PCI DSS (Payment Card Industry Data Security Standard) is an industry baseline of security requirements for protecting cardholder data.
How does this standard apply to contact centers and cloud contact center software? First, the compliance of a cloud provider does not automatically mean the compliance of the contact center using it, although it’s a great starting point. In more detail, here is how each of the 12 requirement areas affects contact centers:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Both the contact center and the cloud provider must maintain firewalls and the associated configuration procedures.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
As a rule, cloud vendors do not ship default passwords. Contact centers should avoid using placeholder passwords during the initial user list import, or better yet, use a SAML 2.0 authentication provider. Contact centers should also limit system access to a small selection of personnel, each at the appropriate access level.
Requirement 3: Protect stored cardholder data
Contact centers should avoid storing cardholder data in cloud contact centers. Cloud vendors offer a number of tools to identify and exclude cardholder data from recordings, transcripts and reporting data, and they should be used to the full extent. When it is not possible to exclude the data, encryption options must be enabled.
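The "identify and exclude" step above is the part a contact center can verify itself. The following is an added example (not Bright Pattern's code, and not tied to any vendor's redaction tooling) showing the usual approach: scan transcript text for digit runs that look like a primary account number, confirm them with the Luhn checksum so order numbers and phone numbers are not over-redacted, and mask all but the last four digits before the text is stored. The transcript and the card numbers in it are constructed test values.

```python
from __future__ import annotations
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# which is how card numbers typically appear in speech-to-text output.
# The lookarounds stop a longer digit run from being matched in pieces.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PAN digit strings found in text, in order of appearance."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _as_digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with a marker that keeps only the last four digits."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = _as_digits(raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return raw          # a digit run that fails Luhn is left untouched
    return _CANDIDATE.sub(_mask, text)


# Constructed transcript: one real-looking test PAN, one 16-digit order reference
# that fails Luhn, and a phone number that is too short to be a PAN.
TRANSCRIPT = (
    "Agent: Can I have the card number?\n"
    "Caller: Sure, it's 4111 1111 1111 1111, expiry 12/26.\n"
    "Agent: Thanks. And the order reference?\n"
    "Caller: 1234567890123456, callback number (555) 010-2233.\n"
)

if __name__ == "__main__":
    print(find_pans(TRANSCRIPT))
    print(redact_pans(TRANSCRIPT))
```

Run against the constructed transcript, only the Luhn-valid number is redacted; the order reference and phone number survive, which is the false-positive behaviour a reporting pipeline needs. The last four digits are kept because that is what agents usually need for verification; if the retained fragment is itself considered sensitive in a given deployment, the mask can drop it as well.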
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Contact centers must ensure vendors require strong TLS encryption for communication between personnel and the cloud system. Contact centers must also require strong encryption for data points within the organization that are accessed by the cloud system.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Both the cloud contact center software provider and the contact center must have malware and virus protection and take great care to avoid spreading infections between the two environments.
Requirement 6: Develop and maintain secure systems and applications
A contact center must work with its cloud provider so that each party’s security measures are accounted for in the contact center’s security perimeter. They also need to establish and follow change control procedures to maintain that perimeter’s integrity.
Requirement 7: Restrict access to cardholder data by business need to know
Contact centers should avoid storing cardholder data in cloud contact center systems. When that is impossible, access to the encrypted data must be restricted by roles, privileges and assignments.
Requirement 8: Identify and authenticate access to system components
For contact centers, this requirement translates to never sharing user IDs, maintaining current user lists for both employees and contractors, and making sure that the cloud application’s compliant access control mechanisms are enabled.
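Requirements 7 and 8 together describe a single access decision: the account must be an individual, current user (Requirement 8), and it must hold a role that permits viewing cardholder data and be assigned to the interaction in question (Requirement 7). The following added example (written for this page, not Bright Pattern's code or any vendor's access control API) shows that decision as one function, with the role names, the shared-ID patterns and the user and interaction records all being constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed role names: only these may see decrypted cardholder data (Requirement 7).
PAN_VIEW_ROLES = {"payments_supervisor", "fraud_analyst"}
# Assumed markers of shared or generic accounts, which are never individual IDs (Requirement 8).
SHARED_ID_MARKERS = ("shared", "generic", "team", "admin")


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True
    contract_end: Optional[date] = None   # set for contractors; None for employees


@dataclass
class Interaction:
    interaction_id: str
    assigned_to: set[str] = field(default_factory=set)  # user IDs working this case
    has_cardholder_data: bool = False


def is_shared_id(user_id: str) -> bool:
    uid = user_id.lower()
    return any(marker in uid for marker in SHARED_ID_MARKERS)


def is_current_user(user: User, today: date) -> bool:
    """Requirement 8: account is enabled and, for contractors, still within contract."""
    if not user.active:
        return False
    if user.contract_end is not None and user.contract_end < today:
        return False
    return True


def may_view_cardholder_data(user: User, interaction: Interaction, today: date) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    if is_shared_id(user.user_id):
        return False, "shared or generic account identifier"
    if not is_current_user(user, today):
        return False, "account is not a current user"
    if user.role not in PAN_VIEW_ROLES:
        return False, "role has no privilege to view cardholder data"
    if user.user_id not in interaction.assigned_to:
        return False, "user is not assigned to this interaction"
    return True, "allowed"


def stale_accounts(users: list[User], today: date) -> list[str]:
    """Requirement 8 housekeeping: IDs that should be removed from the current user list."""
    return [u.user_id for u in users if is_shared_id(u.user_id) or not is_current_user(u, today)]


# Constructed sample data.
TODAY = date(2024, 3, 4)
CASE = Interaction("INT-1001", assigned_to={"asmith", "bjones"}, has_cardholder_data=True)
USERS = [
    User("asmith", "payments_supervisor"),
    User("bjones", "agent"),
    User("cwu", "fraud_analyst"),                                   # not assigned to INT-1001
    User("dlee", "payments_supervisor", contract_end=date(2024, 1, 31)),  # contract ended
    User("payments-shared", "payments_supervisor"),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.user_id, may_view_cardholder_data(u, CASE, TODAY))
    print("remove from user list:", stale_accounts(USERS, TODAY))
```

The order of checks matters for the audit trail: identity problems (shared or stale accounts) are reported before authorization problems, so a review of denials shows user-list hygiene issues separately from role or assignment mismatches.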
Requirement 9: Restrict physical access to cardholder data
Contact centers must ensure that cloud contact center providers and their infrastructure partners follow physical access control requirements – vendor certification helps here.
Requirement 10: Track and monitor all access to network resources and cardholder data
Cloud providers must maintain audit logs of all system access events and modifications – contact centers must monitor this information, too.
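Monitoring the audit trail means more than keeping it: someone has to look at cardholder-data access events and pick out the ones that need follow-up. The following added example (not Bright Pattern's code; the log line format, field names, user roster and thresholds are all constructed assumptions) runs a few checks a contact center would typically apply to provider audit logs: access by an account that is not on the current user list, access outside the assumed operating hours, bulk access by one user, repeated denied attempts, and any change to the audit configuration itself.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime

# Assumed thresholds and operating window (UTC); tune to the contact center's schedule.
BUSINESS_HOURS = range(8, 18)           # 08:00 to 17:59
BULK_THRESHOLD = 4                      # distinct cardholder records per user in the log window
DENIED_THRESHOLD = 2                    # denied attempts per user
CARDHOLDER_ACTIONS = {"view_pan", "export_pan", "decrypt_pan"}
AUDIT_ADMIN_ACTIONS = {"update_audit_config", "disable_logging"}


def parse_event(line: str) -> dict:
    """Parse an assumed 'timestamp key=value ...' audit line into a dict."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(lines: list[str], known_users: set[str]) -> list[tuple[str, str]]:
    """Return sorted (user, reason) findings; each user/reason pair is reported once."""
    findings: set[tuple[str, str]] = set()
    records_per_user: dict[str, set[str]] = defaultdict(set)
    denied: Counter = Counter()

    for line in lines:
        ev = parse_event(line)
        user, action, result = ev["user"], ev["action"], ev["result"]

        if user not in known_users:
            findings.add((user, "access attempt by account not in current user list"))
        if result == "denied":
            denied[user] += 1
        if action in AUDIT_ADMIN_ACTIONS:
            findings.add((user, f"audit configuration modified: {action}"))
        if action in CARDHOLDER_ACTIONS and result == "ok":
            records_per_user[user].add(ev["record"])
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.add((user, "cardholder data access outside business hours"))

    for user, recs in records_per_user.items():
        if len(recs) >= BULK_THRESHOLD:
            findings.add((user, f"bulk cardholder data access: {len(recs)} records"))
    for user, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.add((user, f"repeated denied access attempts: {n}"))
    return sorted(findings)


# Constructed sample: current user list and a short audit log window.
KNOWN_USERS = {"asmith", "bjones", "cwu"}
LOG_LINES = """\
2024-03-04T09:12:01Z user=asmith action=view_pan record=INT-1001 result=ok
2024-03-04T09:13:40Z user=asmith action=view_pan record=INT-1002 result=ok
2024-03-04T09:13:55Z user=asmith action=view_pan record=INT-1003 result=ok
2024-03-04T09:14:10Z user=asmith action=view_pan record=INT-1004 result=ok
2024-03-04T10:02:33Z user=bjones action=view_pan record=INT-1005 result=ok
2024-03-04T02:15:07Z user=cwu action=view_pan record=INT-1006 result=ok
2024-03-04T11:30:00Z user=former01 action=view_pan record=INT-1007 result=denied
2024-03-04T11:30:05Z user=former01 action=view_pan record=INT-1007 result=denied
2024-03-04T12:00:00Z user=bjones action=update_audit_config record=- result=ok
""".strip().splitlines()

if __name__ == "__main__":
    for user, reason in analyze(LOG_LINES, KNOWN_USERS):
        print(f"{user}: {reason}")
```

The check that most often gets skipped is the last one: a change to the audit configuration is itself an event the contact center has to see, since it is the one that can hide every other event.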
Requirement 11: Regularly test security systems and processes
Both the providers’ and contact centers’ systems must be penetration-tested regularly.
Requirement 12: Maintain a policy that addresses information security for all personnel
While both the provider and contact center must maintain the policy, the contact center must ensure the policies are compatible.
Bright Pattern is a certified provider of cloud contact center software; we are happy to work with you to establish and maintain your contact center’s PCI compliance.