If you are operating a call center environment, one of the best strategies you can employ to achieve PCI compliance is network segmentation. This strategy is especially sound for a call center because of how its resources are deployed: Call Agent Desktops can use a standard image for OS and software deployment. This reduces the overall time required to assess this segment of your environment from a PCI standpoint. While all controls within the DSS are applicable within this segment, only a subset of these controls will actually be required to achieve compliance in this network segment, because only certain controls are applicable to a desktop environment. Additionally, by segmenting your Call Center environment, you take the remainder of your Corporate network out of scope for PCI compliance, assuming cardholder data is not being stored, processed, or transmitted anywhere else.
This also means that your Call Center Software, Interactive Voice Recognition, or Dual-Tone Multi-Frequency will be in scope for PCI as well, since calls will be routed through these solutions to reduce overhead and increase sales. Most Call Center Software packages now have PCI-compliant modules or plugins that aid in achieving and maintaining PCI compliance, but for the ones that do not, TokenEx suggests segmenting these environments as well so they do not bring the Corporate environment into PCI scope. In fact, a strategy that we have seen used by a number of our organizations is simply putting the Call Center Software environment into the PCI Cardholder Data Environment (CDE).
For more information or guidance on PCI Compliance in the Call Center, please contact TokenEx.