I just had a couple real quick questions. The company I work for has just gone PCI compliant. Since then they have slowly been taking away what has made the job fun. I do understand some, but what I'm trying to find is a complete list of things that can and can't be done as far as an agent in a call center. When this first started they took away the ability to have any kind of paper or pens. That I do understand. They have also gone from letting everyone browse the net with no restrictions to basically allowing only work related items. What has recently become a problem is they claim having snack food on the call center floor is against PCI compliance and have banned all food items except for drinks with lids. So I'm just looking for a complete list of what is and isn't against PCI compliance. Thank you in advance for any help you can provide.
jbhall56
08-24-2009, 08:29 AM
Sounds like your employer is using the PCI DSS as the scapegoat for things that should have been implemented a long time ago.
You obviously got the pens, pencils and paper right. Those can be PCI related issues if people write down cardholder data.
Restricting browsing of the Internet is also a PCI related issue. What they are trying to do is minimize the risk that a call center computer gets infected or compromised from the Internet. You should feel lucky that you have Internet access. Most call center personnel are not allowed access to the Internet as they are supposed to be making/receiving calls, not surfing the Web.
Food at call center workstations is not a PCI issue, it's just a bad idea. First, if you are eating, you really cannot take a call, so there is no reason for you to be at the workstation. This is why most call centers have break rooms, and most have really nice break rooms with TVs, microwaves, lounge chairs, etc. Second, call center workstations are usually shared by employees and no one wants to come to work to a work area with dried up lettuce, spilled mayo and ketchup, or a poorly cleaned up work space. Besides, cleanup takes time away from making or taking calls, so it's also a productivity issue.
Drinks are also not a PCI issue, but a necessity for call centers. It's tough for a call center worker to make or receive calls with a dry mouth and you want to minimize trips to drinking fountains. So the compromise is to allow drinks at the workstation with covers. The covers hopefully minimize the amount of spillage that occurs in the event of an accident. Not only is there an obvious clean up issue, but call center workstations are full of sensitive electronics that could be damaged by liquid spills. By requiring covers, the hope is that any spill would be limited and the electronics spared.
ADail
08-24-2009, 12:39 PM
2 good desktop references for this sort of compliance are as follows:
Data Security Handbook - American Bar Association
CIPP Bibliography of Recommended Reading - International Association of Privacy Professionals