If you are leveraging a contact center environment, one of the best strategies you can employ to achieve PCI compliance is network segmentation. The reason this strategy is very sound from a contact center standpoint is because of all of the resources. Call Agent Desktops can use a standard image for OS/Software deployment. This reduces the overall time required for assessing this segment of your environment from a PCI standpoint. While all controls within the DSS are applicable within this segment, only a subset of these controls will actually be required to achieve compliance in this network segment because only certain controls are applicable to a desktop environment. Additionally, by segmenting your Contact Center environment, you take the remainder of your Corporate network out of scope for PCI compliance assuming cardholder data is not being stored, processed, or transmitted anywhere else.
Now, what this also means is that your Contact Center Software, Interactive Voice Recognition or Dual-Tone Multi-Frequency will be in scope for PCI as well as calls will be routed through these solutions to reduce overhead and increase sales. Most Contact Center Software packages now have PCI compliant modules or plugins that aid in achieving and maintaining PCI compliance, but for the ones that do not TokenEx suggests segmenting these environments as well so they do not bring the Corporate environment into PCI scope. In fact, a strategy that we have seen used by a number of our organizations is simply putting the Contact Center Software environment into the PCI Cardholder Data Environment (CDE).
For more information or guidance on PCI Compliance in the Contact Center, please contact TokenEx.