Payment Security · 1 April 2026 · 14 min read

Payment Security: Everything You Need to Know About CVV, Tokenisation, 3D Secure and More

A comprehensive guide to the technologies that protect card payments, from CVV codes and tokenisation to 3D Secure, DTMF masking and channel separation. Learn how they work together to keep cardholder data safe.

Every time a customer hands over their card details, whether online, over the phone or in person, a chain of security technologies springs into action. These systems work quietly in the background to stop fraud, protect sensitive data and keep businesses on the right side of the law.

But for many business owners, payment security feels like an alphabet soup of acronyms: CVV, PAN, tokenisation, 3D Secure, PCI DSS. It is hard to know what matters, what applies to your situation or where the real risks lie.

This guide cuts through the jargon. We will walk through each major payment security technology, explain what it does and why it exists, and show how they all fit together to protect both your customers and your business.

Why Payment Security Matters

Payment fraud is not a niche problem. According to UK Finance, card fraud losses in the United Kingdom totalled over 500 million pounds in 2023 alone. And the cost of a data breach goes far beyond the stolen funds themselves.

When card data is compromised, businesses face:

  • Direct financial losses from fraudulent transactions and chargebacks
  • Fines and penalties passed down by the card schemes and your acquiring bank for failing to meet PCI DSS requirements, which can reach hundreds of thousands of pounds and, in the worst case, the loss of the ability to accept cards at all
  • Reputational damage that drives customers to competitors, often permanently
  • Operational disruption from forensic investigations, system rebuilds and legal proceedings

The businesses most at risk are often the ones that assume they are too small to be a target. In reality, attackers frequently go after smaller organisations precisely because their defences tend to be weaker.

Understanding the tools available to protect card data is the first step towards reducing that risk. Let us start with the most familiar one.

CVV, CVC and CV2: The Three-Digit Safety Net

The CVV (Card Verification Value) is the short numeric code printed on a payment card, typically on the back. Different card networks use different names for essentially the same thing: Visa calls it CVV2, Mastercard uses CVC2, and American Express prints a four-digit code on the front called CID. In everyday conversation, people tend to use CVV, CVC or card security code interchangeably.

What the CVV Actually Does

The CVV exists as evidence that the person making a payment has the physical card in front of them. It is printed on the card but deliberately not encoded on the magnetic stripe or chip, so a copy of the card's track data does not reveal it. When you buy something online or give your card details over the phone, the merchant asks for the CVV to confirm it is not just someone who has obtained or guessed your card number.

This is particularly important for what the industry calls card-not-present (CNP) transactions, where the merchant cannot physically inspect the card. Online shopping, telephone orders and mail orders all fall into this category, and they account for the majority of card fraud losses.

Limitations of the CVV

The CVV is a useful first line of defence, but it has clear limitations. If a fraudster obtains both the card number and the CVV, perhaps through a phishing attack, a skimming script injected into a checkout page or simply a photograph of the card, the protection falls away. That is why the CVV is always used alongside other security measures, never on its own.

Critically, PCI DSS classes the CVV as sensitive authentication data and forbids storing it after a transaction is authorised, even in encrypted form. If you find that your business is holding onto CVV numbers, whether in a database, a call recording or a notebook, you have a compliance problem that needs addressing immediately.

PAN and Cardholder Data: What Needs Protecting

The PAN (Primary Account Number) is the long number on the front of a payment card, usually 16 digits for Visa and Mastercard (15 for American Express). Together with the cardholder name, expiry date and service code, it forms what PCI DSS defines as cardholder data. The CVV, the full magnetic stripe or chip data and the PIN are a separate category, sensitive authentication data, which must never be stored after authorisation at all.

Any system that stores, processes or transmits cardholder data falls within the scope of PCI DSS, as does any system connected to one that does or able to affect its security. The more systems that touch this data, the larger your compliance burden becomes, and the more places an attacker could potentially exploit.

The Principle of Least Exposure

The smartest approach to protecting card data is straightforward: keep it out of your environment altogether. If the PAN never enters your network, your servers never store it, and your staff never see it, then those systems are out of scope for PCI DSS. Outsourcing does not remove the obligation entirely: a merchant that relies on a hosted page or a descoping provider still completes a reduced self-assessment (typically SAQ A) and remains responsible for the parts it controls, such as the redirect to the hosted page. This principle is the driving force behind several of the technologies covered in this guide, including tokenisation, DTMF masking and channel separation.

Tokenisation: Replacing Card Data With Tokens

Tokenisation is the process of swapping sensitive card data for a unique, randomly generated reference called a token. The token has no relationship to the original card number (some schemes keep the same length and last four digits so receipts and existing systems still work, but the rest is random) and is useless to anyone who intercepts it outside the systems that issued it. One caveat: a token is normally scoped to the merchant and processor that created it, so within that account it can still be used to take a payment. Access to tokens still needs controlling; they are just no longer cardholder data.

How Tokenisation Works

When a customer makes a payment, their card details are captured and sent to a secure token vault, usually operated by the payment processor. The vault stores the real card data and returns a token to the merchant. From that point on, the merchant uses the token for any future transactions, refunds or lookups.

The token can only be converted back to the original card number inside the secure vault, and even there only by the processor's own services that need the PAN, such as authorisation and refunds. Even if a hacker breaches the merchant's database, all they find is a collection of meaningless tokens.

Why Tokenisation Matters for Recurring Payments

Tokenisation is especially valuable for businesses that process recurring payments. Instead of storing real card details to charge customers each month, the business stores tokens. This dramatically reduces both the risk and the PCI DSS compliance scope.

Tokenisation vs Encryption

People sometimes confuse tokenisation with encryption, but they are fundamentally different. Encryption transforms data using a mathematical algorithm and a key. If someone obtains the key, they can reverse the process and access the original data. Tokenisation has no mathematical relationship between the token and the original data, so there is no key in the merchant's environment to steal. The real card data still exists, encrypted, inside the vault, which is why the risk is concentrated there and the vault provider's own controls and PCI DSS attestation matter so much.
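To make the vault-side mechanics concrete, here is an added Python example (not code from the original article or from any real processor) of a minimal token vault. The vault object, the `tok_` token format, the per-merchant scoping and the list of services allowed to detokenise are all assumptions made for the example; the card numbers used are standard test numbers, not real cards.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MerchantRecord:
    """Everything the merchant is allowed to keep: a token, the masked PAN
    for receipts and the expiry date. Deliberately no PAN and no CVV field."""
    token: str
    masked_pan: str   # e.g. "************1111"
    expiry: str       # "MM/YY"
    brand: str


def card_brand(pan: str) -> str:
    """Rough brand lookup from the leading digits (Visa, Mastercard, Amex)."""
    if pan[0] == "4":
        return "visa"
    if pan[:2] in ("34", "37"):
        return "amex"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "unknown"


class TokenVault:
    """Hypothetical vault of the kind a processor operates (an assumption of
    this example). It is the only place a PAN is held; merchants and their
    databases see tokens only."""

    # Only back-office services inside the processor may ask for the PAN.
    DETOKENISE_ALLOWED = {"authorisation-service", "refund-service"}

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_card: Dict[Tuple[str, str], str] = {}

    def tokenise(self, merchant_id: str, pan: str, expiry: str,
                 cvv: Optional[str] = None) -> MerchantRecord:
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        # The CVV is sensitive authentication data: it may be forwarded for
        # the live authorisation but must never be written down, so this
        # vault drops it here and the returned record has no field for it.
        del cvv
        card = (merchant_id, pan)
        if card not in self._token_by_card:
            # Random token: no key involved, no relationship to the PAN.
            # Scoped per merchant, so the same card gets a different token
            # at every merchant.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_card[card] = token
            self._pan_by_token[token] = pan
        token = self._token_by_card[card]
        return MerchantRecord(token=token,
                              masked_pan="*" * (len(pan) - 4) + pan[-4:],
                              expiry=expiry, brand=card_brand(pan))

    def detokenise(self, token: str, caller: str) -> str:
        """Reverse lookup, only ever callable from inside the processor."""
        if caller not in self.DETOKENISE_ALLOWED:
            raise PermissionError(f"{caller!r} may not detokenise")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    rec = vault.tokenise("merchant-a", "4111 1111 1111 1111", "12/29", cvv="123")
    print(rec)   # the merchant stores this and nothing else
```

Two design choices are worth noting. Tokens are scoped per merchant, so the same card at two merchants yields two unrelated tokens and a token lifted from one merchant's database is worthless at another. And the CVV is accepted as a parameter only so the call can mirror a real authorisation request; the vault discards it and the returned record has no field for it, which enforces the "never store CVV" rule by construction rather than by policy.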

3D Secure and Strong Customer Authentication

3D Secure is an authentication protocol designed to add an extra verification step during online card payments. The original version (3D Secure 1.0) was widely disliked for its clunky pop-up windows and high rates of cart abandonment, and the major card schemes retired it in 2022. The current version, 3D Secure 2, is a significant improvement.

How 3D Secure 2 Works

When a customer makes an online payment, the merchant's payment system passes a range of data points, including the device being used, the customer's location, the transaction amount and purchase history, through the card scheme's directory server to the issuer's access control server. The issuer's system analyses this data in real time to assess the risk of the transaction.

If the risk is judged to be low, the transaction is approved silently in the background (the frictionless flow). The customer may not even realise authentication has taken place. If the risk is higher, the customer is asked to verify their identity (the challenge flow), typically through a one-time passcode sent to their phone, biometric authentication in their banking app, or a similar method.

Strong Customer Authentication (SCA)

In the UK and Europe, 3D Secure is closely tied to Strong Customer Authentication requirements under the Payment Services Regulations 2017 (the UK's version of PSD2). SCA requires that electronic payments are authenticated using at least two of three factors:

  • Something the customer knows (a password or PIN)
  • Something the customer has (a phone or card)
  • Something the customer is (a fingerprint or face)

3D Secure 2 is the main mechanism through which online card payments meet SCA requirements. Businesses that do not support it risk having transactions declined by the card issuer. Two points are worth knowing: recurring payments set up with an initial authenticated transaction are treated as merchant-initiated and do not require SCA on each subsequent charge (which is where tokenisation comes in), and low-value or low-risk transactions can use exemptions that skip the challenge, though the issuer can refuse an exemption and the merchant carries the fraud liability when one is used.

DTMF Masking: Securing Telephone Payments

The technologies discussed so far are most often thought of in terms of online payments. But what about payments taken over the phone? This is where DTMF masking comes in.

When a customer keys their card number into a telephone keypad during a call, each key press generates a distinct tone known as a DTMF (Dual-Tone Multi-Frequency) signal. These tones can be recorded in call recordings, intercepted in transit or overheard by the agent on the line. DTMF is an openly published standard, so anyone who obtains the recording can recover the digits with freely available decoding tools. Any of these scenarios represents a data breach waiting to happen.

How DTMF Masking Works

A DTMF suppression system sits between the caller and the contact centre. When the customer enters their card details via the keypad, the system intercepts the tones and replaces them with flat, uniform sounds before they reach the agent or any call recording system.

The real card data is routed directly to the payment processor through a secure, separate channel. The agent stays on the line throughout, able to guide the customer through the process, but never hears or sees the actual card numbers.
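The following added example (not code from the original article or from any vendor's product) shows the two halves of the problem in plain Python with no external libraries: a Goertzel-based decoder that recovers keyed digits from telephony audio, which is exactly what an attacker with a call recording would run, and a masking step that replaces every frame carrying keypad energy with a flat 400 Hz tone. The keypad audio is synthesised in the block; the frame size, power thresholds and the masking tone are choices made for the example.

```python
import math

RATE = 8000                     # telephony sample rate (Hz)
FRAME = 205                     # common Goertzel frame length for DTMF at 8 kHz
ROWS = (697, 770, 852, 941)     # DTMF low-group frequencies
COLS = (1209, 1336, 1477, 1633) # DTMF high-group frequencies
KEYS = ("123A", "456B", "789C", "*0#D")
DETECT_POWER = 500.0            # a clean tone filling a frame scores ~2000+
LEAK_POWER = 50.0               # anything above this is masked, even fragments
MASK_HZ, MASK_AMP = 400, 0.3    # the flat tone the agent hears instead


def dtmf_tone(digit, ms=100, amp=0.5):
    """Synthesise one key press: the sum of its row and column sinusoids."""
    for r, row in enumerate(KEYS):
        if digit in row:
            c = row.index(digit)
            break
    else:
        raise ValueError(f"not a keypad symbol: {digit!r}")
    n = RATE * ms // 1000
    return [amp * math.sin(2 * math.pi * ROWS[r] * t / RATE)
            + amp * math.sin(2 * math.pi * COLS[c] * t / RATE) for t in range(n)]


def keypad_audio(digits, gap_ms=100):
    """Constructed input: digits keyed in with a silent gap after each press."""
    out = []
    for d in digits:
        out += dtmf_tone(d) + [0.0] * (RATE * gap_ms // 1000)
    return out


def goertzel(frame, freq):
    """Signal power at one frequency in one frame (the core of a DTMF decoder)."""
    n = len(frame)
    k = round(n * freq / RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frames(audio):
    """Fixed-size frames, zero-padding the tail so no samples are dropped."""
    audio = list(audio) + [0.0] * (-len(audio) % FRAME)
    for i in range(0, len(audio), FRAME):
        yield audio[i:i + FRAME]


def frame_powers(frame):
    return ([goertzel(frame, f) for f in ROWS], [goertzel(frame, f) for f in COLS])


def decode(audio):
    """What an attacker with the call recording would do: recover the digits."""
    digits, last = [], None
    for frame in frames(audio):
        rp, cp = frame_powers(frame)
        r = max(range(4), key=rp.__getitem__)
        c = max(range(4), key=cp.__getitem__)
        digit = KEYS[r][c] if rp[r] > DETECT_POWER and cp[c] > DETECT_POWER else None
        if digit and digit != last:      # one key press spans several frames
            digits.append(digit)
        last = digit
    return "".join(digits)


def mask(audio):
    """DTMF masking: every frame carrying keypad energy is replaced with a
    flat tone before it reaches the agent or the recorder."""
    out = []
    for frame in frames(audio):
        rp, cp = frame_powers(frame)
        if max(rp + cp) > LEAK_POWER:
            frame = [MASK_AMP * math.sin(2 * math.pi * MASK_HZ * t / RATE)
                     for t in range(len(frame))]
        out += frame
    return out


if __name__ == "__main__":
    recording = keypad_audio("4111")
    print("unmasked recording decodes to:", decode(recording))   # 4111
    print("masked recording decodes to:", repr(decode(mask(recording))))
```

A real suppression system does not wait to detect tones: it masks the whole capture window from the moment the agent switches to payment mode, because a fragment of a tone shorter than a frame could slip past the per-frame test used here. The decoder is the more instructive half: it is a few dozen lines, which is why an unmasked recording should be treated as if it contained the card number in plain text.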

Why This Approach Works

DTMF masking solves a problem that has plagued telephone payment operations for years: the conflict between providing a good customer experience and keeping card data secure. The customer does not need to read their card number aloud, the agent does not need to pause the call recording, and the business does not need to store card data in its telephony systems.

This technology is particularly important for organisations that handle sensitive payment calls, including utilities, local authorities, insurance companies and any business with a telephone payment line.

Channel Separation: The Alternative Approach

Channel separation takes a different approach to the same problem. Rather than masking the card data within the phone call, it moves the payment process onto a completely separate channel.

How Channel Separation Works

During a telephone conversation, when it is time to take payment, the agent sends the customer a secure payment link, typically via SMS or email. The customer completes the payment on their own device, entering their card details into a secure web form that connects directly to the payment processor. The voice call continues in parallel, so the agent can assist if needed.

Because the card data travels through a completely separate channel that never touches the contact centre infrastructure, the telephony environment can be taken out of PCI DSS scope. Two things must hold for that to be true: the agent's desktop must never display the card details (the agent sees only that the payment succeeded), and the link itself must be unguessable, short-lived and tied to the specific call and amount, so that it cannot be replayed or altered.
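The link properties that matter (unguessable, short-lived, tied to the call and amount, usable once) can be checked in code. Here is an added Python example, not from the original article or any vendor product, of a link-issuing service and the check the hosted page performs when the link is opened. The `pay.example.com` host, the fifteen-minute lifetime, the claim names and the in-memory store of issued links are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumptions for this example: the signing key would come from a secret
# store, and the hosted page domain belongs to the processor, not the
# contact centre.
LINK_SECRET = secrets.token_bytes(32)
LINK_TTL_SECONDS = 15 * 60
PAY_HOST = "https://pay.example.com/p/"

# Server-side record of every link issued: which call, how much, and whether
# it has been opened. Lives on the link service, never in telephony.
_issued = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(LINK_SECRET, payload, hashlib.sha256).digest())


def create_link(call_ref: str, amount_pence: int, currency: str = "GBP",
                now: Optional[float] = None) -> str:
    """Agent side: mint a link bound to this call and this amount."""
    now = time.time() if now is None else now
    claims = {
        "id": secrets.token_urlsafe(16),        # unguessable, one per link
        "call": call_ref,                       # ties the payment to the call
        "amt": amount_pence, "cur": currency,   # customer sees the agreed amount
        "exp": int(now + LINK_TTL_SECONDS),     # short-lived
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    _issued[claims["id"]] = {"used": False, **claims}
    return PAY_HOST + _b64(payload) + "." + _sign(payload)


def redeem_link(url: str, now: Optional[float] = None) -> dict:
    """Payment-page side: validate the link before showing the card form.
    Raises ValueError on tampering, expiry or reuse."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = url.rsplit("/", 1)[-1].split(".")
        payload = _unb64(payload_b64)
    except ValueError:
        raise ValueError("malformed link") from None
    if not hmac.compare_digest(_sign(payload), sig):
        raise ValueError("bad signature")        # amount or call ref altered
    claims = json.loads(payload)
    if now > claims["exp"]:
        raise ValueError("link expired")
    record = _issued.get(claims["id"])
    if record is None or record["used"]:
        raise ValueError("link unknown or already used")
    record["used"] = True                        # single use: a replay fails
    return claims


if __name__ == "__main__":
    url = create_link("CALL-20260401-0017", 4999)
    print(url)
    print(redeem_link(url))                      # first open succeeds
```

Nothing in the link is secret or sensitive: the claims are readable by anyone who has the URL, and the card details are only ever typed into the processor's hosted form that the link leads to. What the signature prevents is an agent or an intermediary altering the amount or call reference, and the server-side record is what makes a forwarded or re-opened link fail the second time.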

DTMF Masking vs Channel Separation

Both approaches achieve the same fundamental goal: keeping card data out of the contact centre. The right choice depends on the business context:

  • DTMF masking keeps the entire interaction within a single phone call, which suits customers who prefer not to switch devices or who may not have a smartphone to hand
  • Channel separation offers a visual payment experience and supports 3D Secure authentication natively, which can be advantageous for higher-value transactions

Many organisations use both methods, offering whichever suits the customer and the situation. Take a look at our product tour to see how these solutions work in practice.

How These Technologies Work Together

No single technology can protect every payment scenario on its own. The real strength of modern payment security lies in how these tools layer together.

Consider a typical telephone payment handled with DTMF masking:

  1. The customer calls and the agent helps them with their query
  2. When it is time to pay, the DTMF masking system activates
  3. The customer keys in their PAN and CVV via the telephone keypad
  4. The DTMF tones are suppressed so the agent and recordings cannot capture them
  5. The card data is sent securely to the payment processor
  6. The processor uses tokenisation to store a token for future reference
  7. Because this is a telephone (MOTO) transaction, 3D Secure does not apply; the processor relies on the CVV check and its own fraud screening instead
  8. The transaction is approved, and the business stores only the token, never the actual card data

Or consider a channel separation scenario with an online element:

  1. The agent sends a secure payment link during the call
  2. The customer opens the link and enters their card details on a secure form
  3. 3D Secure 2 authentication is triggered, and the customer verifies with their banking app
  4. The payment processor captures the card data and returns a token
  5. The contact centre never touches any cardholder data

Each technology handles a different part of the security chain. The CVV proves card possession. DTMF masking or channel separation keeps the data out of the wrong hands. Tokenisation ensures nothing sensitive is stored. And 3D Secure adds an authentication layer that confirms the customer's identity.

What Businesses Should Do to Protect Card Data

Understanding these technologies is important, but the practical question remains: what should your business actually do? Here is a clear set of actions.

1. Map Your Card Data Flows

Before you can protect card data, you need to know where it goes. Trace every path that cardholder data takes through your organisation: online payment forms, telephone systems, databases, email, paper records and any third-party integrations.

2. Reduce Your PCI Scope

Wherever possible, stop card data from entering your environment. Use tokenisation for stored payment references. Use DTMF masking or channel separation for telephone payments. Use hosted payment pages for online transactions. The less data you handle, the less you have to protect.

3. Choose the Right Telephone Payment Solution

If your business takes payments over the phone, this is likely your biggest area of risk. Agents keying card numbers into their desktops, call recordings that capture card details (a recorded CVV is a direct PCI DSS violation) and numbers jotted on paper all pull the contact centre into scope. Implementing DTMF suppression or channel separation removes this risk at source.

4. Keep 3D Secure Enabled

For online payments, ensure your payment gateway supports 3D Secure 2. Not only does this meet SCA requirements, but it also shifts liability for fraudulent chargebacks to the card issuer for authenticated transactions (not for transactions that go through on a merchant-requested exemption). Disabling 3D Secure to reduce checkout friction is a false economy.

5. Never Store CVV Data

This is non-negotiable under PCI DSS. If your systems are storing CVV numbers after authorisation, you are in breach. Check your databases, call recordings and any paper-based processes.
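Both mapping your card data flows (step 1) and checking that no CVV lingers in databases or recordings (step 5) come down to the same task: searching the text your systems produce for card numbers. The following added Python example, not from the original article, is a scanner of that kind for log lines, transcripts and database exports. It uses a digit-run pattern and the Luhn check digit to find likely PANs and flags any line that also carries a security-code label. The sample lines are constructed for the example; the card numbers in them are standard test numbers.

```python
import re
from typing import Dict, List

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code label followed by three or four digits on the same line.
CVV_NEARBY = re.compile(
    r"\b(?:cvv2?|cvc2?|cv2|cid|security code|code)\b\W{0,5}(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test that every real PAN passes; cuts most false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four, the traditional PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Masked PANs found in one piece of text (log line, transcript, row)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines) -> List[Dict]:
    """One finding per line that contains a likely PAN, noting whether a
    security code sits alongside it (the most urgent case to fix)."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append({"line": n, "pans": pans,
                             "cvv_present": CVV_NEARBY.search(line) is not None})
    return findings


# Constructed sample: three application log lines and one transcript note.
SAMPLE_LINES = [
    "2026-04-01 09:12:03 INFO order=1234567890123456 status=paid token=tok_8f1c",
    "2026-04-01 09:12:05 DEBUG card=4111 1111 1111 1111 exp=12/29 cvv=123 amount=49.99",
    "2026-04-01 09:13:44 INFO refund token=tok_2a9e amount=10.00",
    "[call 7781] agent notes: customer read out 3782-822463-10005 and code 1234",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

The Luhn test is what keeps the scanner useful: order numbers and timestamps rarely pass it, as the first sample line shows. Hits are reported masked (first six and last four digits) so that the scan output does not itself become a copy of the card data, and a hit with `cvv_present` set is the one to escalate first, because a stored CVV is a breach whatever else is in the file.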

6. Train Your Staff

Technology alone is not enough. Staff need to understand why they must not write down card numbers, why call recording must be handled carefully and what to do if they suspect a data breach. Regular training keeps security front of mind.

7. Work With PCI-Compliant Providers

Every third party that touches your payment data extends your risk. Ensure your payment processor, telephony provider and any other partners hold current PCI DSS validation. Ask for their Attestation of Compliance (AOC), confirm it covers the services you actually use, and check it annually.

Frequently Asked Questions

What is the difference between CVV, CVC and CV2?

They are all names for the same thing: the short security code on a payment card. CVV is the term used by Visa, CVC by Mastercard and CV2 is a commonly used generic term in the UK. The code serves the same purpose regardless of what it is called.

Is tokenisation the same as encryption?

No. Tokenisation replaces card data with a random token that has no mathematical link to the original. Encryption uses an algorithm and key to scramble the data, which can be reversed if the key is obtained. Tokenisation is generally considered the safer choice for payment data storage because the merchant holds nothing that can be reversed; the real data and any keys protecting it stay inside the vault.

Do I need 3D Secure for telephone payments?

3D Secure is designed for online card payments and does not apply to traditional telephone payment transactions. However, if you use channel separation to send a payment link during a call, the customer completes the payment online and 3D Secure authentication can apply.

What is DTMF masking and why does it matter?

DTMF masking replaces the tones generated by telephone keypad presses with flat sounds, preventing card numbers from being captured in call recordings or overheard by agents. It matters because without it, telephone payment operations are extremely difficult to make PCI DSS compliant.

Can I be PCI compliant without these technologies?

Technically, yes, but practically it is very difficult and expensive. Without tokenisation, DTMF masking or similar descoping technologies, your entire payment environment stays in scope for PCI DSS, meaning far more systems to audit, secure and maintain. Most businesses find it far simpler and cheaper to adopt these technologies than to try to comply without them.

What is channel separation?

Channel separation moves the payment onto a different channel, such as a secure web link, during a telephone call. The card data never enters the telephony system, which takes the contact centre out of PCI DSS scope for that data, provided agents cannot see or hear the details on any other channel.

How do I choose between DTMF masking and channel separation?

Consider your customers and your operation. DTMF masking keeps everything within a single phone call, which is simpler for customers who are not comfortable switching devices. Channel separation provides a visual payment form and supports 3D Secure. Many businesses offer both options.

Ready to take secure payments?

Get started in minutes, not months. No hardware, no software installs, no changes to your phone system. Just secure, PCI-compliant payments.