. These systems typically require the caller to enter the card details using a ‘touch-tone’ keypad, which encodes the details using dual-tone multi-frequency (DTMF) signalling. DTMF has been established for decades and, as would be familiar to a skilled person, can be used to communicate alphanumeric characters through a telephone audio channel during a phone call. The DTMF tones used to encode the caller's card details can then be decoded by a call processor and transmitted to a payment processing system.
DTMF offers a basic level of security that represents a significant improvement over a caller speaking his or her card details to the agent. However, it is a long way from assuring customers that their sensitive information is not at risk. DTMF is easily decoded by conventional and readily available systems. Accordingly, a determined agent or third party would even be able to steal card details transmitted by DTMF, simply by obtaining or copying the signal that is recorded and stored by the call centre and then by employing a DTMF decoder offline to reveal the digits. Thus, the use of DTMF alone was quickly found to be insufficient for establishing a robust data security system.
There is an exemplary DTMF system of the kind described above that is particularly convenient to implement, and also provides improved security for the user. It just so happens that the equipment used to process phone signals with DTMF tones is routinely required when converting a phone signal from Time Division Multiplex (TDM) to Voice over IP (VoIP). TDM signals are conventional for telephony, but VoIP systems are often preferred because of their ability to implement high compression codecs to reduce the bandwidth requirement (and thereby to reduce network costs). However, because the VoIP codecs are designed to optimise voice compression, they do not satisfactorily encode DTMF tones. This leads to erroneous decoding of the DTMF tones from VoIP signals.
The Internet Engineering Task Force (IETF) document RFC-2833 describes a solution to the above-mentioned problem. This solution is known as ‘DTMF clamping’, and works by removing the in-band DTMF tones from the original signal and replacing them with an out-of-band data signal. By the early 2000s many manufacturers of VoIP gateways had commercialised a DTMF clamping function as a standard feature.
In recent years, owing to the prevalence of VoIP gateways with DTMF clamping, a technician devising a PCI-DSS compliant system for a call centre is provided with a straightforward solution: all that is required to prevent card details entered by a caller using a touch-tone keypad from reaching the agent is to situate a VoIP gateway with DTMF clamping upstream of the agent. The card details would be provided by the VoIP gateway as an out-of-band data signal, which could be transmitted to a payment processing system. FIG. 1 shows a representation of such a system, in which a call from a caller 100 is processed in a call processor 102 having a VoIP gateway capable of DTMF clamping. The in-band DTMF tones representing the card details are replaced with an out-of-band data signal which is sent to a third party 104 (e.g., a bank). The voice signals are converted to VoIP and sent to the agent 106.
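The out-of-band data signal produced by a clamping gateway can be illustrated with the RFC 2833 telephone-event payload. The following Python sketch is an added example, not part of the original disclosure: the 4-byte payload layout comes from RFC 2833 itself, while the function names and the sample packets are constructed for illustration.

```python
import struct

EVENT_CHARS = "0123456789*#ABCD"   # RFC 2833 DTMF event codes 0-15

def parse_event(payload):
    """Decode one 4-byte telephone-event payload:
    event (8 bits) | E (1) R (1) volume (6) | duration (16, big-endian)."""
    if len(payload) != 4:
        raise ValueError("telephone-event payload must be 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload)
    digit = EVENT_CHARS[event] if event < len(EVENT_CHARS) else None
    return {"digit": digit,              # None for non-DTMF events
            "end": bool(flags & 0x80),   # E bit: key has been released
            "volume": flags & 0x3F,      # tone level in -dBm0
            "duration": duration}        # in RTP timestamp units

def collect_digits(packets):
    """Digit string carried by (rtp_timestamp, payload) pairs.
    All packets of one key press share an RTP timestamp and the end packet
    is normally sent more than once, so each timestamp is counted once."""
    seen, digits = set(), []
    for ts, payload in packets:
        ev = parse_event(payload)
        if ev["digit"] is not None and ev["end"] and ts not in seen:
            seen.add(ts)
            digits.append(ev["digit"])
    return "".join(digits)

def _press(ts, event):
    """Constructed packets for one key press: two updates, three end packets."""
    updates = [(ts, struct.pack("!BBH", event, 0x0A, d)) for d in (160, 320)]
    ends = [(ts, struct.pack("!BBH", event, 0x8A, 480))] * 3
    return updates + ends

# Constructed sample: the caller presses '4' and then '2'.
SAMPLE = _press(1000, 4) + _press(5000, 2)

if __name__ == "__main__":
    # The digits exist only in these event packets, which the gateway can
    # send to the payment path while the agent's audio carries no tones.
    print("digits for payment path:", collect_digits(SAMPLE))
```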
However, there is a significant problem with DTMF clamping. While clamping may mitigate theft of sensitive information transmitted using the tones, it also prevents them from being used for any other purpose. In particular, it is commonplace for call centres to use interactive voice response (IVR) systems, for example to enable a user to navigate through one or more menus using a ‘touch-tone’ keypad. DTMF clamping can prevent this functionality because the IVR system would be prevented from receiving the DTMF tones.
WO 2011/117573 discloses a solution that prevents theft of DTMF from recorded and stored signals while enabling use of an IVR system. A simplified representation of the solution is shown in FIG. 2. The illustrated call processor 202 operates by splitting the incoming signal from the caller 200 into first and second versions 204a, 204b. One of the versions 204a of the incoming signal is directed to a call recorder 206 and is to be recorded and stored by the call centre. All DTMF tones are removed from this version 204a of the signal using conventional sensing and filtering techniques. Thus, the recorded and stored signal in the call recorder 206 lacks any tones representing sensitive information, which cannot thus be stolen. The other version 204b of the signal is sent to the agent 212 for processing as usual, and may be routed through an IVR 210.
Although mitigating the risk of theft of sensitive information from recorded and stored signals, the solution disclosed in WO 2011/117573 still permits the agent to hear the DTMF tones. Thus, a particularly determined agent or third party may make his or her own recording of the DTMF tones for decoding offline. This has become more prevalent with the near ubiquity of digital recording devices such as smart phones, which would facilitate such a crime.
WO 2009/136163 proposes a refinement to the DTMF clamping technique. Faced with a situation in which DTMF tones must be transmitted some of the time (e.g. for IVR) but must not at others (i.e. to prevent theft by an agent), the refinement proposed by WO 2009/136163 is effectively to turn the DTMF clamping functionality on and off as necessary. Specifically, this document describes a telephone call processor with the capability to be switched between two modes: “normal” and “safe”. In ‘safe mode’ any DTMF tones are removed from the original signal while the voice component is allowed to pass to the agent (to allow conversation between the caller and agent to be maintained at all times). ‘Safe mode’ is used when the caller is transmitting sensitive information. In ‘normal mode’ both the voice component and the DTMF tones are allowed to pass to the agent/IVR system.
However, all of the solutions devised thus far remain flawed and exhibit a latent security risk which appears not to have been appreciated. The present inventors have observed that when some callers (particularly the elderly) are entering sensitive information using a touch-tone keypad, they have a tendency to vocalise the digits as they press the associated key. Because voice signals are allowed to pass through a DTMF clamping system as well as the systems described in WO 2009/136163 and WO 2011/117573, there remains a risk that the agent or third party will hear the sensitive information and it will be recorded by a call recorder.
A second security risk remains in state of the art systems owing to a deficiency in DTMF clamping and other DTMF blocking or masking systems. Such systems must first detect that a DTMF tone is present before they can remove it from the signal. Inevitably there is a delay between the beginning of the tone and the point at which it is removed due to the complexity of the recognition routines. Accordingly, even where systems are provided for removing DTMF from a signal, a detectable amount is likely to pass through.
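The detection delay described above can be measured on a constructed signal. The following Python sketch is an added example, not part of the original disclosure; the frame size, threshold, and the `confirm_frames` and `lookahead_frames` parameters are assumptions chosen for illustration, and the lookahead variant goes beyond the text to show that closing the leak costs added audio latency.

```python
import math

RATE, FRAME = 8000, 160                    # 8 kHz telephony audio, 20 ms frames
ROWS, COLS = (697, 770, 852, 941), (1209, 1336, 1477, 1633)

def dtmf_burst(row_hz, col_hz, ms):
    """Constructed DTMF tone: one row plus one column sinusoid."""
    w_r, w_c = 2 * math.pi * row_hz / RATE, 2 * math.pi * col_hz / RATE
    return [0.5 * math.sin(w_r * i) + 0.5 * math.sin(w_c * i)
            for i in range(RATE * ms // 1000)]

def goertzel_power(frame, freq):
    """Energy of `frame` at `freq`, via the Goertzel recurrence."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def has_dtmf(frame, threshold=100.0):
    """True when a row and a column frequency are both strongly present."""
    return (max(goertzel_power(frame, f) for f in ROWS) > threshold and
            max(goertzel_power(frame, f) for f in COLS) > threshold)

def clamp(samples, confirm_frames=2, lookahead_frames=0):
    """Mute tone frames. Each frame is analysed before it is forwarded; a
    tone counts as detected only after `confirm_frames` consecutive hits.
    `lookahead_frames` frames are held back so the mute can reach them."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    muted, run = [False] * len(frames), 0
    for k, frame in enumerate(frames):
        run = run + 1 if has_dtmf(frame) else 0
        if run >= confirm_frames:
            for j in range(max(0, k - lookahead_frames), k + 1):
                muted[j] = True
    return [[0.0] * len(f) if m else f for f, m in zip(frames, muted)]

def leaked_ms(output_frames):
    """Milliseconds of forwarded audio that still decode as DTMF."""
    return sum(has_dtmf(f) for f in output_frames) * 1000 * FRAME // RATE

# Constructed call audio: 200 ms silence, 100 ms of digit '5', 200 ms silence.
CALL = [0.0] * 1600 + dtmf_burst(770, 1336, 100) + [0.0] * 1600

if __name__ == "__main__":
    print("no lookahead:", leaked_ms(clamp(CALL)), "ms of tone forwarded")
    print("1-frame lookahead:", leaked_ms(clamp(CALL, lookahead_frames=1)), "ms")
```

Without lookahead, the first 20 ms frame of the tone is forwarded before the detector has confirmed it; holding back one frame removes the leak but delays the forwarded audio by the same amount.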
In view of the above there remains a need to provide an improved system and method for secure transmission of data signals.