It's no secret that becoming PCI DSS compliant is not easy. There are lots of technical issues that need to be overcome, some of which I blogged about earlier in the year. However, the biggest issue in a secure process is often the people involved. The fewer people who are exposed to sensitive data, and the less of that data each of them can see, the more secure you are going to be.
The ideal solution to this is if your people are never exposed to cardholder data in the first place. If you don't have the data then you can't lose it.
Thankfully there are solutions and techniques such as tokenisation that make this a reality.
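The principle behind tokenisation, as an added illustration that is not code from this post or from the service it describes: the card number is exchanged for a random token that is useless outside the vault, and the systems and people downstream only ever handle the token and a masked form. The vault here is an in-memory dictionary, the card numbers are constructed test values, and the `last4` masking policy is an assumption about what an agent would be allowed to see.

```python
import secrets

# Constructed sample PANs (standard test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "4012888888881881"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping from token to PAN.

    In a real deployment this component lives inside the PCI scope (here
    assumed to be the SaaS provider); everything else sees tokens only.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Store the PAN and return a random token that reveals nothing about it."""
        if not luhn_valid(pan):
            raise ValueError("rejecting input that is not a well-formed card number")
        # 128 bits from the OS CSPRNG: the token cannot be reversed or guessed.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor path should ever call this."""
        return self._store[token]


def mask_for_agent(pan: str, visible: int = 4) -> str:
    """What an agent is allowed to see: last four digits only (assumed policy)."""
    return "*" * (len(pan) - visible) + pan[-visible:]


def agent_view(vault: TokenVault, pan: str) -> dict:
    """Simulate a mid-call hand-off: the agent's record holds the token and a mask,
    never the PAN itself."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_for_agent(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        record = agent_view(vault, pan)
        print(record)
```

The agent-facing record contains no field from which the card number can be recovered, so a compromise of the call centre's systems, or an agent writing down what is on screen, yields only a token that the vault can refuse to honour.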
Using products such as our new mid-call IVR service allows companies to offload a lot of the cost and risk of providing PCI compliance to SaaS providers such as ourselves.
You could create your own PCI DSS compliant processes and get your call centre agents to handle the credit card payments; however, it's very easy to underestimate the complexity, cost and risks of doing so. If you do it properly then you are going to have to shackle your agents and remove their privacy. We believe very strongly that to deliver great service you need to have happy and well motivated agents, and putting further draconian restrictions on them is not the way to do this.
It just makes far more sense to concentrate on doing what you do best, providing great service for your customers, and to offload the security, fraud and compliance risks to a SaaS provider.