PCI Certifications

It seems almost daily we hear about a data breach, and how credit card fraud is at an all-time high.

The PCI Data Security Standard (PCI DSS) is designed to protect cardholder information and secure the cardholder data environment. All businesses that process, store and transmit payment card data are required to implement the PCI DSS standard to prevent theft; implementing it is what compliance requires.
The contact center site certification process includes a Gap Assessment designed to review and analyze current policies, procedures and initiatives relevant to the contact center's debit/credit/payment transaction environment. All third-party providers are included in this assessment.
Next is the Gap Report and Remediation Plan, which highlights where the potential security issues lie and lays out a plan to repair and eliminate these security weaknesses. The remediation team closes any potential security issues before the Audit and Reporting step. The audit step reviews, tests and reports on the payment transaction environment before certifying.
To ensure contact centers are in compliance, using a contact center platform that has also been third-party audited for PCI demonstrates the commitment to security. Many contact center phone systems are “self-audited”. That is like saying I lost 10 pounds. If I don’t have a third party weighing me every week, who is to say I did in fact lose 10 pounds? Point being, self-audits always turn out well because who is going to give themselves any “dings” for non-compliance? When choosing a vendor, ask to see their PCI DSS certificate.

Industry Specific Certifications and Licenses

Industry specific certifications and licenses are a big deal for agents.

For example, insurance agents need an insurance license to talk to customers, and loan officers need a state-issued license as well to talk with customers.
While the agents are usually covered, what about the contact center itself? The contact center, depending on the business that you are doing, may require a certification. If your contact center handles protected health information (PHI), then your site is required to be HIPAA compliant. “Covered entities” include health plans, healthcare clearinghouses and healthcare providers.
If your site takes credit cards, regardless of industry, the required certification is the PCI Data Security Standard (PCI DSS). The credit card industry implemented PCI DSS due to the constant threat of security breaches. Also, if your site is doing any business with a federal agency, FedRAMP certification is required. This is a long, complex process that ensures security. You may find that your contact center requires more than one certification.

HIPAA Certification

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance for contact centers focuses on protecting the privacy and security of Protected Health Information (PHI) that the contact center has access to.
PHI is any information that pertains to an individual’s health condition. Although the law does not require a business to be certified, many choose to obtain HIPAA certification through professional training organizations.
Contact centers have two sets of HIPAA regulations to comply with. First, HIPAA Privacy, which is at the agent level. This regulation is about how safely health-related information is handled by the people who work with it. The second is HIPAA Security, which is at the site level and requires health information to be kept safe from disasters, hackers and electronic theft. The Security Rule covers electronic data found on computers, networks, email, software and electronic transmissions.
All organizations must comply with HIPAA Privacy regulations, and only those that store or transmit PHI are required to also comply with HIPAA Security, which is designed to protect electronic data. For example, contact centers that are servicing insurance companies are storing and transmitting patient data.

Who needs to comply?
– Healthcare Providers
– Employee Group Health Plans
– Health Insurance Companies
– Healthcare Clearing Houses
– Business Associates who work with any of the previous four above

Typical certifications may include one or more levels: HIPAA Awareness, Security, Privacy, Administrator and Transaction certificates are available depending on the contact center's needs. HIPAA Awareness indicates basic knowledge of HIPAA, while Privacy and Administrator dig deeper into the handling and storage of electronic data. Transaction and Security certifications are for staff who work with medical coding and encryption of HIPAA-protected information. Once the required training is complete, the employee takes the certification exam and receives a certificate.
Contact centers that work with PHI need a contact center platform that will protect the electronic data. Features like password protection and encryption on recorded audio files will keep your center in compliance.


1. Maintain certifications. Certification is ongoing, not a one-time event.

2. FedRAMP certification can take months. Begin this process long before you open your new site.


Certifications and licenses ensure the holder has a certain level of knowledge and experience in a particular topic. The certificate holder is willing to demonstrate a minimal level of competency through the certification process. To compete today, HIPAA, PCI and FedRAMP certifications for contact centers are not optional. Security must be a top priority, and while implementing a certification doesn’t guarantee security, it does lower the risk.
Agents, too, are required to have the necessary state licensing for health insurance and mortgage applications and processing. Anyone who talks to customers must have a license. Certifications can provide a career path for agents where a traditional career path is limited in a contact center. It takes a commitment to the extra education, an exam process and certain levels of experience. Many contact centers are providing the pre-licensing education and continuing education (CE) to maintain compliance.

