6 Strategies for Achieving PCI Compliance in the Contact Center

In our last post, we discussed some of the challenges of maintaining regulatory compliance in the age of remote work. We used the Payment Card Industry Data Security Standard (PCI DSS) as an example. As organizations work to ensure compliance with the latest version, PCI DSS 4.0, they must extend those efforts to offsite staff. PCI DSS applies to remote workers who access, store, process or transmit cardholder data.

It also applies to the contact center if agents take payment card information over the phone. Complying with PCI DSS mandates is critical to preventing fraud and data exposure. It also provides the foundation for compliance with other regulations such as HIPAA, PIPEDA and state privacy laws.

As we noted in our last post, the people, processes and technologies that could impact the security of cardholder data must comply with PCI DSS. The contact center is fraught with risks for noncompliance given the diverse systems and communication channels involved. Remote work has made compliance more difficult, with agents spread across multiple locations. Organizations need a layered strategy to ensure that cardholder data is protected.


Develop a Plan

As an initial step, organizations should determine which regulations they must comply with and whether any rules have changed since the last audit. They should then assemble a compliance team with expertise in these regulations and the contact center environment. The team should develop processes for assessing systems, policies and procedures against compliance requirements, then develop a plan for closing any gaps.

PCI DSS version 4.0 introduces new requirements, including stronger authentication, anti-phishing measures, and enhanced security for data in transit, posing challenges for remote work compliance.


Secure the Technology

Organizations should ensure that their networks are secure. Firewalls should restrict access between systems that store or process cardholder data and the Internet. Data should be encrypted at rest and in transit to prevent exposure. Role-based access controls should ensure that only authorized users can view sensitive information. Access should be restricted to only those who need it to do their jobs.


Redact Recorded Calls

Recorded calls are subject to PCI DSS requirements, just like any other means of capturing and storing cardholder data. Some call recording systems enable agents to pause the recording when the customer provides credit or debit card information. Others use speech analytics to pause the recording automatically while storing the information in the CRM. Automated systems that prevent the recording of cardholder data are not within the PCI scope.


Train Agents in PCI Requirements

Agents who handle payment card information should be trained in PCI-compliant procedures. Training should cover how to verify the customer’s identity, what information to collect, and how to use technology appropriately. It should stress that agents should never write down any payment card data. The emphasis should be on protecting the customer first, with protecting the organization as a secondary objective.


Implement Physical Security Controls

In a physical contact center environment, organizations should restrict access to areas of the building where payment card data is maintained. Security cameras and other controls may also be appropriate. Agents should not be allowed to bring their personal mobile devices into these restricted areas. Agents who work from home should ensure that family members and guests cannot access sensitive systems and data.


Partner with a Qualified Technology Provider

The right technology provider can be an invaluable partner in contact center compliance. Global Data Systems offers a cloud-based contact center solution that delivers enterprise-class capabilities and the highest levels of security. The solution is backed by our monitoring, management and support services to ensure performance and reliability. We also provide a range of security services to protect your entire IT environment. Let us help you meet regulatory requirements and secure your operations against the latest threats.
