If your business or organization accepts payment cards, it is in your best interest to become compliant with PCI-DSS. Beyond the standard's own requirements, there are many other actions you can take to help prevent breaches of sensitive card and personal information. Below are just a few best practices; more are found in VPI's complimentary document, the CallCenter Recording Guide to PCI-DSS Compliance.
1. Work with your information technology department before implementing contact center-specific solutions. Compliance is an organization-wide commitment, and IT may have an overall security plan that contact centers must adopt. For example, individuals who require access to archived calls that may include card data must be specifically authorized to access this information.
2. Make sure your order entry system, new customer applications, and any other customer databases that your agents frequently access mask credit, debit, and other sensitive information.
3. Limit the amount of time that card information is kept in the call recording server database (both voice and screen recordings). It may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI-DSS and
4. Segment contact center operations so that a limited number of employees have access to payment card data. For example, payment card information can be entered by a sales agent, but a customer service representative may have access only to the masked PAN.
5. Be very careful about who you hire. If the agent will be accepting card payments or otherwise be privy to sensitive personal information, conduct a thorough background check before extending an offer.
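The masking, segmentation and retention points in items 2 through 4 are concrete enough to show in code. The following is an added example written for this page, not code from VPI or from the PCI-DSS guide it refers to. It masks a PAN for display (no more than the first six and last four digits, as PCI-DSS requirement 3.3 allows), redacts Luhn-valid PANs from free-text agent notes, gates the unmasked PAN behind an explicitly authorized role, and sweeps call-recording records that have outlived their retention window. The role name `payment_processing`, the `Recording` record shape, the 30-day and 365-day windows, and the sample data are all constructed assumptions; `4111111111111111` is a standard test PAN, not a real card.

```python
"""Added example (not from the VPI guide): PAN masking, note redaction,
role-gated PAN access and a retention sweep for call-recording records."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: only these roles may ever see an unmasked PAN.
AUTHORIZED_FULL_PAN_ROLES = {"payment_processing"}

# Candidate PAN in free text: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check on the digits of a candidate PAN; cuts false positives on order numbers etc."""
    digits = [int(c) for c in re.sub(r"\D", "", pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (PCI-DSS req. 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN candidate in free text such as agent call notes."""
    def repl(m: re.Match) -> str:
        candidate = m.group()
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(repl, text)


def pan_for_role(pan: str, role: str) -> str:
    """Unmasked PAN only for explicitly authorized roles; everyone else gets the masked form."""
    return pan if role in AUTHORIZED_FULL_PAN_ROLES else mask_pan(pan)


@dataclass
class Recording:
    """Constructed metadata record for one archived voice/screen recording."""
    recording_id: str
    captured_at: datetime
    contains_card_data: bool


def expired_recordings(records, now, card_data_days=30, default_days=365):
    """IDs of recordings past retention; recordings flagged as holding card data
    get the shorter window (policy values are constructed for this example)."""
    out = []
    for r in records:
        limit = card_data_days if r.contains_card_data else default_days
        if now - r.captured_at > timedelta(days=limit):
            out.append(r.recording_id)
    return out


def sample_sweep():
    """Run the retention sweep over constructed sample records."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample = [
        Recording("A", datetime(2024, 4, 1, tzinfo=timezone.utc), True),    # 61 days, card data
        Recording("B", datetime(2024, 5, 15, tzinfo=timezone.utc), True),   # 17 days, card data
        Recording("C", datetime(2023, 1, 1, tzinfo=timezone.utc), False),   # >365 days
        Recording("D", datetime(2024, 1, 1, tzinfo=timezone.utc), False),   # 152 days
    ]
    return expired_recordings(sample, now)


if __name__ == "__main__":
    # Constructed sample note; the order reference is 13 digits but fails Luhn, so it is left alone.
    print(redact_pans("Caller read card 4111-1111-1111-1111, order ref 1234567890123"))
    print(pan_for_role("4111111111111111", "customer_service"))
    print(sample_sweep())
```

The Luhn check is what keeps the redactor from mangling order numbers and case references that happen to be 13 to 19 digits long; the regex alone would mask those too. Flagging recordings as `contains_card_data` at capture time is what lets the sweep apply the shorter window only where it matters, which is the compromise item 3 describes between compliance and the other departments' retention needs.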