There are many ways that contact centers can be PCI compliant in their day-to-day interactions. No matter how simple or obvious they seem, all contact centers should mirror these security best practices to meet PCI DSS requirements:
Install and maintain firewalls to protect cardholder data
Both contact centers and cloud providers must maintain firewalls and associated procedures to separate confidential data from the rest of their corporate networks. Firewalls should provide secure access through strong encryption, and management access should be limited.
Don’t use default or placeholder passwords, ever
As a rule, cloud vendors do not offer default passwords. Contact centers should avoid using placeholder passwords (e.g., “Changeme”) during initial user list import. SAML2 authentication is preferred. System access should be restricted to a limited selection of personnel.
Avoid storing cardholder data; if you must, encrypt it
Cardholder data should not be stored in cloud contact centers. Cloud vendors offer a number of tools to identify and exclude cardholder data from recordings, transcripts, and reporting data. When it is not possible to exclude the data, encryption options must be enabled.
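As an added illustration (not code from the page or from any vendor's toolset) of what "identify and exclude cardholder data from transcripts" means in practice, the following Python scans free text for candidate card numbers, keeps only those that pass the Luhn checksum so that order or ticket numbers are not over-redacted, and masks all but the last four digits. The transcript lines, the 13-to-19-digit heuristic and the masking format are assumptions chosen for the example.

```python
"""Added example: mask primary account numbers (PANs) found in transcript text.

Assumptions (not from the original page): a run of 13-19 digits, optionally
separated by spaces or hyphens, that passes the Luhn check is treated as a PAN.
"""
import re

# Candidate PAN: 13-19 digits with optional single space/hyphen separators,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> tuple:
    """Replace every Luhn-valid PAN with asterisks, keeping the last four digits.

    Returns (masked_text, number_of_pans_masked). Digit runs that fail the Luhn
    check (e.g. order numbers) are left untouched.
    """
    count = 0

    def _sub(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return _PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    # Constructed transcript line; 4111 1111 1111 1111 is a well-known test number.
    sample = "Agent: card number is 4111 1111 1111 1111, expiry 12/26. Order 1234567890123456."
    print(mask_pans(sample))
```

The same function can be run over each transcript or chat record before it is written to storage or fed into reporting, so the masked form is the only copy that persists.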
Encrypt all data exchanged on open, public networks
Contact centers must ensure vendors require strong TLS encryption for communication between personnel and a cloud system. Contact centers, too, must require strong encryption for data points within the organization that are accessed by a cloud system.
Use anti-malware and antivirus protection software
Both cloud contact center software providers and contact centers must have operational procedures for protecting systems against malware and viruses, and systems should be monitored regularly. Should either get a virus, great care must be taken to avoid spreading it.
Establish and follow procedures for securing systems
Contact centers must work with their cloud providers to incorporate each other’s security measures into the contact centers’ security perimeter. They also need to establish and follow change procedures to maintain that perimeter’s integrity and identify potential vulnerabilities.
Restrict who has access to encrypted cardholder data
Contact centers should avoid storing cardholder data in cloud contact center systems. When that is impossible, access to the encrypted data must be restricted by roles, privileges, and assignments. Segmenting access in this way improves security for the entire contact center.
Authenticate at every point of entry to the contact center
For contact centers, this requirement translates to never sharing user IDs, always maintaining current user lists of both employees and contractors, and making sure that all cloud applications’ compliant access control mechanisms are enabled for contact centers at all times.
Make sure providers restrict physical access to data too
Contact centers must ensure that cloud contact center providers and their infrastructure partners follow physical access control requirements. Vendor certification, especially third-party certification, can validate any cloud provider’s claim for PCI security compliance.
Monitor all audit logs of system access and changes
Cloud providers must maintain audit logs of all system and network access events and modifications, and contact centers must monitor this information, too. Additionally, contact centers should make a habit of removing or disabling inactive users from the system.
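The following Python is an added example, not the page's or any provider's code, of the review habit described above: it reads constructed audit-log lines, compares them against a provisioned user list, and reports accounts with no successful activity in the review window, accounts that appear in the log but not in the user list, and repeated failed logins. The log format, user names and 30-day idle threshold are assumptions for the example.

```python
"""Added example: review access-log lines for inactive and unlisted accounts.

The log format (UTC timestamp followed by key=value fields), the user names
and the idle threshold are assumptions, not the page's or any vendor's format.
"""
from datetime import datetime, timezone, timedelta

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice event=login result=success src=10.0.0.5
2024-05-02T10:00:00Z user=bob event=login result=success src=10.0.0.9
2024-05-03T11:30:00Z user=carol event=config_change result=success target=routing_profile
2024-03-01T08:00:00Z user=dave event=login result=success src=10.0.0.7
2024-05-04T12:00:00Z user=eve event=login result=failure src=203.0.113.8
2024-05-04T12:00:40Z user=eve event=login result=failure src=203.0.113.8
2024-05-05T09:00:00Z user=ghost event=login result=success src=10.0.0.11
"""

# Constructed current user list (employees and contractors still provisioned).
PROVISIONED_USERS = {"alice", "bob", "carol", "dave", "eve", "frank"}

# Fixed review time so the example is deterministic.
REVIEW_TIME = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one log line into a dict of fields plus a timezone-aware 'ts'."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def review_access_log(log_text, provisioned_users, now, max_idle_days=30):
    """Return accounts to act on: inactive, unlisted, and failed-login counts."""
    last_success = {}
    failed_logins = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if ev["result"] == "success":
            if user not in last_success or ev["ts"] > last_success[user]:
                last_success[user] = ev["ts"]
        elif ev["event"] == "login":
            failed_logins[user] = failed_logins.get(user, 0) + 1

    cutoff = now - timedelta(days=max_idle_days)
    # Provisioned accounts with no successful activity inside the window.
    inactive = sorted(u for u in provisioned_users
                      if u not in last_success or last_success[u] < cutoff)
    # Accounts seen in the log that are missing from the current user list.
    unlisted = sorted((set(last_success) | set(failed_logins)) - provisioned_users)
    return {"inactive": inactive, "unlisted": unlisted, "failed_logins": failed_logins}


def sample_report():
    return review_access_log(SAMPLE_LOG, PROVISIONED_USERS, REVIEW_TIME)


if __name__ == "__main__":
    print(sample_report())
```

Accounts in the `inactive` list are candidates for disabling; an `unlisted` account is a stale entry that should be reconciled against the user list, and repeated failures are worth a closer look in the source logs.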
Test security measures often to expose areas of weakness
Providers’ and contact centers’ systems must be penetration-tested regularly. More than just a vulnerability scan, a penetration test can include the identification of vulnerabilities, as well as a simulation of a real-world attack to see how an attacker may successfully penetrate the network.
Educate employees on your information security policies
While both providers and contact centers must maintain the policy, contact centers must ensure the policies are compatible, in use, and known to everyone involved. Contact centers should implement, publish, maintain, and disseminate security policies to all users.