Agent Certifications and Licenses

The Affordable Care Act (ACA) changed how healthcare coverage is purchased in the USA. Today, you go to a website and choose your plans, pay your money and then call and talk to a contact center health insurance agent about your plan, benefits, or any other questions you may have. With ACA, contact centers popped up overnight with agents ready and waiting to take calls. Open enrollments are a short six weeks and contact centers all want to get in on the act. Even companies that have nothing to do with insurance or healthcare got into the business. The only requirement is that agents obtain and maintain a state-issued health insurance license to talk with customers. A state-issued license is mandatory before salespeople can talk to potential policyholders. This is not optional.
It’s easy to get a license. Agents need to take the state-mandated exam and pass. Contact centers started teaching the prep classes, packing in potential agents with the hope that half the class would pass and be ready to move to the floor. Maintaining it is even easier: just pay the money for the CE courses, which can be done in self-study, online or in an instructor-led class. There may or may not be an exam.
ACA has opened many new contact centers with new opportunities for agents to make more than the average $10/hour. ACA centers are busy hiring, educating and certifying new insurance agents every day and prospering as a result.

Financial Services

While the financial planning industry has always had a series of certifications, they are new to mortgage banking. The SAFE Mortgage Licensing Act of 2008 requires mortgage loan originators to register and be licensed with the Nationwide Mortgage Licensing System (NMLS). See the NMLS resource website for details on the requirements and the SAFE MLO Test. Obtaining an NMLS license is mandatory for loan officers, processors, and other mortgage professionals who talk to customers. This is a state-issued license allowing the individual to conduct business in that state.

The Mortgage Bankers Association (MBA) offers an optional Certified Mortgage Banker certificate. It is the industry standard of professional success. The MBA provides training and education in both commercial and residential mortgage banking, as well as the examination and certification process.
Certified Financial Planners, on the other hand, have had a series of certifications for years.
For example, here is the list:
– Certified Financial Planner (CFP)
– Chartered Financial Analyst (CFA)
– Certified Fund Specialist (CFS)
– Chartered Financial Consultant (ChFC)
– Chartered Investment Counselor (CIC)
– Certified Investment Management Analyst (CIMA)

Each designation signifies an education and experience level and the type of work these professionals conduct. While certifications are optional, securities licenses are not. Financial Planners and/or Financial Advisers at a minimum need to hold securities licenses such as Series 63, Series 6 and/or Series 7, depending on the type of work one is doing. A Financial Adviser who holds only the securities licenses can still work with customers. This is how most Certified Financial Planners get started, since they need three years of experience before obtaining a certificate.

FedRAMP and Government Contact Centers

If your contact center provides services to any federal agencies, you will need Federal Risk and Authorization Management Program (FedRAMP) certification.
This means you will need to adopt the government security controls specified by FedRAMP and agree to compliance audits by independent security experts.
FedRAMP was created to accelerate the adoption of cloud solutions, increase confidence, achieve consistent security authorizations and increase the automation of continuous monitoring. FedRAMP has saved the Government 30-40% in costs and reduced the redundancy of assessment efforts. FedRAMP provides a standardized approach to security assessment, authorization and continuous monitoring of cloud products.
The General Services Administration is responsible for the FedRAMP program and the certifying process for cloud service providers (CSPs). Certifications are based on a unified risk management process that includes security requirements approved by the federal agencies. The FedRAMP certification process is quite intensive.
An initial step for CSPs interested in becoming FedRAMP compliant is completing a brief initiation request that provides summary information on their organization and cloud system, and submitting a Readiness Assessment Report (RAR). To speed this process, you might choose to work with a Third Party Assessment Organization (3PAO), which can navigate the process more efficiently.

NACSMA is a professional, non-profit association whose members represent customer contact organizations and the vendors who support them. 