[rbobby]

Part of the solution is that the admin functions do not collect credit card details at all. So through the admin site/app a customer service rep can't do an actual purchase.

That won't stop a customer service rep from using the retail site though.

I suppose you could monitor the retail site's log files and throw notifications when a customer service IP makes a purchase. Maybe also throw notifications when a customer's repeat business comes from a different IP (though this could be noisy).

Trying to block customer rep access to the retail site might be pretty tough. You'd need to really lock down a rep's workstation because they could be remoting into their home machine... assuming the rep was out to steal cards. At this level of paranoia I would expect all calls to be "monitored for quality assurance".

Hmm... there's an idea for a call center application addon. Use voice to text and machine learning to identify calls where a credit card number is asked for and/or spoken. This could be pretty easy once the voice to text is right (basically looking for strings of digits, maybe with long pauses between groups or "ok", "got it", "yeah").