Compliance Introduction

Regulatory compliance has become the new normal. The growing body of rules aimed at protecting consumers in their dealings with contact centers will affect those centers whether or not they are prepared.

While there are several reasons for this, the focus has been on the news that millions of consumers have had their credit card information stolen in recent security breaches, so companies must tighten up their Payment Card Industry (PCI) compliance. It is a myth that PCI originates with the government, as HIPAA does. The card brands created PCI and they enforce it. It is designed to safeguard the handling of cardholder information and protect customers from identity theft. The five major card brands (Visa, MasterCard, American Express, Discover and JCB) published the first Payment Card Industry Data Security Standard (PCI DSS) in 2004 and founded the PCI Security Standards Council in 2006 to maintain it. For contact centers, this means that sensitive authentication data, such as the card verification code (CVV2/CVC2/CID) and the PIN, cannot be stored after authorization, even encrypted.
Merchants who process, transmit or store payment card data are required by their card brand and acquirer agreements to comply with PCI DSS, but PCI is not a law.
The card brands created PCI and its rules to help prevent payment card fraud, since they ultimately bear the losses from it. The PCI Security Standards Council, an independent body, was established to manage the standard. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as any other entity that stores, processes or transmits cardholder data. That includes contact centers that accept credit cards for payment.

PCI Certification

The card brands oversee the enforcement of PCI compliance. They decide how a contact center's compliance is verified and how non-compliance is penalized.

There are two main ways contact centers are asked to demonstrate PCI compliance: they either attest compliance by completing a Self-Assessment Questionnaire (SAQ), or they may be required to undergo a full on-site assessment, resulting in a Report on Compliance, by a certified third-party security assessor known as a Qualified Security Assessor (QSA). The acquiring bank determines which form of validation it will accept, usually based on the merchant's transaction volume.
From the contact center's perspective, each reporting style has advantages and disadvantages. Self-assessment may seem less daunting, but it leaves room for error, including simple misinterpretation of the requirements, and it lacks the credibility of a third-party audit. Who doesn't give themselves a great evaluation!
Third-party audits take more time, money and energy, but they give a contact center (and its bank) more certainty that the site is actually in compliance. Contact centers should consider what each style of reporting would require of their business and discuss the choice with their acquiring bank.

Long-Term Compliance

Complacency is the enemy when it comes to long-term compliance.

Too many organizations put compliance processes and procedures in place, install hardware and software, and forget about it until there is a breach. Then everyone looks around to work out how the breach could possibly have happened. To avoid becoming a headline, regularly monitor and test the network: track and log all access to network resources and cardholder data, and test security systems and processes (PCI DSS Requirements 10 and 11). Put the testing on a strict schedule and make time to do it. The IT team is often busy putting out fires, and when it is time to test the security of the infrastructure someone says "later"; later never comes until it is too late. Make time and get it done.
A network is only as strong as its weakest link. Most companies won't work with a vendor that isn't fully PCI compliant, and this includes contact centers. Contact centers exist in every industry, and data protection is every company's responsibility.

Violations and Fines

It is up to the card brands and acquiring banks to manage the compliance process.

When a contact center experiences a security breach and is then found to have been non-compliant with PCI DSS, it may be subject to fines, and those fines can be hefty. Depending on the circumstances, contact centers might pay anywhere from $5,000 to $100,000 every month until all compliance issues are addressed. If the problems are not resolved satisfactorily, the center could even lose its ability to accept cards. The card brands levy these fines on the acquiring bank, which passes them on to the merchant; this is how the brands recover the losses they ultimately bear.


1. Be proactive and take action to protect customers and your company. Don’t wait for an incident.

2. Think ahead. Ask yourself, “What is one more step that we can take towards a higher level of security”?


PCI compliance is every organization's responsibility, and protecting cardholder data has never been more critical. PCI DSS sets the standard for processing, transmitting and storing cardholder data. Users of cardholder data are required to comply with it; although it is not a law, it is good business practice. Organizations spend millions to gain customers, and a single breach can cost them those customers overnight.
The card brands manage the compliance process by requiring self-assessment or third-party audit validation, backed by fines that cover losses incurred by the acquiring banks. Contact centers have call recording controls, network security and role-based access as tools to protect cardholder data and avoid those fines. An enterprise-level hosted contact center platform can typically provide encryption of recordings and other capabilities that a traditional PBX cannot. Get and maintain PCI validation for the good of the customer, the industry and the contact center.

How PCI Impacts the Contact Center

Industry Content Supporter:
Steven Cramer
Sr. Vice President Operations

While most PCI requirements are hardware- and software-related and behind the scenes, the contact center professional comes into play with "Protecting Cardholder Data" (PCI DSS Requirements 3 and 4).

PCI compliance is the biggest compliance burden on the contact center. How can contact centers remain PCI compliant and give customers confidence that their data is protected? Here are five key ways:

1. Call Recording: According to the PCI Security Standards Council, recorded calls are subject to the same rules as any other method of capturing and storing cardholder data. A recording that retains the card verification code after authorization is stored sensitive authentication data and is prohibited even if the recording is encrypted. Enterprise-level contact center platforms provide recording systems in which the agent controls the recording with a button, pausing it when card numbers are spoken.

There are three technologies commonly used in the contact center to keep card data out of recordings:
– Automated "pause and resume" of the recording
– Automated "mute and unmute" of the audio
– Keypad (DTMF) payment by phone, where the caller enters the card number on the handset and the tones are masked from both the agent and the recording
If you don't want agents handling the recording, enterprise-level contact center platforms that integrate with the CRM system can pause the recording automatically based on actions taken by the agent (for example, when the payment field is opened).
Encrypting the audio files adds a further layer of protection, and some enterprise-level platforms offer it. Encrypted recordings with access controls and logged retrieval limit who can pull and replay audio, and limit the damage if the recording store itself is compromised. Encryption is not a substitute for keeping the data out of the recording in the first place, though: sensitive authentication data must not be retained after authorization in any form.
2. Network Security: PCI guidelines cover the entire network. Make sure the network has properly configured firewalls and routers, and a documented internal process that provides layered protection. Restrict all traffic from untrusted networks, and never allow direct access between the internet and any system component that holds cardholder data (Requirement 1). Encrypt cardholder data transmitted across open, public networks (Requirement 4).

3. Role-Based Security: In any contact center environment, agent and supervisor desktops should have role-based logins to limit the number of staff exposed to sensitive data and to ensure that each staff member has access only to what they need to do their job. For example, a sales representative might be able to view customer details but not update or delete them. A team supervisor may be able to view the performance of the team they are assigned to, but should not be able to view the performance of other teams within the same contact center or project.

4. Additional Security Considerations: Beyond role-based security, contact centers should consider every point at which staff come into contact with card data to ensure proper security and compliance. Physical access to areas where sensitive customer and payment data is handled should be restricted (for example, by limiting access to key areas of the building).
Use strong passwords and change them. Make sure all access passwords are strong (a mix of numbers and lower- and upper-case characters, of adequate length) and are changed on a regular schedule, and that accounts are unique to each user so that access to cardholder data can be traced to an individual.
Swap paper for whiteboards. A simple and cost-effective step toward PCI compliance is to remove pens and paper from the contact center floor. Replace them with mini whiteboards that cannot be removed from the desk and are wiped on a regular basis, so no card number survives the call.
Ban mobile phones in the contact center. If agents who handle card payments may not use their mobile phones at their desks, you reduce the chance of sensitive information leaving the contact center via text, phone call or photograph.
5. PCI Compliance Information: Any organization that stores, processes or transmits cardholder data must meet the PCI DSS requirements. The PCI Security Standards Council and many other websites publish the standard, self-assessment questionnaires, checklists, templates and other supporting material. Make sure you know the rules.
With so many transactions now completed from a smartphone or tablet, large-scale security breaches are all too common. If your contact center agents take payments over the phone, adhering to PCI DSS requirements is critical to protecting against fraud and maintaining customer confidence in your business. PCI is just good business.
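The call recording point above says a recording is held to the same rules as any other stored cardholder data. A practical way to verify that pause/resume or DTMF masking actually worked is to scan the text transcript of each recording before it is retained. The scanner below is an added example written for this page; it is not code from the page or from any contact center platform it describes, and it generalizes beyond the page by handling any 13-19 digit PAN rather than one card type. It assumes a speech-to-text transcript as a list of lines, filters digit runs with the Luhn check so order numbers are not flagged, masks PANs to the last four digits, and then looks for a spoken verification code next to a keyword. The keyword list, the masking format and the sample transcript are assumptions; the card numbers in the sample are published test numbers, not live cards.

```python
import re
from typing import Dict, List, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes, the
# way a PAN is usually spoken or typed. Runs of 20 or more digits are skipped.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit number shortly after a phrase that introduces the card
# verification code on a call. The keyword list is an assumption.
_CVV_CONTEXT = re.compile(
    r"(?i)\b(?:cvv2?|cvc2?|cid|security code|code on the back)\b\D{0,20}?(\d{3,4})(?!\d)"
)
PAN_LENGTHS = range(13, 20)

# Constructed sample transcript, not a real call. The card numbers are the
# widely published Visa and American Express test numbers; the order number
# is a made-up 16-digit value that does not pass the Luhn check.
SAMPLE_TRANSCRIPT = [
    "Agent: Can I get the card number please?",
    "Caller: Sure, it's 4111 1111 1111 1111, expiry 12/27.",
    "Caller: and the security code is 123.",
    "Caller: or use my Amex, 3782 822463 10005.",
    "Agent: Thanks. Your order number is 1234 5678 9012 3456.",
]


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every PAN satisfies; rejects about 90% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, digits) for each Luhn-valid 13-19 digit run in text."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if len(digits) in PAN_LENGTHS and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact_line(line: str) -> Tuple[str, List[Dict]]:
    """Mask PANs to their last four digits, then blank any spoken verification code."""
    findings: List[Dict] = []
    pieces, last = [], 0
    for start, end, digits in find_pans(line):
        findings.append({"type": "PAN", "last4": digits[-4:], "offset": start})
        pieces.append(line[last:start])
        pieces.append(f"[PAN ****{digits[-4:]}]")
        last = end
    pieces.append(line[last:])
    redacted = "".join(pieces)

    # Run the CVV search on the PAN-redacted text so a masked PAN is never
    # mistaken for a 4-digit verification code. Offsets are in the redacted text.
    def _blank_cvv(m):
        findings.append({"type": "CVV", "offset": m.start(1)})
        return m.group(0)[: m.start(1) - m.start(0)] + "[CVV]"

    redacted = _CVV_CONTEXT.sub(_blank_cvv, redacted)
    return redacted, findings


def scan_transcript(lines: List[str]) -> Tuple[List[str], List[Dict]]:
    """Redact every line and collect findings tagged with 1-based line numbers."""
    redacted, findings = [], []
    for n, line in enumerate(lines, 1):
        out, hits = redact_line(line)
        redacted.append(out)
        for hit in hits:
            hit["line"] = n
            findings.append(hit)
    return redacted, findings


if __name__ == "__main__":
    out, hits = scan_transcript(SAMPLE_TRANSCRIPT)
    for hit in hits:
        # Any hit means the masking failed and this recording must not be kept as-is.
        print(f"line {hit['line']}: {hit['type']} present; recording must not retain it")
    print("\n".join(out))
```

A PAN hit shows that pause/resume or DTMF masking did not cover the whole utterance; a CVV hit is the more serious case, since the verification code may not be retained after authorization at all, so the recording (not just the transcript) must be dropped or re-masked. The Luhn filter keeps the order number on the last sample line from being flagged, but it is not proof of a PAN: a production scanner would add issuer BIN ranges and a review queue rather than acting on the check alone.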



NACSMA is a professional, non-profit association whose members represent customer contact organizations and the vendors who support them. 