PCI-DSS compliance

TIM Plus/Enterprise offers the ability to obfuscate (mask out) one or more sections of the audio of a telephone call with an audible tone, preventing the listener from hearing the original speech, on playback

This is normally required for compliance in certain industries where regulations dictate that certain spoken information be masked out, e.g. the Payment Card Industry - Data Security Standard (PCI-DSS).

In this example, we will adopt the PCI-DSS example where telephone calls that contain spoken credit card information needs to be masked out by an audible tone, but only during those parts of the call when the card details are being spoken, leaving intact the rest of the call audio.

In this scenario, we'll assume that agents (employees that make or receive telephone calls) utilise an in-house or third-party data entry system into which credit card detailed are entered using a computer.


How it works

Considering Echo records the call audio at strategic boundaries in your telecom infrastructure - either your organisation's telephone lines, or each user's telephone handset - some reconciliation is normally required between those boundaries and the actual agent that handled the call.

By default, this reconciliation occurs automatically in either TIM Plus or TIM Enterprise, which is how the agent-centric calls that you see in call reports are able to be associated (matched) with each call, as seen from the point of view of a telephone line which delivers calls to many agents.

During obfuscation, it is necessary that a user or device sends at least two signals to either TIM Plus or TIM Enterprise. Together, these two signals allow either TIM Plus or TIM Enterprise to mask out the audio between the two points in time that each signal was received.

obfuscation

At the point in time during an agent's call when obfuscation is necessary - e.g. "Can I have your CVV number please?" is spoken by the agent - a signal is sent by the agents screen to either TIM Plus or TIM Enterprise, which records the event along with the exact time it was sent. Similarly, when the sensitive part of the call has completed, a further signal is sent by the agent to either TIM Plus or TIM Enterprise, which is also being recorded.

A single telephone call can contain more than one obfuscation and the number of signals required is always twice the amount of obfuscations in a call.


Assumptions

The example above assumes the following:

  • You have a licensed copy of TIM Plus or Enterprise
  • You have an Echo license for PRI/BRI/Analogue or SIP with Magic boxes installed where required


Common Solutions

Taking the example of masking out some digits of a phone call when a credit card number is being quoted, most solution providers modify the data entry system that an agent uses.