Is Your Contact Center PCI Compliant?

Every CEO has read the dire headlines about online security breaches, such as the one that hit Target last holiday season. Such incidents are not only costly; they are also a public relations nightmare.

So the motivation is to protect the business and its valued customers at all costs. For call centers, security measures must be implemented in accordance with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires file encryption, secure storage and the deletion of certain information, such as the credit card security code.

To determine whether your contact center is PCI compliant, start with a review of these three areas:

Call Recording

Does your call recording technology provide a means to prevent the recording of sensitive data when it is not necessary? This can be as basic as a Pause and Resume option or a Mute button. Cardholder data should be transmitted and stored only after it has been encrypted. Any potential flaws in the system should be reviewed through a vulnerability management program.
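The two controls in this paragraph, pausing the recorder while card details are spoken and persisting only what may be stored after authorization, can be made concrete in a few dozen lines. The following is an added example and not code from the original post or from any call recording vendor; the recorder, the record layout and the sample transcript are constructed for illustration. It also adds a transcript scan for Luhn-valid card numbers, which is how a recording that was not paused in time can be flagged for review. Encryption of the stored file is deliberately left out; a real deployment would add it with a vetted library.

```python
import re
from dataclasses import dataclass, field

# Constructed example, not code from the original post. Models pause/resume
# on the recorder, a post-call scan for card numbers, and a storage filter
# that never persists the security code and masks the PAN.


@dataclass
class CallRecorder:
    """Buffers audio frames, but discards every frame received while paused."""
    paused: bool = False
    frames: list = field(default_factory=list)
    dropped: int = 0

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused = False

    def feed(self, frame: bytes) -> None:
        if self.paused:
            self.dropped += 1      # never buffered, so it cannot leak later
        else:
            self.frames.append(frame)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Luhn-valid card numbers found in free text such as a call transcript."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def sanitize_for_storage(record: dict) -> dict:
    """Copy of a payment record that may be persisted after authorization:
    the security code is dropped entirely and the PAN keeps only its last four digits."""
    safe = {k: v for k, v in record.items() if k != "security_code"}
    pan = re.sub(r"\D", "", str(record.get("pan", "")))
    if pan:
        safe["pan"] = "*" * (len(pan) - 4) + pan[-4:]
    return safe


def demo() -> dict:
    """Constructed call: the agent pauses before the customer reads the card out."""
    rec = CallRecorder()
    rec.feed(b"agent: may I have your card number")
    rec.pause()                      # Pause pressed before the customer answers
    rec.feed(b"customer: 4111 1111 1111 1111, code 123")
    rec.resume()
    rec.feed(b"agent: thank you, payment taken")
    return {"kept": len(rec.frames), "dropped": rec.dropped}


if __name__ == "__main__":
    print(demo())
```

The frame dropped during the pause is never buffered, so there is nothing to redact or encrypt afterwards; `find_pans` is the compensating check for calls where the pause came too late. The card number used in the sample is a well-known test number, not a real account.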

Access Control

Both physical and logical access controls should be in place to restrict access to sensitive data. Access should be granted on a need-to-know basis, only to those individuals who require it for their jobs. Some contact centers address this by assigning a unique ID to every employee, so that there is an audit trail in the event of unauthorized access. Given the employee turnover at many contact centers, access rights to this data should be revoked immediately after an employee leaves the company.
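The access model described here (need-to-know roles, one unique ID per person, an audit trail of every decision, and immediate revocation when someone leaves) is small enough to show end to end. This is an added example, not code from the original post; the role names, resource names and user IDs are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example, not code from the original post. Roles, resources
# and user IDs are assumptions used to illustrate need-to-know access.

CARDHOLDER_DATA = "cardholder_data"

# Least privilege: only the payments role can reach cardholder data.
ROLE_PERMISSIONS = {
    "agent": frozenset({"call_notes"}),
    "payments": frozenset({"call_notes", CARDHOLDER_DATA}),
    "supervisor": frozenset({"call_notes", "recordings"}),
}


@dataclass
class User:
    user_id: str        # one ID per person; a shared login breaks the audit trail
    roles: frozenset
    active: bool = True


class AccessControl:
    def __init__(self) -> None:
        self.users = {}
        self.audit_log = []   # every decision, allowed or denied, is recorded

    def _log(self, **event) -> None:
        event["time"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(event)

    def add_user(self, user: User) -> None:
        if user.user_id in self.users:
            raise ValueError(f"user id {user.user_id!r} already exists")
        self.users[user.user_id] = user
        self._log(action="provision", user=user.user_id, roles=sorted(user.roles))

    def terminate(self, user_id: str) -> None:
        """Leaver process: access ends the moment the departure is recorded."""
        self.users[user_id].active = False
        self._log(action="terminate", user=user_id)

    def authorize(self, user_id: str, resource: str) -> bool:
        user = self.users.get(user_id)
        allowed = (
            user is not None
            and user.active
            and any(resource in ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles)
        )
        self._log(action="access", user=user_id, resource=resource, allowed=allowed)
        return allowed

    def denied_events(self) -> list:
        """Denied attempts, the entries a reviewer looks at first."""
        return [e for e in self.audit_log if e["action"] == "access" and not e["allowed"]]
```

Note that `authorize` logs denials as well as grants: a string of denied attempts by one ID is exactly the signal the unique-ID requirement exists to produce, and `terminate` takes effect on the next call with no cache to expire.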

Network Security

Make certain that every aspect of your contact center technology is as secure as possible. That starts with an effective firewall and router, as well as internal processes that provide additional layers of protection. All traffic from untrusted networks and hosts should be restricted, and there should never be direct access between any network component containing cardholder data and the Internet. All remote devices used by contact center personnel should also provide adequate protection. Follow-up testing of all security systems and processes should be conducted on a regular basis.
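The rule that nothing holding cardholder data may talk directly to the Internet can be checked mechanically against a firewall rule set. The following is an added example, not code from the original post or from any firewall product: the zone subnets and the rule list are constructed, and the check is written for IPv4 rules expressed as CIDR pairs. It treats any address range that is not wholly inside a known internal zone as untrusted, which is the conservative choice for a review.

```python
import ipaddress
from collections import namedtuple

# Constructed example, not code from the original post. Subnets and rules
# are assumptions; the check is generic: any allow rule that joins the
# cardholder data environment (CDE) directly to an untrusted address is flagged.

# Assumed internal zones. Anything not inside one of these is untrusted
# (the Internet, partner links, unknown ranges).
ZONES = {
    "cde": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
}

Rule = namedtuple("Rule", "name src dst action")


def zone_of(cidr: str) -> str:
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "untrusted"   # includes 0.0.0.0/0 and ranges only partly inside a zone


def direct_cde_exposures(rules) -> list:
    """Names of allow rules that connect the CDE straight to an untrusted address."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if {zone_of(r.src), zone_of(r.dst)} == {"cde", "untrusted"}:
            findings.append(r.name)
    return findings


# Constructed rule set: card payments are proxied through the DMZ, so the CDE
# itself needs no Internet-facing rule. The last two rules are the mistakes
# a review should catch.
SAMPLE_RULES = [
    Rule("inet-to-dmz-web", "0.0.0.0/0", "10.30.0.0/24", "allow"),
    Rule("dmz-to-cde-db", "10.30.0.0/24", "10.20.0.10/32", "allow"),
    Rule("corp-to-cde-admin", "10.10.5.0/24", "10.20.0.0/24", "allow"),
    Rule("cde-default-deny", "10.20.0.0/24", "0.0.0.0/0", "deny"),
    Rule("cde-direct-out", "10.20.0.0/24", "0.0.0.0/0", "allow"),
    Rule("inet-to-cde-db", "0.0.0.0/0", "10.20.0.10/32", "allow"),
]


if __name__ == "__main__":
    for name in direct_cde_exposures(SAMPLE_RULES):
        print("direct CDE exposure:", name)
```

The DMZ hop is what keeps the first two rules clean: the Internet reaches the DMZ, and the DMZ reaches one CDE host, but no single allow rule spans both. Running the same check after every rule change is the "follow-up testing on a regular basis" the paragraph calls for.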

For more information about this and other regulations, please also see our blog post about PCI compliance and regulations. Note that the list above is not a complete list of requirements; read the official PCI DSS and any other applicable regulations for the full set of requirements and rules that apply to your contact center.

And of course, you can always contact us if you have questions about call recording and compliance.