Diana Kelley

Lori Bocklund

Explaining PCI DSS compliance to contact center professionals is a different conversation than  with security pros. In the first of this two-part podcast, Lori Bocklund and Diana Kelley discussed the physical contact center and PCI compliance.

In the second podcast, Lori and Diana discuss ways that contact centers can prepare themselves for a PCI DSS audit, how much they can do themselves and how PCI affects some of the emerging contact center technologies like call recording and how to ensure compliance with email and chat.

Highlights of part II of the podcast are listed here:

• 00:30 How does PCI affect how contact centers address staffing, technology and process decisions?
• 2:15 How can contact centers prepare themselves for a PCI audit?
• 3:45 Can you do a self assessment or do you have to bring in a QSA? (well known term?)
• 8:30 What impact has PCI had on operational issues with things like home agents or outsourcing?
• 10:15 If I am using home agents what controls need to be in place?
• 12:20 How does PCI compliance affect things like average handle time and the customer experience and how are contact centers addressing that?
• 13:30 How does call recording, text and chat impact PCI compliance?
• 18:00 What about other sensitive data like social security numbers or health care information that contact centers need to think about putting controls around?

Diana Kelley

Raised cubicle walls, safe rooms for credit card data, different colored badges for different agents – it all seemed a bit draconian. Yet, many contact center managers are struggling with some of the stringent requirements for PCI DSS when they first run across them. It may not be a police state, but most contact center professionals need some help and advice. The security professionals often responsible for PCI DSS projects do not always understand the operations of the contact center, what’s important and what’s not. And the same goes for contact center managers dealing with PCI DSS auditors.

In an attempt to get the two sides together, SearchCRM.com News Director Barney Beal delved into some of these issues with Lori, president of Strategic Contact Inc., a call center

Lori Bocklund

consultancy and Diana Kelley, a partner with Security Curve.

The roundtable discussion covers PCI DSS compliance across a multitude of topics in two parts. In the first part, Diana and Lori discuss the physical requirements for complying with PCI in the contact center, the importance of clear communication between contact center and IT/security professionals and what Lori’s recent experience revealed about some unexpected requirements.

Highlights of first podcast are listed below: 1:00 Lori’s experience with a recent PCI audit regarding physical facility specifications

• 2:15 Are some of the physical requirements surprising people? (Maybe: Why are some of the physical requirements are surprising organizations?)
• 5:05 The PCI Security council talks about “best practices” and “common sense” steps but why is it so confusing to contact center professionals?
• 7:55 Has there been a shift in contact center responsibility for security? How so?
• 9:52 Does Lori’s experience jive with what Diana has seen from security professionals? What are the areas of PCI compliance open to interpretation? How do you deal with contact center with software vendors? (reread last question, not sure what you’re trying to say)
• 15:45 How can you address specific issues with an auditor?

There’s more information across SearchCRM.com, SearchSecurity.com and the web in general for contact center professionals interested in PCI DSS compliance.

SearchSecurity.com did a lengthy special report on PCI compliance featuring video of Diana Kelley and other PCI experts.

The PCI DSS standards body has offered some PCI compliance tips for contact centers.

Finally, the PCI standards body’s website is a valuable resource for organizations preparing for an audit.