Module 7 of 10 · PCI Compliance 101

Module 7: DTMF Masking Explained

DTMF masking is a technology that lets customers enter card numbers on their phone keypad during a call, while masking the tones so agents never hear or see the data.

For the formal definition see DTMF Masking. This module is the learn-by-doing version.

Taking card payments over the phone exposes contact centres to a hard PCI DSS compliance problem: the moment an agent hears a card number aloud, the digits live in call recordings, in the agent's screen environment, and across the wider network. DTMF masking is the technology that closes that gap.

This guide reflects PCI DSS v4.0.1, the current version of the standard (mandatory since 31 March 2025).

DTMF masking is the technique of hiding a phone's keypad tones — Dual-Tone Multi-Frequency — when a caller types their card number during a payment. The agent and the call recording hear a flat tone in place of the digits, while the digits route straight to the payment processor. Contact centres use it to take card payments by phone without bringing agents and recordings into PCI DSS scope. "DTMF masking" and "DTMF suppression" describe the same technique.

A DTMF masking system sits in the audio path between the caller and the contact centre. When the caller's phone produces the audible tones for "1" through "9" — the Dual-Tone Multi-Frequency signals every modern keypad emits — the masking layer detects them, removes or replaces them in the agent's audio stream, and forwards the digits along a separate secure channel to the payment processor. The two terms DTMF masking and DTMF suppression are used interchangeably in the industry, although suppression strictly means removal and masking strictly means replacement.

What Is DTMF?

Before we explain DTMF masking, it helps to understand DTMF itself. DTMF stands for Dual-Tone Multi-Frequency — it's the technical name for the tones your phone makes when you press the keypad buttons. Each button produces a unique combination of two audio frequencies. Press "1" and your phone sends a specific pair of tones. Press "9" and it sends a different pair. That's how automated phone systems know which option you've selected when you "press 1 for sales" or "press 2 for support."

DTMF has been a standard part of telephony since the 1960s. It's reliable, universal, and works with every phone — landlines, mobiles, VoIP softphones, and everything in between. And it's this universality that makes it the foundation for one of the most effective PCI compliance technologies available: DTMF masking.

If you've read Guide 6: Telephone Payments and PCI DSS, you'll know that taking card payments over the phone creates significant PCI compliance challenges. Agents hear card numbers, call recordings capture them, and your entire contact centre infrastructure ends up in PCI scope. DTMF masking solves all of these problems in one elegant step. It's the core technology behind Paytia's secure telephone payment solution, and in this guide we'll explain exactly how it works.

How DTMF Masking Works — Step by Step

The concept is beautifully simple, even though the engineering behind it is sophisticated. Here's what happens during a DTMF-masked payment call:

Step 1: The agent initiates a payment. During a normal phone call — perhaps the customer is placing an order, renewing a subscription, or making a payment on their account — the agent reaches the point where payment is needed. They initiate a payment session through their screen, which triggers the DTMF masking technology.

Step 2: The customer is prompted to enter card details. The agent asks the customer to enter their card number using their phone keypad. The customer doesn't need to hang up, transfer, or call a different number. They stay on the same line, in the same conversation with the same agent.

Step 3: DTMF tones are intercepted. As the customer presses each digit, the DTMF masking system intercepts the tones before they reach the agent or the call recording system. This interception happens in real time, within milliseconds.

Step 4: Tones are replaced with flat sounds. The original DTMF tones — which would tell a listener exactly which digit was pressed — are replaced with uniform, flat tones. The agent hears a sound for each keypress (so they know the customer is entering data), but every key sounds identical. There's no way to determine which digit was pressed by listening to the masked tone.

Step 5: Real card data is routed to the payment processor. While the agent hears flat tones, the actual card digits are extracted from the original DTMF signals and sent directly to the payment processor via a secure, encrypted channel. The data never passes through the agent's headset, the agent's workstation, the call recording system, or any other part of your infrastructure.

Step 6: The agent sees payment progress, not card data. On the agent's screen, they can typically see that digits are being entered — perhaps represented as asterisks — and the payment status (approved, declined, etc.). They see enough to guide the customer through the process, but never the actual card numbers.

Step 7: The conversation continues normally. Once the payment is processed, the agent and customer continue their conversation without interruption. The entire payment took place within the natural flow of the call.
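To make Steps 3 to 5 concrete, and to show the two-frequency encoding described under "What Is DTMF?", here is an added Python example. It is not part of this guide and not Paytia's code. It synthesises the caller's keypad tones as 8 kHz telephony audio, decodes each key with the Goertzel algorithm, and implements a toy masking layer that, while a payment session is active, swaps every frame carrying a keypress for a flat tone in the agent/recording stream and forwards the decoded digit on a separate processor-side channel. Running the same decoder over the masked stream then shows the property the guide relies on: nothing in what the agent or recorder receives can be decoded back to digits, while the processor channel carries the full number. The sample rate, the 205-sample frame, the 500 Hz flat tone, the power threshold and every function name are assumptions chosen for the illustration; a production masker works on live RTP or TDM audio and must also cope with twist, talk-off and line noise, which this sketch ignores.

```python
import math

SAMPLE_RATE = 8000        # narrowband telephony PCM, 8 kHz (assumed)
FRAME = 205               # samples per analysis frame (~25.6 ms), a common Goertzel block size at 8 kHz
ROW_FREQS = (697.0, 770.0, 852.0, 941.0)        # DTMF low-group (row) frequencies
COL_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)    # DTMF high-group (column) frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")       # KEYPAD[row][col] -> key
FLAT_TONE_HZ = 500.0      # assumed replacement tone; any non-DTMF frequency would do
POWER_THRESHOLD = 200.0   # assumed; tuned for the 0.4-amplitude tones synthesised below


def key_to_freqs(key):
    """Return the (row, column) frequency pair that encodes a keypad key."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def synth(freqs, amplitude=0.4):
    """One frame of audio: the sum of one sinusoid per frequency (no frequencies -> silence)."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(FRAME)]


def goertzel_power(frame, freq):
    """Signal power in `frame` at a single frequency (Goertzel algorithm, one bin)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame):
    """Decode the key in one frame, or None when no strong row+column pair is present."""
    row_p = [goertzel_power(frame, f) for f in ROW_FREQS]
    col_p = [goertzel_power(frame, f) for f in COL_FREQS]
    r, c = row_p.index(max(row_p)), col_p.index(max(col_p))
    if row_p[r] < POWER_THRESHOLD or col_p[c] < POWER_THRESHOLD:
        return None
    return KEYPAD[r][c]


def caller_audio(keys, press_frames=2):
    """Constructed caller-side stream: each key held for `press_frames`, then one frame of silence."""
    frames = []
    for k in keys:
        frames.extend(synth(key_to_freqs(k)) for _ in range(press_frames))
        frames.append(synth(()))
    return frames


def mask_stream(frames, masking_active):
    """Toy masking layer. Returns (agent_stream, processor_digits).

    During a payment session every frame carrying a key is replaced by a flat tone in
    the agent/recording stream and the decoded key goes to the processor-side channel
    once per keypress (a key held across several frames is counted once). Outside a
    session the tones pass through untouched, so IVR-style "press 1" still works.
    """
    agent_stream, processor_digits = [], []
    previous = None
    for frame in frames:
        key = detect_key(frame)
        if key is not None and masking_active:
            agent_stream.append(synth((FLAT_TONE_HZ,)))
            if key != previous:
                processor_digits.append(key)
        else:
            agent_stream.append(frame)
        previous = key
    return agent_stream, "".join(processor_digits)


def decode_stream(frames):
    """What a listener, or a decoder run over a recording, could recover from a stream."""
    out, previous = [], None
    for frame in frames:
        key = detect_key(frame)
        if key is not None and key != previous:
            out.append(key)
        previous = key
    return "".join(out)


if __name__ == "__main__":
    pan = "4111111111111111"   # constructed sample (a well-known test card number, not real cardholder data)
    agent, to_processor = mask_stream(caller_audio(pan), masking_active=True)
    print("processor channel receives:", to_processor)
    print("decodable from agent/recording stream:", repr(decode_stream(agent)))
    menu_audio, _ = mask_stream(caller_audio("1"), masking_active=False)
    print("IVR keypress outside a payment session:", decode_stream(menu_audio))
```

The design point worth noticing is that the masker never needs to understand the card number: it only needs a reliable per-frame DTMF detector and two outputs, one for the agent path and one for the processor path. That is why the agent, the recorder and everything behind them stay out of scope, and also why detector accuracy (missed or doubled keypresses) is the property to test hardest when evaluating a real product.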

Why Masking Matters: The Technical Security Argument

The reason DTMF masking is so effective from a PCI perspective comes down to a fundamental principle: if card data never enters your environment, your environment doesn't need to be secured to PCI standards for that data. This is the concept of descoping that we covered in Guide 5, and DTMF masking is one of the most complete forms of descoping available.

Consider what's removed from PCI scope when DTMF masking is in place:

  • Agent workstations — the agent never sees card data on their screen, so the workstation isn't processing cardholder data
  • Call recordings — only flat tones are recorded, not DTMF signals that could be decoded back to card numbers
  • The phone system — whether VoIP or traditional, the system only carries masked tones, not recognisable card data
  • The contact centre network — no card data traverses your local network
  • Screen recording and monitoring tools — no card data appears on screen to be captured
  • The agents themselves — with no access to card data, agent-related PCI requirements (unique IDs, background checks, clean desk policies) are simplified significantly

This level of descoping can dramatically reduce your PCI compliance obligation. As we explained in Guide 4, the SAQ type you need depends on how card data flows through your business. With DTMF masking handling your telephone payments and a hosted payment page handling online payments, you may qualify for SAQ A — the simplest questionnaire with just 22 questions, compared to 326 for SAQ D.

DTMF Masking vs. Pause and Resume

Pause and resume is the other commonly discussed approach to telephone payment security, and it's important to understand how it compares to DTMF masking. The two technologies are often mentioned together, but they are fundamentally different in what they achieve.

How pause and resume works: When a payment is needed, the call recording is paused. The customer then reads their card number aloud to the agent, who enters it into the payment system. Once the payment is processed, the recording resumes. The card data doesn't appear in the recording, but it does pass through every other part of the system.

The critical difference: With pause and resume, the agent still hears the full card number. They still type it into their workstation. The card data still travels through the phone system and the network. The only thing removed from scope is the call recording. Everything else — agents, workstations, phone systems, network infrastructure — remains in full PCI scope.

Here's a direct comparison:

  • Agent hears card data? Pause and resume: Yes. DTMF masking: No.
  • Card data on agent's screen? Pause and resume: Yes. DTMF masking: No.
  • Card data in call recording? Pause and resume: No (if paused correctly). DTMF masking: No.
  • Card data on your network? Pause and resume: Yes. DTMF masking: No.
  • Phone system in PCI scope? Pause and resume: Yes. DTMF masking: No.
  • Agents in PCI scope? Pause and resume: Yes. DTMF masking: No.
  • Customer experience disruption? Pause and resume: Yes (silence during payment). DTMF masking: No (conversation continues).
  • Descopes the environment? Pause and resume: Partially. DTMF masking: Fully.

There are also practical problems with pause and resume. If an agent forgets to pause the recording, card data is captured. If the pause triggers late or resumes early, data leaks into the recording. Some implementations create an awkward silence for the customer, who doesn't know if the call has dropped. And because agents still hear card numbers, there's always a risk of social engineering or accidental disclosure.

Pause and resume was a reasonable approach when it was first introduced, and it's better than doing nothing. But DTMF masking has made it largely obsolete for businesses serious about PCI compliance and customer experience.

Compatibility and Implementation

One of the practical strengths of DTMF masking is its compatibility. Because DTMF is a universal telephony standard, masking works with virtually any phone the customer might be using — landlines, mobile phones, smartphones, and VoIP handsets. The customer doesn't need to download an app, visit a website, or have any special equipment. They just press the buttons on their existing phone.

On the business side, DTMF masking solutions like Paytia integrate with your existing telephony infrastructure. Whether you're running an on-premises PBX, a cloud contact centre platform, Microsoft Teams, or a simple VoIP system, the masking technology sits in the call path and works transparently. Agents use a simple interface to initiate payments, and the technical complexity is handled behind the scenes.

Implementation is typically straightforward. There's no need to replace your phone system, retrain your agents extensively, or change your payment processor. The masking solution connects to your existing telephony and your existing payment gateway, acting as a secure bridge between the customer and the processor.

Real-World Scenarios

To make this concrete, here are some typical situations where DTMF masking makes a meaningful difference:

A local council takes council tax payments over the phone. With hundreds of agents and millions of calls recorded for dispute resolution, storing card data in recordings would create an enormous PCI burden. DTMF masking removes card data from the equation entirely.

A travel company processes holiday bookings over the phone, often handling high-value transactions. Agents need to stay on the line to discuss itineraries and add extras. DTMF masking lets the payment happen during the conversation without forcing an awkward pause or transfer.

A healthcare provider collects payments for private consultations. Patients call from public places — waiting rooms, coffee shops, even public transport. With DTMF masking, they never need to read their card number aloud where others might hear.

A financial services firm is required by the FCA to record all calls. They can't use pause and resume because the regulator requires a complete recording. DTMF masking solves both problems: the call is fully recorded, but the recording contains only flat tones instead of card data.

Key Takeaways

  • DTMF masking intercepts phone keypad tones and replaces them with uniform flat sounds, so agents hear keypresses but can't identify which digits were entered
  • Card data is routed directly to the payment processor without passing through agents, call recordings, workstations, or your network infrastructure
  • DTMF masking fully descopes your telephone payment environment from PCI DSS — agents, recordings, phone systems, and networks are all taken out of scope
  • Pause and resume only addresses call recordings — agents still hear and handle card data, keeping workstations, phone systems, and networks in full PCI scope
  • The technology works with any phone — customers press keypad buttons on their existing handset, with no apps or special equipment needed
  • Implementation integrates with existing systems — no need to replace your phone system, retrain agents, or switch payment processors
  • DTMF masking is the gold standard for telephone payment security and the core technology behind Paytia's secure payment solution

Frequently Asked Questions

How does DTMF masking work?

During a payment call, the customer is prompted to enter their card number using their phone keypad. The DTMF tones are intercepted and replaced with flat tones, so the agent hears a uniform sound. The real card data is sent directly to the payment processor, bypassing the agent and call recording entirely.

Is DTMF masking better than pause and resume?

Yes — DTMF masking keeps the agent and customer on the line together throughout the payment, while pause and resume creates an awkward silence. DTMF masking also fully descopes your environment, while pause and resume still requires agents to hear card numbers in some implementations.

Does DTMF masking work with any phone system?

DTMF masking works with virtually any telephony setup — landlines, VoIP, mobile phones, and cloud contact centre platforms. No special hardware is needed on the customer's end.

Does DTMF masking work with cloud telephony and modern contact-centre platforms?

Yes. DTMF masking works with landlines, VoIP softphones, mobile networks, and cloud contact-centre platforms — anything that produces standard DTMF tones. The masking sits in the audio path between the caller and the agent, so it doesn't care whether the underlying call is TDM, SIP, or WebRTC. No special hardware is needed on the customer's end.

Is DTMF masking the same as channel separation?

No. Channel separation splits the audio so the agent's side and the customer's side go to different recording tracks — useful for compliance review but it doesn't stop the agent hearing card numbers. DTMF masking actively removes or replaces the card digits in the agent's audio and the recording, then routes the real digits to the payment processor. They solve different problems.

Is there a latency penalty when DTMF masking is active?

Practically none. The masking happens in real time on the audio stream, with no perceptible delay for either the caller or the agent. The two stay on the line together throughout the payment, talking normally. Compare that with pause-and-resume, which forces an awkward silence while card data is captured — masking removes that pause entirely.

Does DTMF masking change how my payment processor handles the transaction?

No. From the processor's perspective, it receives a card number and processes the transaction as normal. The masking layer captures the digits the caller types and forwards them to the processor over a secure channel — the processor doesn't see the masking. You don't need to switch processors to use DTMF masking, and your existing payment integrations carry on working.

Ready to simplify your PCI compliance?

Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.
