DTMF stands for Dual-Tone Multi-Frequency, the technical standard behind the tones you hear when pressing keys on a telephone keypad. Each key press generates a unique combination of two audio frequencies — one from a high-frequency group and one from a low-frequency group — which the telephone network decodes to identify the digit pressed. DTMF replaced the older pulse dialling system decades ago and remains the foundation of telephone-based input, from navigating automated phone menus to entering PINs and account numbers.
In the payments industry, DTMF has taken on a specialised and critical role: enabling secure card payment capture during telephone calls. When a customer needs to pay over the phone, DTMF masking (also called DTMF suppression or DTMF clamping) allows the caller to key their card number directly on their phone’s keypad while the tones are intercepted and stripped from the audio stream before they reach the contact centre agent or call recording system. The agent hears flat tones or silence instead of the distinctive key-press sounds, and the call recording captures no card data. The digits are routed securely to the payment processor, and the transaction is completed without any cardholder data entering the contact centre environment.
This technique is fundamental to PCI DSS compliance for telephone payments. Without DTMF masking, any call centre that takes card payments over the phone brings its entire telephony infrastructure, call recording systems, and agent workstations into PCI scope — requiring costly security controls, regular audits, and significant operational restrictions. DTMF masking removes cardholder data from the contact centre environment entirely, dramatically reducing PCI scope and the associated compliance burden.
Shuttle Global’s Voice Checkout product is built on DTMF masking technology. When a platform’s contact centre agent needs to collect a payment during a call, Shuttle’s integration with Twilio and other telephony providers intercepts the caller’s key presses, securely captures the card data within Shuttle’s PCI DSS Level 1 certified environment, and processes the payment through the appropriate PSP — all while the agent remains on the line but never hears or sees the card number. This approach keeps the platform and its contact centre completely out of PCI scope for card data, turning what would otherwise be a major compliance project into a simple API integration.