Title:
SIGNALLING PROCESSOR FOR SECURE AUDIO COMMUNICATIONS
Document Type and Number:
WIPO Patent Application WO/2018/185498
Kind Code:
A1
Abstract:
A system and method for processing audio communications comprising telecommunication signalling is described. The system comprises a first communications interface, a second communications interface, a storage unit and a session interface. The first communications interface is configured to receive audio communications from a first entity and to partition all audio communications from the first entity into a first telecommunication signalling stream and a first voice stream. The second communications interface is configured to receive audio communications from a second entity. The first communications interface and the second communications interface are configured to send the first telecommunication signalling stream to the storage unit and to send the first voice stream to the second entity; and the storage unit is configured to store the first telecommunication stream. The session interface is configured to initiate a session accessible by a user associated with the second entity and to facilitate the generation of a link between the session and the first telecommunication signalling stream stored in the storage unit.

Inventors:
GILROY MORGAN STUART (GB)
Application Number:
PCT/GB2018/050932
Publication Date:
October 11, 2018
Filing Date:
April 06, 2018
Assignee:
TELAPPLIANT LTD (GB)
International Classes:
H04M3/51
Foreign References:
US20130136242A1 2013-05-30
US8204180B1 2012-06-19
EP3029918A1 2016-06-08
US9307084B1 2016-04-05
Claims:
CLAIMS

1. A system for processing audio communications comprising telecommunication signalling, comprising:

a first communications interface, a second communications interface, a storage unit and a session interface; wherein:

the first communications interface is configured to receive audio communications from a first entity and to partition all audio communications from the first entity into a first telecommunication signalling stream and a first voice stream;

the second communications interface is configured to receive audio communications from a second entity;

the first communications interface and the second communications interface are configured to send the first telecommunication signalling stream to the storage unit and to send the first voice stream to the second entity;

the storage unit is configured to store the first telecommunication stream; and

the session interface is configured to initiate a session accessible by a user associated with the second entity and to facilitate the generation of a link between the session and the first telecommunication signalling stream stored in the storage unit.

2. The system of claim 1, wherein the audio communications from the first entity and the audio communications from the second entity correspond to audio communications between the first entity and the user associated with the second entity.

3. The system of claim 1 or 2, wherein an identification code is associated with the session; wherein the second communications interface is further configured to partition the audio communications from the second entity into a second telecommunication signalling stream and a second voice stream; and wherein the session interface is further configured to generate a link between the session and the first telecommunication signalling stream stored in the storage unit if it is determined that the second telecommunication signalling stream comprises the identification code.

4. The system of claim 3, wherein the first communications interface and the second communications interface are configured to send the second voice stream to the first entity and to send the second telecommunication signalling stream to the storage unit; and wherein the storage unit is configured to store the second telecommunication signalling stream.

5. The system of claim 3 or 4, wherein the session is configured to generate the identification code as a one-time code.

6. The system of claim 1 or 2, wherein the system further comprises the private branch exchange of the second entity; the second communications interface receives an identification, from the private branch exchange, of the user associated with the second entity that has accepted the audio communications; and wherein the session interface is further configured to generate a link between the session and the first telecommunication signalling stream stored in the storage unit.

7. The system of claim 1 or 2, wherein the system further comprises a first entity interface, a second entity interface and a second storage unit, wherein:

the first entity interface is configured to receive a first API request from an application associated with the first entity, the API request comprising an identification of the first entity and an identification of the second entity;

the second entity interface is configured to receive a second API request from an application associated with the second entity, the API request comprising an identification of the user associated with the second entity and an identification of the first entity;

the second storage unit is configured to store the identifications comprised in the first API request and the second API request;

the storage unit is further configured to store the identification of the first entity associated with the first telecommunication stream; and

the session interface is further configured to generate the link between the session and the first telecommunication signalling stream stored in the storage unit by matching an identification of the user, associated with the second entity, that is accessing the session to the identification of the first entity stored in the second storage unit and then further matching this to the first telecommunication signalling stream stored in the storage unit and associated with the identification of the first entity.

8. The system of claim 7, wherein the second storage unit is further configured to store a timecode associated with at least one of the first API request and the second API request and the session interface is further configured to generate the link between the session and the first telecommunication signalling stream stored in the storage unit based at least in part on the timecode.

9. The system of any preceding claim, wherein the first telecommunication signalling stream and the second telecommunication signalling stream comprise in-band signalling streams, preferably dual-tone multi-frequency (DTMF) signalling.

10. A method for processing audio communications comprising telecommunication signalling, comprising:

receiving, at a first communications interface, audio communications from a first entity and partitioning all audio communications from the first entity into a first telecommunication signalling stream and a first voice stream;

receiving, at a second communications interface, audio communications from a second entity;

sending the first telecommunication signalling stream to a storage unit and sending the first voice stream to the second entity;

storing, at the storage unit, the first telecommunication signalling stream; and

initiating, at a session interface, a session accessible by a user associated with the second entity and facilitating the generation of a link between the session and the first telecommunication signalling stream stored in the storage unit.

11. The method of claim 10, wherein the audio communications from the first entity and the audio communications from the second entity correspond to audio communications between the first entity and the user associated with the second entity.

12. The method of claim 10 or 11, wherein an identification code is associated with the session; wherein the method further comprises partitioning, at the second communications interface, the audio communications from the second entity into a second telecommunication signalling stream and a second voice stream; and generating, at the session interface, a link between the session and the first telecommunication signalling stream stored in the storage unit if it is determined that the second telecommunication signalling stream comprises the identification code.

13. The method of claim 12, further comprising sending the second voice stream to the first entity; sending the second telecommunication signalling stream to the storage unit; and storing, at the storage unit, the second telecommunication signalling stream.

14. The method of claim 12 or 13, further comprising generating, at the session, the identification code as a one-time code.

15. The method of claim 10 or 11, wherein the method further comprises receiving, at the second communications interface, an identification of the user associated with the second entity that has accepted the audio communications from a private branch exchange of the second entity; and generating, at the session interface, a link between the session and the first telecommunication signalling stream stored in the storage unit.

16. The method of claim 10 or 11, wherein the method further comprises:

receiving, at a first entity interface, a first API request from an application associated with the first entity, the API request comprising an identification of the first entity and an identification of the second entity;

receiving, at a second entity interface, a second API request from an application associated with the second entity, the API request comprising an identification of the user associated with the second entity and an identification of the first entity;

storing, at a second storage unit, the identifications comprised in the first API request and the second API request;

storing, at the storage unit, the identification of the first entity associated with the first telecommunication stream; and

generating, at the session interface, the link between the session and the first telecommunication signalling stream stored in the storage unit by matching an identification of the user, associated with the second entity, that is accessing the session to the identification of the first entity stored in the second storage unit and then further matching this to the first telecommunication signalling stream stored in the storage unit and associated with the identification of the first entity.

17. The method of claim 16, wherein the method further comprises storing, at the second storage unit, a timecode associated with at least one of the first API request and the second API request and wherein the generating, at the session interface, the link between the session and the first telecommunication signalling stream stored in the storage unit is based at least in part on the timecode.

18. The method of any of claims 8 to 13, wherein the first telecommunication signalling stream and the second telecommunication signalling stream comprise in-band signalling streams, preferably dual-tone multi-frequency (DTMF) signalling.

Description:
SIGNALLING PROCESSOR FOR SECURE AUDIO COMMUNICATIONS

FIELD OF THE INVENTION

This application relates to a system and method for processing audio communications comprising telecommunication signalling, in particular the partitioning of telecommunication signalling, such as dual-tone multi-frequency (DTMF) signalling, and the facilitation of a link between the partitioned telecommunication signalling and a session environment whilst preventing the bridging of the DTMF or other telecommunication signalling signals in the audio communications.

BACKGROUND OF THE INVENTION

Many businesses use telephone calls and call centres as a means for doing business with customers. In these telephone calls, the customer typically speaks to an individual user known as a call agent, who is employed by the business or company. At some points during these telephone calls, it may be necessary for the customer to provide the agent with sensitive or private data in order for the customer to do business or complete a transaction with the company. This sensitive data may take many forms, for example identification data such as one or more characters from a password or phrase, or other identifying number, payment details such as payment card or bank account details, or other sensitive authentication data.

It is known for the customer to supply this sensitive data verbally, however there are a number of drawbacks with such approaches. For example, the agent may incorrectly hear the character spoken by the customer leading to an incorrect entry of data, or the agent may record the sensitive data for later use. If the agent is untrustworthy, then this sensitive data may be subsequently used for dishonest practices. Even if the agent is trustworthy and the data has been captured or recorded for legitimate further processing, care must be taken to ensure that the requirements of data protection regulations are met in the handling of such records of the customer's sensitive data.

Some telephone systems may be arranged to use telecommunication signalling, such as in-band or out-of-band signalling, in order to exchange this sensitive data. For example, dual-tone multi-frequency (DTMF) signalling may be used to enter the data character by character using the keys on the customer's telephone handset to cause the sensitive data to be sent to the company in an encoded form. Automated systems at the company may then be configured to receive and decode this DTMF signalling for further processing.

Because DTMF signalling is in-band, the agent will be able to hear the data being transferred and, whilst the agent may not be able to immediately understand the content of data being transmitted, it is possible that an untrustworthy agent may utilise their own decoder for decoding the transmitted signalling data or alternatively may record the in-band signalling tones for later decoding. Moreover, companies typically record at least a subset of such calls for quality control, employee training etc. and thus care is needed in order to remove DTMF signalling or other private data from that being recorded in the company archives.

Aimed at addressing some of these drawbacks, GB2473376 relates to a system for switching between a normal mode and a safe mode. In such a system, it is often necessary to provide additional equipment on the top of existing equipment or infrastructure in-house at the company call centre, or at a third party provider, in order to handle the routing in the safe mode wherein the voice data is passed between the customer and the agent, but any DTMF signalling is filtered out so that it is blocked from being passed through the agent and instead is routed via a different channel. The DTMF data is then encrypted before being routed to a data processing module and/or an external system.

Such a system may be considered to complicate the processing of signalling or transaction data by requiring the agent to ensure that the system is in the required safe mode at the correct point in time of each telephone call. In some situations, the agent may accidentally or deliberately fail to enable the safe mode and accordingly the customer may not be able to know with confidence whether the system is in the normal mode or the safe mode at any one given moment in time. Moreover, since the sensitive data must be handled by interconnections between company systems, it is important that these systems continually comply with the relevant industry data protection standards, such as the Payment Card Industry Data Security Standards (PCI-DSS) for card payments and the Information Commissioner's Office (ICO) for public interest information rights.

Therefore, we have appreciated that it would be desirable to provide an improved system for handling business communications involving telecommunication signalling of sensitive data from a customer to an agent of the company in question that addresses the above drawbacks, whilst integrating legacy Public Switched Telephone Networks (PSTNs) with the digital applications and technologies that are pursued by businesses to date.

SUMMARY OF THE INVENTION

The invention is defined in the independent claims to which reference should now be directed. Advantageous features are set out in the dependent claims.

In a first aspect, the invention relates to a system for processing audio communications comprising telecommunication signalling. The system comprises a first communications interface, a second communications interface, a storage unit and a session interface. The first communications interface of the system is configured to receive audio communications from a first entity and to partition all audio communications from the first entity into a first telecommunication signalling stream and a first voice stream and the second communications interface is configured to receive audio communications from a second entity. The first communications interface and the second communications interface are configured to send the first telecommunication signalling stream to the storage unit and to send the first voice stream to the second entity. The storage unit is also configured to store the first telecommunication stream; and the session interface is configured to initiate a session accessible by a user associated with the second entity and to facilitate the generation of a link between the session and the first telecommunication signalling stream stored in the storage unit.

Advantageously, the claimed system is always on such that all audio communications from the first entity are partitioned into a first telecommunication signalling stream and a first voice stream and there is no danger of a mode switching error. Because the processing and partitioning of the telecommunication signalling occurs prior to any part of the audio communications entering the networks or systems of the second entity, the sensitive authentication data is kept away from the second entity company and any users or agents acting for the company. A benefit of this is that the data protection requirements for the second entity are greatly reduced in a simple and secure manner.

Separating the first telecommunication signalling stream and the first voice stream, of the audio communications, at this early stage does however present additional problems to be overcome, since the first telecommunication signalling stream must be linked to the activities of the user associated with the second entity in some manner in order for the user and/or second entity / company to act on the sensitive data entered by the first entity / customer. In this vein, the claimed invention also advantageously provides a session that is accessible by the user, who may also be referred to as an agent, and is associated with the first telecommunication signalling stream stored in the storage unit of the system by a link generated for the session interface.

The linking of the stored first telecommunication signalling stream from the call session with a session interface enables the second entity company and any users or agents acting for the company to utilise the stored data, thus bridging the standard public switched telephone network and digital services worlds. Typically, the session may be a web session hosted by the system, or alternatively the session may be an Application Programming Interface (API) session, such as a server-side web API.

Optionally, the audio communications from the first entity and the audio communications from the second entity correspond to audio communications between the first entity and the user associated with the second entity. Advantageously, the audio communications may represent a conversation between the first entity and the user / agent, wherein the first telecommunication signalling stream is not transmitted to the user / agent.

Optionally, the system associates an identification code with the session. The second communications interface may then be further configured to partition the audio communications from the second entity into a second telecommunication signalling stream and a second voice stream; and wherein the session interface is further configured to generate a link between the session and the first telecommunication signalling stream stored in the storage unit if it is determined that the second telecommunication signalling stream comprises the identification code.

In this manner, the system advantageously associates the first telecommunication signalling stream with the session when it is determined that the identification code associated with the session is comprised in the second telecommunication signalling stream. The first and second telecommunications signalling streams are linked as they correspond to the two directions of communications on a single audio communications call.

Optionally, the first communications interface and the second communications interface are configured to send the second voice stream to the first entity and to send the second telecommunication signalling stream to the storage unit; and wherein the storage unit is configured to store the second telecommunication signalling stream. In this manner, the telecommunication signalling of the agent is also stored and prevented from being passed to the customer.

Optionally, the session is configured to generate the identification code as a one-time code. This advantageously enables the identification code to be unique to the given web session; moreover, this means that the agent may be able to maintain multiple session connections to the session interface for simultaneously handling a plurality of audio communications in accordance with the present invention.

Optionally, the system further comprises the private branch exchange of the second entity; the second communications interface receives an identification, from the private branch exchange, of the user associated with the second entity that has accepted the audio communications; and wherein the session interface is further configured to generate a link between the session and the first telecommunication signalling stream stored in the storage unit.

In this embodiment, the system hosts the private branch exchange (PBX) of the second entity. This enables the system to be aware of the telephone hardware that is connected to the audio communications call comprising the first telecommunication signalling stream. In an embodiment wherein a single user / agent is associated with the telephone hardware, the link between the agent identity, and thus the agent credentials used to log into the session, and the first telecommunication signalling stream stored in the storage unit may be created automatically. In one embodiment, multiple agents may use and be associated with the telephone hardware. In such an embodiment, the system may obtain, from the second entity or a storage unit maintained by the second entity, the identity of the agent that is logged into the telephone hardware at that given moment of time, or a previous time in order to identify the relevant agent and session to be associated with the stored first telecommunication signalling stream.

Optionally, the system further comprises a first entity interface, a second entity interface and a second storage unit, wherein the first entity interface is configured to receive a first API request from an application associated with the first entity, the API request comprising an identification of the first entity and an identification of the second entity; the second entity interface is configured to receive a second API request from an application associated with the second entity, the API request comprising an identification of the user associated with the second entity and an identification of the first entity; the second storage unit is configured to store the identifications comprised in the first API request and the second API request; the storage unit is further configured to store the identification of the first entity associated with the first telecommunication stream; and the session interface is further configured to generate the link between the session and the first telecommunication signalling stream stored in the storage unit by matching an identification of the user, associated with the second entity, that is accessing the session to the identification of the first entity stored in the second storage unit and then further matching this to the first telecommunication signalling stream stored in the storage unit and associated with the identification of the first entity. In this manner, the system advantageously improves integration possibilities with the systems of the second entity.

Optionally, the second storage unit is further configured to store a timecode associated with at least one of the first API request and the second API request and the session interface is further configured to generate the link between the session and the first telecommunication signalling stream stored in the storage unit based at least in part on the timecode. This advantageously enables the system to improve the accuracy of the linking process, for example where multiple call records may be held for a given customer.

Optionally, the first telecommunication signalling stream and the second telecommunication signalling stream may comprise in-band signalling streams, preferably they may comprise dual-tone multi-frequency (DTMF) signalling. This advantageously enables the system to handle commonly used signalling means for audio communications.

According to a second aspect of the invention, a method for processing audio communications comprising telecommunication signalling is provided. The method comprises receiving, at a first communications interface, audio communications from a first entity and partitioning all audio communications from the first entity into a first telecommunication signalling stream and a first voice stream; and receiving, at a second communications interface, audio communications from a second entity. The method further comprises sending the first telecommunication signalling stream to a storage unit and sending the first voice stream to the second entity, wherein the first telecommunication signalling stream is stored at the storage unit. Moreover, the method comprises initiating, at a session interface, a session accessible by a user associated with the second entity and facilitating the generation of a link between the session and the first telecommunication signalling stream stored in the storage unit.

Advantageously, the claimed method is always partitioning all audio communications from the first entity into a first telecommunication signalling stream and a first voice stream such that there is no danger of a mode switching error. Because the processing of the telecommunication signalling occurs prior to any part of the audio communications entering the networks / systems of the second entity, the data protection requirements for the second entity are greatly reduced and the overall security of the system and transmission of the data is greatly increased.

Separating the first telecommunication signalling stream and the first voice stream at this early stage does however present additional problems to be overcome since the first telecommunication signalling stream must be linked to the user / agent activities in some manner in order for the agent and/or company to act on the sensitive data entered by the customer. In this vein, the claimed invention also advantageously provides a session that is accessible by the agent and is associated with the first telecommunication signalling stream stored in the storage unit.

Optionally, the audio communications from the first entity and the audio communications from the second entity correspond to audio communications between the first entity and the user associated with the second entity. Advantageously, the audio communications may represent a conversation between the first entity and the user / agent, wherein the first telecommunication signalling stream is not transmitted to the agent.

Optionally, an identification code is associated with the session and the method further comprises partitioning, at the second communications interface, the audio communications from the second entity into a second telecommunication signalling stream and a second voice stream; and generating, at the session interface, a link between the session and the first telecommunication signalling stream stored in the storage unit if it is determined that the second telecommunication signalling stream comprises the identification code.

In this manner, the method advantageously associates the first telecommunication signalling stream with the session when it is determined that the identification code associated with the session is comprised in the second telecommunication signalling stream. The first and second telecommunications signalling streams will already be linked since they correspond to the two directions of communications on a single audio communications call.

Optionally, the method further comprises sending the second voice stream to the first entity; sending the second telecommunication signalling stream to the storage unit; and storing, at the storage unit, the second telecommunication signalling stream. In this manner, the telecommunication signalling of the agent is also stored and prevented from being passed to the customer.

Optionally, the method further comprises generating, at the session, the identification code as a one-time code. This advantageously enables the identification code to be unique to the given session; moreover, this means that the user / agent may be able to maintain multiple session connections to the session interface for simultaneously handling a plurality of audio communications in accordance with the present invention.
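The always-on partitioning and the one-time identification code link described above, as an added sketch that is not code from the patent or the applicant. It assumes an upstream tone detector has already tagged each frame as voice or DTMF; the class and function names, the frame tags and the six-digit code length are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Assumption: an upstream tone detector has already tagged every frame on a
# call leg as ("voice", payload) or ("dtmf", digit). Detection is out of scope.

@dataclass
class CallRecord:                      # one entry in the "storage unit"
    customer_signalling: list = field(default_factory=list)  # first stream
    agent_signalling: list = field(default_factory=list)     # second stream

def partition(frames):
    """Split one leg into (signalling digits, voice frames). Frames of any
    other kind are dropped, so nothing unclassified is bridged to the far end."""
    digits = [p for kind, p in frames if kind == "dtmf"]
    voice = [p for kind, p in frames if kind == "voice"]
    return digits, voice

class SessionInterface:
    CODE_LEN = 6                       # hypothetical length, not from the page

    def __init__(self, storage):
        self.storage = storage         # call_id -> CallRecord
        self.pending = {}              # one-time code -> session_id
        self.links = {}                # session_id -> call_id

    def open_session(self):
        """Start an agent session and issue its one-time identification code."""
        session_id = secrets.token_urlsafe(16)
        while True:                    # codes must be unique among open sessions
            code = "".join(secrets.choice("0123456789")
                           for _ in range(self.CODE_LEN))
            if code not in self.pending:
                break
        self.pending[code] = session_id
        return session_id, code

    def try_link(self, call_id):
        """Link a session only if the AGENT leg's signalling contains its code."""
        if call_id in self.links.values():
            return None                # a call is linked at most once
        keyed = "".join(self.storage[call_id].agent_signalling)
        for code in list(self.pending):
            if code in keyed:
                session_id = self.pending.pop(code)   # consume: one-time use
                self.links[session_id] = call_id
                return session_id
        return None

    def customer_digits(self, session_id):
        """What a linked session may read: the stored first signalling stream."""
        call_id = self.links.get(session_id)
        if call_id is None:
            return None
        return "".join(self.storage[call_id].customer_signalling)

class SignallingProcessor:
    def __init__(self):
        self.storage = {}
        self.sessions = SessionInterface(self.storage)

    def from_customer(self, call_id, frames):
        digits, voice = partition(frames)          # always on, no mode switch
        self.storage.setdefault(call_id, CallRecord()).customer_signalling.extend(digits)
        return voice                               # only voice reaches the agent

    def from_agent(self, call_id, frames):
        digits, voice = partition(frames)
        self.storage.setdefault(call_id, CallRecord()).agent_signalling.extend(digits)
        self.sessions.try_link(call_id)
        return voice                               # only voice reaches the customer

def demo():
    """Constructed sample call: the customer keys 1234, the agent keys the code."""
    proc = SignallingProcessor()
    session_id, code = proc.sessions.open_session()
    to_agent = proc.from_customer(
        "call-1", [("voice", b"hello")] + [("dtmf", d) for d in "1234"])
    before = proc.sessions.customer_digits(session_id)      # not linked yet
    to_customer = proc.from_agent(
        "call-1", [("voice", b"one moment")] + [("dtmf", d) for d in code])
    after = proc.sessions.customer_digits(session_id)
    # Replaying the consumed code on another call must not create a link.
    proc.from_agent("call-2", [("dtmf", d) for d in code])
    replay_linked = "call-2" in proc.sessions.links.values()
    return to_agent, before, to_customer, after, replay_linked

if __name__ == "__main__":
    print(demo())
```

The link is evaluated only against the second (agent-side) signalling stream, so a code keyed on the customer leg is stored but never links a session.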

Optionally, the method further comprises receiving, at the second communications interface, an identification of the user / agent associated with the second entity that has accepted the audio communications from a private branch exchange of the second entity; and generating, at the session interface, a link between the session and the first telecommunication signalling stream stored in the storage unit.

In this embodiment, the private branch exchange (PBX) of the second entity is also hosted, which enables the system to be aware of the telephone hardware that is connected to the audio communications call comprising the first telecommunication signalling stream. In an embodiment wherein a single user or agent is associated with the telephone hardware, the link between the agent identity, and thus the agent credentials used to log into the session, and the first telecommunication signalling stream stored in the storage unit may be created automatically. In one embodiment, multiple users or agents may use and be associated with the telephone hardware. In such an embodiment, the system may obtain, from the second entity or a storage unit maintained by the second entity, the identity of the agent that is logged into the telephone hardware at that given moment of time, or a previous time in order to identify the relevant agent and session to be associated with the stored first telecommunication signalling stream.

Optionally, the method further comprises receiving, at a first entity interface, a first API request from an application associated with the first entity, the API request comprising an identification of the first entity and an identification of the second entity; receiving, at a second entity interface, a second API request from an application associated with the second entity, the API request comprising an identification of the user associated with the second entity and an identification of the first entity; storing, at a second storage unit, the identifications comprised in the first API request and the second API request; storing, at the storage unit, the identification of the first entity associated with the first telecommunication stream; and generating, at the session interface, the link between the session and the first telecommunication signalling stream stored in the storage unit by matching an identification of the user, associated with the second entity, that is accessing the session to the identification of the first entity stored in the second storage unit and then further matching this to the first telecommunication signalling stream stored in the storage unit and associated with the identification of the first entity. In this manner, the method advantageously enables improved integration possibilities with the systems of the second entity.

Optionally, the method further comprises storing, at the second storage unit, a timecode associated with at least one of the first API request and the second API request and wherein the generating, at the session interface, the link between the session and the first telecommunication signalling stream stored in the storage unit is based at least in part on the timecode. This advantageously enables the method to improve the accuracy of the linking process, for example where multiple call records may be held for a given customer.

Optionally, the first telecommunication signalling stream and the second telecommunication signalling stream comprise in-band signalling streams, preferably dual-tone multi-frequency (DTMF) signalling. This advantageously enables the system to handle commonly used signalling means for audio communications.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described, by way of example only, and with reference to the accompanying drawings, in which:

Figure 1 is an example of a system according to the first aspect of the disclosure;

Figure 2 is a process flow for an agent to link a call, using a PIN link, to DTMF events entered by a customer and to complete a transaction using these DTMF events; and

Figure 3 is an example of a system according to a further aspect of the disclosure.

DETAILED DESCRIPTION

Figure 1 is an example of a system 10 according to the first aspect of the disclosure, wherein the system 10 comprises a first communications interface 12, a second communications interface 14, a storage unit 16 and a session interface 18. The first communications interface 12 is configured to be in data communication with a first entity 20, in particular a customer 22. For example, a telephone call of the customer 22 may be connected to the first communications interface via a public switched telephone network (PSTN).

The telephone hardware used by the customer 22 may be enabled for use with telecommunication signalling, for example in-band communication and in particular dual-tone multi-frequency (DTMF) signalling. In this manner, the telephone call connection between the customer 22 and the first communications interface may be referred to generally as an audio communication wherein the audio communication comprises a first telecommunication signalling stream 24 and a first voice stream 26. Whilst the first telecommunication signalling stream 24 and the first voice stream 26 are depicted in Figure 1 with separate lines, these data streams will typically be transmitted together over the same communication channel and in the same band.

Once the audio communication channels 24, 26 from the first entity / customer have been received at the first communications interface 12, the first communications interface splits or partitions the audio communication into the respective first telecommunication signalling 24 and the first voice 26 streams. The first communications interface 12 then sends the first voice stream 26 to the second communications interface 14 over a communication link 28 and the first telecommunication signalling stream 24 to the storage unit 16 over a communication link 30. In this manner, the first telecommunication signalling stream 24 may be stored in the storage unit 16 for later use. Because the first telecommunication signalling stream 24 may comprise sensitive identification or authentication data, the system may cause the data stored in the storage unit 16 to be deleted or overwritten once the data has fulfilled its identification or authentication purposes. In particular, the storage unit 16 may be a cache for temporarily storing the data.

The second communications interface 14 is configured to be in data communication with a second entity 32, in particular a user / agent 34 associated with the second entity, for example an employee of the second entity that works as a call handling agent. The telephone hardware used by the agent 34 may also be enabled for use with telecommunication signalling, in particular DTMF signalling. In this manner, the audio communication between the agent 34 and the second communications interface 14 may comprise a second telecommunication signalling stream 36 and a second voice stream 38. Again, whilst the second telecommunication signalling stream 36 and the second voice stream 38 are depicted in Figure 1 with separate lines, these data streams will typically be transmitted together over the same communication channel and in the same band.

At this point, it is worth noting that the first entity is not necessarily always the initiator of the audio communications, i.e. the telephone call between the first entity (customer) and the second entity (company / their agent). In particular, the second entity may initiate an outbound telephone call from the agent of the company to a first entity customer. Accordingly, references to "first" and "second" should be understood merely to differentiate between different entities and not to imply any temporal order of any steps associated with the entities or other referenced items.

Once the audio communication channels 36, 38 from the agent 34 have been received at the second communications interface 14, the second communications interface splits or partitions the audio communication into the respective second telecommunication signalling 36 and second voice 38 streams. The second communications interface 14 then sends the second voice stream 38 to the first communications interface 12 over the communication link 28 and sends the second telecommunication signalling stream 36 to the storage unit 16 over a communication link 40. In this manner, the second telecommunication signalling stream 36 may be stored in the storage unit 16 for later use.

It has been described that the first communications interface 12 partitions the audio communications from the first entity into a first telecommunication signalling stream and a first voice stream and that the second communications interface 14 partitions the audio communications from the second entity into a second telecommunication signalling stream and a second voice stream; however, in an optional embodiment both steps of partitioning may be carried out in the first communications interface 12 or alternatively the second communications interface 14. Alternatively, the first communications interface 12 and the second communications interface 14 may be integrated into a single communications interface that performs the functions described for both communications interfaces, as will be appreciated by the skilled person.

The agent 34 may also interact with the front end of a session interface 18, in particular a web API interface that is configured to host an API session accessible by the agent 34 over the internet using a set of credentials assigned to the agent 34 and a web connection 42. The web API interface 18 may obtain data from the agent 34 via the web connection 42 and may obtain data from the storage unit 16 via the data connection 44. The web API interface 18 may enable the processing of the data input by the customer 22 using DTMF signalling, as will be described in more detail below.

An exemplary embodiment of the processing of a call from a customer 22 to an agent 34 using the system 10 will now be described in further detail. First, the call, or audio communications, must be established between the first and second entities, e.g. the customer 22 and the agent 34. The direction of the call may be inferred by the source of the initial call data to the system 10. If the call is inbound, i.e. from the customer (first entity) to the agent (second entity), then the call will be routed over a PSTN to one or more Session Border Controllers (SBCs) that may control the signalling between the PSTN and the network of the system 10 and the Session Initiation Protocol (SIP) will originate from the SBC.

Alternatively, if the call is outbound, i.e. from the agent (second entity) to the customer (first entity), and the company phone network is hosted by the system 10 or a system linked to the system 10, then the call may originate from a gateway within the system 10 itself. If the company phone network is not hosted locally by the system 10, then it is preferably assumed that the call is an inbound call. Knowing the direction of the call may aid in the classification and handling of the DTMF signalling data that is recorded from the first and second entities.

Inbound calls are preferably load balanced, over a plurality of gateways, by the one or more SBCs. The gateway then places the call in a holding pattern for the initial processing of the call to be performed. A periodic tone is preferably played to the initiating caller to indicate that the call is being processed, authenticated and routed; this typically takes around one second to complete. An event is then generated and sent to the main processing unit, which may be referred to herein as the TACS. This TACS processor is not shown in Figure 1, but controls the processing and flow of data within the system, in particular the processing and flow of data between the first communications interface 12, the second communications interface 14 and the storage unit 16. The generated event preferably comprises an identification of the number called (e.g. the direct inbound dial number), a unique ID for use by the system, an internal channel ID, an identification of the caller (e.g. the caller ID number) and the direction of the call. DTMF signalling data received at the first communications interface 12 and the second communications interface 14 may then be partitioned out from the respective audio communications and sent to the storage unit 16, via the TACS processor, for storage as DTMF events.

In one embodiment, the system 10 may only process calls for companies 32 that are registered with the system 10. Accordingly, the direct inbound dial number may be crosschecked in a database of users of the system 10 at the point that the first event is received. If the number is not recognised, then the system 10 may cause the call to be terminated. Otherwise, a call object is preferably created and the corresponding data stored in the storage unit 16 (or a further storage unit). The call is then taken out of the holding pattern. Next, the call is routed to the destination company 32 in the normal manner, however all DTMF events will have been suppressed and prevented from being routed to the company 32. This prevents the sensitive DTMF data from reaching the destination company 32 as a whole as well as preventing the sensitive DTMF data from reaching the specific agent 34 associated with the company 32 that has picked up the call for handling. Moreover, the sensitive DTMF data will also be blocked from any intermediary networks of carriers between the system 10 and the company 32. In this manner, the system 10 also acts to prevent any unauthorised wiretaps between the carrier and the Private Branch Exchange (PBX) or the agent 34. This is especially beneficial in the context of the provision of Voice over Internet Protocol (VoIP) technology services, since the voice channel is often transmitted across a public network, such as the internet, without any encryption. The system described prevents the DTMF data from being accessible in such a public network whilst avoiding the need for encryption services, which in turn would require significant additional costs and high overheads. At this stage, DTMF events will be captured by the system 10 and buffered for the call in the storage unit 16, which may be in the form of a cache storage. 
DTMF signalling may be detected by monitoring for the start and stop packet pair in the Real-time Transport Protocol (RTP), for example using the mechanism of the RFC2833 standard. If this is not successful, then simple in-band tone detection may be used to ensure that any missed DTMF tones are filtered out. As mentioned above, DTMF signalling is then raised as an event and passed to the TACS processor.
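
Added example (not part of the patent text): a Python partitioner for the RFC 2833 path described above, which forwards voice packets and withholds every telephone-event packet, raising one DTMF event per key press. The payload type 101, the function names and the sample stream are assumptions constructed for illustration; the in-band tone-detection fallback is not covered.

```python
import struct
from typing import NamedTuple

TELEPHONE_EVENT_PT = 101  # assumption: dynamic payload type agreed in SDP
PCMU_PT = 0               # static payload type for G.711 mu-law voice
EVENT_CHARS = "0123456789*#ABCD"  # RFC 2833 DTMF event codes 0-15


class DtmfEvent(NamedTuple):
    ssrc: int
    timestamp: int  # RTP timestamp shared by every packet of one key press
    char: str
    duration: int   # in RTP timestamp units (8000 per second for PCMU)


def build_rtp(pt, seq, ts, payload, marker=False, ssrc=0x1234ABCD):
    """Build a minimal RTP packet (version 2, no CSRC list, no extension)."""
    second = (0x80 if marker else 0) | pt
    return struct.pack("!BBHII", 0x80, second, seq & 0xFFFF, ts, ssrc) + payload


def parse_rtp(packet):
    """Return (payload_type, timestamp, ssrc, payload); raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, _seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)          # skip the CSRC list
    if b0 & 0x10:                           # header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    if offset > len(packet):
        raise ValueError("truncated RTP header")
    return b1 & 0x7F, ts, ssrc, packet[offset:]


def partition(packets):
    """Split a packet sequence into (voice packets to forward, DTMF events to store)."""
    voice, events, finished = [], [], set()
    for raw in packets:
        try:
            pt, ts, ssrc, payload = parse_rtp(raw)
        except ValueError:
            continue  # fail closed: unparseable packets are never forwarded
        if pt != TELEPHONE_EVENT_PT:
            voice.append(raw)
            continue
        # From here on the packet is signalling and is never added to `voice`.
        if len(payload) < 4:
            continue
        event, flags, duration = struct.unpack("!BBH", payload[:4])
        key = (ssrc, ts)
        # The end packet (E bit) is normally sent more than once; raise the
        # event on the first copy only. A lost start packet does not lose the digit.
        if flags & 0x80 and key not in finished and event < len(EVENT_CHARS):
            finished.add(key)
            events.append(DtmfEvent(ssrc, ts, EVENT_CHARS[event], duration))
    return voice, events


def sample_stream():
    """Constructed sample: 20 ms PCMU frames with key presses '4' and '2' between them."""
    pkts, seq, ts = [], 0, 0

    def voice_frame():
        nonlocal seq, ts
        pkts.append(build_rtp(PCMU_PT, seq, ts, b"\xff" * 160))
        seq, ts = seq + 1, ts + 160

    def key_press(code):
        nonlocal seq, ts
        steps = [(160, False), (320, False), (480, True), (480, True), (480, True)]
        for i, (duration, end) in enumerate(steps):
            body = struct.pack("!BBH", code, (0x80 if end else 0) | 10, duration)
            pkts.append(build_rtp(TELEPHONE_EVENT_PT, seq, ts, body, marker=(i == 0)))
            seq += 1
        ts += 480

    for step in (voice_frame, voice_frame, lambda: key_press(4),
                 voice_frame, lambda: key_press(2), voice_frame):
        step()
    return pkts


if __name__ == "__main__":
    forwarded, dtmf = partition(sample_stream())
    print(len(forwarded), "voice packets forwarded;", len(dtmf), "DTMF events stored")
```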

Optionally, comfort tones or a warble sound may be inserted into the first or second voice stream, which is passed to the agent 34 or the customer 22 respectively, so that the individuals may be reassured that the press of a given key has been successful and has not resulted in an error, such as a double press of the key when only one press was intended. Where the mechanism of the RFC2833 standard was used, the start and stop packets are not maintained or replaced into the RTP stream. Importantly, the comfort tone does not bear any resemblance or connection to the alphanumeric character identified by a DTMF signalling event that the comfort tone is being used to replace.

Once an agent 34 has answered the call, the agent may speak to the customer 22 and follow the company's call handling processes. For example, the agent may generate an order or quote, or begin some other transaction. Once the process being carried out by the agent 34 is ready for the customer's sensitive data to be input using DTMF signalling, the agent 34 may log in to the session interface 18 and create a web socket connection to the session interface 18. The session interface 18 preferably maintains an Application Programming Interface (API) connection to the storage unit 16 in order to enable real-time updates during the (web) session without the need to poll the RESTful web services. In order for the web session created on the session interface 18 by the agent 34 to obtain the DTMF event data, it is necessary for the web session and the DTMF events, or the audio communications call that the DTMF events originated from, to be linked in some manner. In one embodiment, this linking of the web session and the DTMF events may be carried out substantially automatically. This may be facilitated where the telephone network of the company 32 is hosted by the system 10 and where auto link has been enabled by the company 32. In such a scenario, a unique Auto Link ID may be generated for the audio communications call. Preferably, this Auto Link ID is generated during the processing of the call, whilst the call is in the holding pattern discussed above. Optionally, this Auto Link ID may be passed through to the end user by packaging the Auto Link ID in a SIP header. Once the call has been answered by the agent 34, the auto link module may be able to identify the extension number of the agent 34 that answered the call and may then send an API request to the session interface 18 comprising the extension number of the agent, the caller ID and the Auto Link ID. 
The API request is mapped to the customer 22 by looking up the extension number of the agent in the records shared by the company 32. The Auto Link ID can then be inserted into the storage unit 16 with the agent 34 and company 32.

The auto link module then sends a request via the web socket to check whether an Auto Link ID has been logged for the identified agent 34. The storage unit 16 is queried and a new Unique Link ID is generated and stored in the storage unit 16 if a single entry is found in the storage unit 16, wherein the Unique Link ID is a globally unique code that will be used to identify the session from this point onwards. A link command is then sent, with the Auto Link ID, to the TACS processor to request the auto link. If no entries are found, or alternatively if multiple entries are found, then the process is considered to have failed and the auto link module aborts the process.

On the TACS processor, the Auto Link ID is checked against the list of calls that are in progress. If no match is found, or a match is found but it has already been linked to another agent 34 or belongs to another company 32, then a failed response is returned.

If a valid match is found then the call is linked and a success response is returned along with the session and call data in response to the API call. The call is then linked by receiving and relaying the response back to the session interface 18 via the web socket and registering the Unique Link ID to the Web Socket Session, so that any further updates for the Unique Link ID can be matched and passed to the correct web socket. A message is then displayed to the agent 34 at the session interface front end indicating that the call was automatically linked.

In a further embodiment, the call may be linked using an alternative method, which may be referred to as the PIN link method and will be described with reference to Figure 2. Figure 2 provides a process flow for an agent 34 to link a call to DTMF events entered by the customer 22 and to complete a transaction using these DTMF events. As described with reference to the Auto Link method, the agent 34 logs into a web interface as shown in step 201. At steps 202 and 203, the agent 34 waits to receive a call from a customer 22 and then answers the call. At step 204, the agent begins the PIN link process by requesting for the web interface to generate a PIN link code. The session interface 18 then generates this random, single use PIN link code, stores the PIN link code in the storage unit 16 and displays it to the agent 34 at the web interface. The PIN link code may be between 4 and 8 digits in one embodiment. The system 10 also generates a globally unique 'Unique Link ID' to be used to refer to the present session from here on.

A Link Command is then sent to the TACS processor and the PIN link code is added to an active PIN list. This list is checked every time a DTMF event is generated by an entry of the agent 34 in order to look for new matches. On the web interface, the PIN link code is displayed and the agent 34 is prompted to dial the PIN link code in on their handset. As the PIN link code is entered at step 205, corresponding DTMF events are transmitted over the telephone network and captured at the system 10. When new DTMF is detected, it is either placed into a new bucket or added to an existing bucket of the plurality of buckets corresponding to each active call. The updated aggregate data of the bucket is then checked against the list of active PINs for a match. The data may be aggregated, or built up, by the system 10 one character at a time in a temporary storage, such as a RAM or other temporary cache memory.

In this manner, the system 10 provides the agent 34 with a unique PIN to be entered into the agent handset using DTMF signalling. This unique PIN is then detected as a corresponding DTMF event, which is grouped with the other DTMF events that have been received for that call. This means that the web session can be linked, by the unique PIN, to the group of DTMF events that have been received and added to the bucket corresponding to the given active call. Once the system 10 has found a match and the link data has been recorded, the PIN link code can be removed from the active PIN list.
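
Added example (not part of the patent text): the PIN link matching described above, with an active PIN list, one bucket per active call fed only from the agent leg, and removal of the PIN once it has linked a call. The class and method names, the suffix match on the bucket and the check that the PIN and the call belong to the same company are assumptions made for this illustration.

```python
import secrets
import uuid


class PinLinker:
    """Links an agent's web session to an active call through a single-use PIN."""

    MAX_PIN_DIGITS = 8  # the page gives 4 to 8 digits for one embodiment

    def __init__(self, pin_digits=6):
        if not 4 <= pin_digits <= self.MAX_PIN_DIGITS:
            raise ValueError("PIN link code must be 4 to 8 digits")
        self.pin_digits = pin_digits
        self.active_pins = {}   # pin -> (unique_link_id, agent, company)
        self.call_company = {}  # call_id -> company the call was routed to
        self.buckets = {}       # call_id -> digits keyed on the agent leg
        self.links = {}         # call_id -> unique_link_id

    def register_call(self, call_id, company):
        """Create the call object once the dialled number has been recognised."""
        self.call_company[call_id] = company
        self.buckets[call_id] = ""

    def request_pin(self, agent, company):
        """Step 204: generate a random PIN that is unique among the active PINs."""
        while True:
            pin = "".join(secrets.choice("0123456789") for _ in range(self.pin_digits))
            if pin not in self.active_pins:
                break
        unique_link_id = str(uuid.uuid4())
        self.active_pins[pin] = (unique_link_id, agent, company)
        return pin, unique_link_id

    def on_agent_dtmf(self, call_id, char):
        """Add one agent-leg DTMF character to the call's bucket and look for a match.

        Returns the Unique Link ID when the bucket completes an active PIN, else None.
        """
        if call_id not in self.call_company or call_id in self.links:
            return None  # unknown call, or call already linked to a session
        # Keep only as many characters as the longest possible PIN.
        bucket = (self.buckets[call_id] + char)[-self.MAX_PIN_DIGITS:]
        self.buckets[call_id] = bucket
        for pin, (unique_link_id, _agent, company) in list(self.active_pins.items()):
            # Assumption: a PIN issued to one company's agent may only link
            # a call that was routed to that same company.
            if bucket.endswith(pin) and company == self.call_company[call_id]:
                del self.active_pins[pin]      # single use: remove from the active list
                self.links[call_id] = unique_link_id
                self.buckets[call_id] = ""     # the PIN digits are not kept
                return unique_link_id
        return None

    def dial(self, call_id, digits):
        """Feed a digit string one character at a time; return the link ID if one is made."""
        for char in digits:
            unique_link_id = self.on_agent_dtmf(call_id, char)
            if unique_link_id is not None:
                return unique_link_id
        return None


if __name__ == "__main__":
    linker = PinLinker()
    linker.register_call("call-B", "acme")           # constructed call and company names
    pin, link_id = linker.request_pin("agent-7", "acme")
    print("linked:", linker.dial("call-B", pin) == link_id)
```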

In an alternative embodiment, the PIN link may be a static PIN rather than a one-time use PIN, for example the PIN may be a number that has been assigned to the agent 34 and is used for the linking of recorded DTMF events to any web session that has been activated using credentials corresponding to the relevant agent 34. However, the use of a one-time use PIN means that the session can be extended and agents will be able to handle more than one call at any one moment in time, for example by putting one or more customers 22 on hold whilst they are entering their data or undertaking other activities. Once the link process has been completed, the web interface will indicate that the web session has successfully been linked to the call as shown at step 206 and the initial session objects and updated session objects will then be stored in the storage unit 16 to keep the web interface up-to-date as any new information is entered. With the PIN link completed, the process flow may then continue as set out below. The following process also continues at the point where the auto link has been established.

The system 10 preferably shares the Unique Link ID over multiple gateways in the network infrastructure such that any network device that may receive part of a call in progress can identify and sustain the linked call and web session between the customer 22 and the agent 34 in the event of a device failure.

In particular, at step 207 the agent 34 may begin filling in data relating to the transaction. In the example of Figure 2, this transaction is a payment transaction, however the invention may be applicable to all data capture of alphanumeric characters. For example, this may include account numbers, payment card data, passport number, driver's license number, National Insurance number or social security number.

The agent 34 may explain the process to the customer at step 208 and then start a transaction at step 209 by clicking "capture" on a field that requires data entry from the customer 22, in this illustration the card number. Other transaction details, such as the amount due, postcode, name on the card etc. may have already been entered by the agent 34. Optionally, some or all of this additional data may be input directly from the company's Client Relationship Management systems.

Step 209 triggers an AJAX request to the session interface 18 that sends a REST request with the name of the field to capture into and sends a command to the TACS session interface with the Unique Link ID and the field to capture data into. Captured DTMF event data from the same time period is then moved from the relevant bucket to the field named in the request. Further DTMF captured on the call may also be concatenated to this field.

These updates are passed back to the session interface 18 as they are received and the agent 34 will be able to see an '*' on their web interface and hear a disguised tone or warble (as a mask instead of the real DTMF data) as the customer enters the digits via a DTMF touch tone as shown in steps 210 to 212. If no asterisks or progress is evident, the agent may discuss this with the customer 22 at step 213. Once the data field has been completed, the system may perform a check to identify if the field has been entered correctly, for example by applying a mask to the data input. The process can then be repeated for other fields of sensitive data, for example the CV2 number as shown in step 215.

Once all of the data has been input, at least for the current data field, the confirmation button may be pressed as shown in step 216 and the system 10 may wait for the transaction to complete. Depending on the nature of the transaction, the data may be sent from the system 10 to an external services provider, for example a Payment Services Provider (PSP). The agent 34 does not directly or indirectly input or receive any card details corresponding to the customer 22, but the agent can see the progression of the keyed inputs processed by the customer 22 as incremental hashed or masked digits on their computer screen. If the transaction is determined to be successful at step 218, then the call may be ended at step 219. All of the sensitive DTMF data may also be deleted from the storage unit 16, which may be a cache storage memory, at this stage.

Alternatively, the transaction may be reset, as shown in steps 220 and 221, if the transaction is determined to not have been successful in step 218.

In a further embodiment, the call may be linked using a further alternative method, which may be referred to as the application link method and will be described with reference to Figure 3. Figure 3 illustrates a further example system according to the first aspect of the disclosure, wherein the system comprises a first communications interface 12, a second communications interface 14, a storage unit 16 and a session interface 18 performing the functions described with reference to Figure 1. In Figure 3, a processing unit 200 has also been displayed; this processing unit 200 is configured to process the flow of information between the first communications interface 12, the second communications interface 14, the storage unit 16 and the session interface 18 and may optionally be considered to be implicit in the system 10 of Figure 1. Figure 3 further illustrates that an application 302 is installed within the systems of the first entity 20 for interaction with the customer 22 and that an application 304 is installed within the systems of the second entity 32 for interaction with the agent 34. For example, the application 302 may be installed on a smartphone of the customer 22 and the application 304 may be installed in the systems of the agent 34 / second entity 32 using a computer telephony integration client. Moreover, the system of Figure 3 further includes a call link system 300 comprising a second storage unit 306, a customer interface 308 and an agent interface 310.

The customer interface 308 is configured to be in data communication with the first entity 20, in particular the application 302 of the first entity 20, and the agent interface 310 is configured to be in data communication with the second entity 32, in particular the application 304 of the second entity 32. This data communication may use any known wired or wireless communication, such as a Local Area Network, a Wide Area Network, a cellular network or the internet. Further suitable data communication methods will also be known to the skilled person. Moreover, the customer interface 308 and the agent interface 310 are configured to be in communication with the second storage unit 306 of the call link system 300 and to read and write data from and to the second storage unit 306.

In this system, the customer 22 and the agent 34, or corresponding business / second entity 32, register an account on the call link system 300 identifying any telephone numbers associated with the customer or agent / business respectively that are to be used with the call link system 300. These identifications of telephone numbers are preferably stored in the second storage unit 306. Optionally, this identification of the relevant telephone number may be stored in the form of a hash rather than in the plaintext form of the telephone number. This step provides additional security since the plaintext telephone number is not stored in the call link system 300.

Preferably, when registering telephone numbers with the call link system 300, one or more known validation methods are used to ensure that the telephone number identified is in the control of the person registering with the call link system 300. For example, a call back to the same number may be used, during which a password, PIN or similar is input.

When a telephone call is initiated, received or otherwise established at a call handset of either the customer 22 or the agent 34, the respective installed application 302, 304 sends an API request 314, 316 containing an identification of the number that has been dialled (or is identified in the caller identification for an incoming call) to the call link system 300 via the customer interface 308 or the agent interface 310. Again, optionally it is a hash of the number that is contained in the API request 314, 316. The API request 314, 316 also contains an identification of the customer or agent that the API request originates from. This may be in the form of an account registration number, a unique identification of the associated telephone number, the plaintext associated telephone number, a hash of the associated telephone number or other identification methods that will be apparent to the skilled person from the present disclosure. The respective information contents of the API requests 314, 316 are then preferably stored as records in the second storage unit 306 of the call link system 300.

These records preferably include a timecode linked to each API request 314, 316. For example, this time code may be added by the customer interface 308 or agent interface 310 to indicate the time that the respective API request is received, or alternatively the timecode may be included in the API request to indicate either the time that the API request was generated or the time that the telephone call was initiated or received. Accordingly, if a telephone call is successfully established between a customer 22 and an agent 34 who are both registered with the call link system 300 and logged into the respective applications 302, 304, then there should be a pair of corresponding records stored in the second storage unit 306 of the call link system 300 with timecodes that are substantially the same, i.e. within a given time period of each other. This pair of corresponding records allows the call link system 300 to validate the integrity of the respective API requests.

The identifications may optionally be marked in the second storage unit 306 as being associated with an active call. The telephone call then progresses as normal, with the agent 34 and the customer 22 discussing the need for sensitive information, such as payment information or personally identifying information, to be input, for example by using DTMF tones.

The agent 34 will also be in the process of automatically and/or manually populating the relevant fields for the transaction between the customer 22 and the agent 34 or business 32 in the session interface 18. For example, in a payment transaction this may include the payment amount as well as other information, such as an address that a payment card may be registered to. The session interface 18 will also be aware which agent 34 is logged into the session hosted by the session interface 18. During, or at the end of, the process of entering the transaction details by the agent 34, the agent may trigger a link via the session interface 18. The communication 43 triggering the link process preferably includes a timecode indicating either the time the telephone call was established or the time the agent API request 316 was sent.

In response to this, the session interface 18 may cause the processing unit 200 to query the second storage unit 306 for records that comprise the identification of the agent 34 and have a corresponding timecode within a given accuracy. Where the identifications are marked in the second storage unit 306 as being associated with an active call, the query of the second storage unit 306 may be limited only to records comprising an association indicating an active call.

If a match is found from the records in the second storage unit 306, then the processing unit 200 will have identified a link between the specific agent 34 that is logged into the session of the session interface and the indication of the customer telephone number. The processing unit 200 may then proceed to query the storage unit 16 to identify a record of a corresponding telephone call that matches the identification of the customer telephone number. In this regard, it is noted that the first communications interface 12 will be able to identify the telephone number of the customer 22 from either the customer's caller ID (for a telephone call initiated by the customer 22) or the dialling number processed through the system 10 (for a telephone call initiated by the agent 34 of the business / second entity 32).
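
Added example (not part of the patent text): the application link lookup described above, pairing the agent and customer API request records by hashed telephone number and timecode before looking up the call in the storage unit 16. The record fields, the five-second window, the keyed hash and all sample numbers are assumptions constructed for this illustration; the page specifies only "a hash" and "a given time period".

```python
import hashlib
import hmac
from dataclasses import dataclass

HASH_KEY = b"constructed-demo-key"  # assumption: a keyed hash stands in for the page's "hash"
WINDOW_S = 5.0                      # assumption: the page says only "within a given time period"


def number_id(number):
    """Identify a telephone number by a keyed hash of its digits, not by its plaintext."""
    digits = "".join(c for c in number if c.isdigit())
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class ApiRecord:
    """One API request as stored in the second storage unit 306."""
    side: str          # "customer" or "agent"
    sender_id: str     # account or agent identification
    own_number: str    # hashed number of the sender's side of the call
    peer_number: str   # hashed number dialled or shown as caller ID
    timecode: float    # seconds; set by the interface on receipt
    active: bool = True


def find_call_for_session(records, calls, agent_id, trigger_time, window=WINDOW_S):
    """Return the call ID to link to the agent's session, or None if the link fails.

    `calls` maps call ID to the hashed customer number seen by the first
    communications interface (storage unit 16). Any missing or ambiguous match
    fails, so the caller can retry with another method such as the PIN link.
    """
    agent_records = [
        r for r in records
        if r.side == "agent" and r.active and r.sender_id == agent_id
        and abs(r.timecode - trigger_time) <= window
    ]
    pairs = []
    for a in agent_records:
        for c in records:
            # A valid pair names each other's numbers and was received close in time.
            if (c.side == "customer" and c.active
                    and c.own_number == a.peer_number
                    and c.peer_number == a.own_number
                    and abs(c.timecode - a.timecode) <= window):
                pairs.append((a, c))
    if len(pairs) != 1:
        return None
    customer_number = pairs[0][1].own_number
    matches = [call_id for call_id, number in calls.items()
               if hmac.compare_digest(number, customer_number)]
    return matches[0] if len(matches) == 1 else None


def sample_data():
    """Constructed sample records and calls; the numbers are illustrative only."""
    business = number_id("+44 20 7946 0000")
    cust_a = number_id("+44 7700 900123")
    cust_b = number_id("+44 7700 900456")
    records = [
        ApiRecord("agent", "agent-7", business, cust_a, 1000.0),
        ApiRecord("customer", "cust-A", cust_a, business, 1001.2),
        ApiRecord("agent", "agent-9", business, cust_b, 1000.3),  # no customer record
        ApiRecord("agent", "agent-7", business, cust_b, 400.0, active=False),  # ended call
    ]
    calls = {"call-1": cust_a, "call-2": cust_b}
    return records, calls


if __name__ == "__main__":
    recs, active_calls = sample_data()
    print(find_call_for_session(recs, active_calls, "agent-7", 1000.5))
```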

If a corresponding match is also found in the storage unit 16 then the processing unit 200 records a link between the data stored for the call and the session of the session interface. The customer 22 may then be prompted to enter the sensitive information, for example using their keypad to generate DTMF tones that can be processed in the manner described in more detail above with respect to Figures 1 and 2. Alternatively, the DTMF tone data may already have been stored in the storage unit 16 from input that the customer 22 may have already entered by this stage; again, the processing of this DTMF data may then proceed in the manner described in more detail above with respect to Figures 1 and 2.

When the telephone call ends, a similar API request is made with the same information. If the call link system determines that this information has already been marked as being associated with an active call then the corresponding data in the active call list may be deleted or alternatively moved to an ended calls list. If the call link system 300 is not successful in establishing a link, then the system 10 may retry using an alternative linking method, such as the PIN link method described above.

Whether the call is inbound or outbound, the system operates by detecting the incoming customer originated DTMF tones and diverting these data events for processing directly to a processing application and gateway. This means that no customer DTMF tones are passed to the company 32 or agent 34, nor do these data packets ever touch the company's IT infrastructure or environment. The customer will hear their own handset DTMF tones and the agent will hear DTMF tones from their handset when they key in the session link-code, or initiate an outbound call. Moreover, DTMF tones and events are not recorded on call recordings or audio recorded backups carried out by the company 32.

As set out above, the invention of the following claims enables companies 32 to take sensitive authentication or identification details from customers 22 over the telephone using the touch-tones keyed by the customer on their telephone handsets without the need for any mode switching or additional hardware components at the company's end. This is both a way of securing and limiting the applicability of the General Data Protection Regulation and Data Protection Act with respect to the data handling by the company 32 and a way of reducing the scope of any other industry standard data handling compliance responsibilities. This eliminates the need for encoding or decoding devices or software to be installed at the agent's desk or workstation or in the back office IT infrastructure of the company 32. In one example, this authentication data may relate to card payment or bank account details and the compliance requirements of PCI-DSS; however, other examples of uses include authentication / identification data such as one or more characters from a password or phrase, or other identifying number and corresponding industry standard data handling requirements.