The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. All merchants that process credit cards must be PCI compliant. More information is available on the PCI Website.
Contact Cloud is a PCI-compliant merchant and can securely accept credit card payments for its services. We use a third-party tokenization service to process all credit card payments, so we do not store any customer Cardholder Data ourselves.
If you expect that potentially sensitive cardholder data may be discussed over the phone, we recommend that you take extra steps to ensure that information is not stored. Sensitive data includes the account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Recommendations to Protect Phone Call Data (see also: http://help.bipath.io/en/articles/4121686-redacting-information-for-privacy):
Enable secure transcriptions: With Contact Cloud secure call transcriptions the system will detect when credit card information, social security information, or phone numbers are spoken during a call, tag the call appropriately, and redact that information from your call transcriptions and associated call recording.
Disable call recording: One way to be compliant is not to process, store, or transmit cardholder data on Contact Cloud such as in call recordings. You can turn on and off call recording on the call settings page (found within the numbers menu) for each of your accounts.
Stop/start recording: If you do need to record calls, both the Contact Cloud softphone and the API allow your agents to turn recording off and on while a call is in progress, so that the portion of the call in which sensitive information is exchanged is not recorded.
Redact Data from Contact Cloud Regularly: Redaction removes personal information from records of calls, texts, live chats and forms in your account. If you are obligated to comply with PCI, GDPR or CCPA, or have other privacy concerns, you can enable redaction to manually or automatically remove personally identifying information from customer interactions in your account.
Limit Use of Call Notifications: Post-call notifications trigger emails each time a call comes in that matches criteria you have set. These emails often include links to listen to the audio recording of the call. To avoid sending such emails, either do not set up notifications for your accounts or, when setting up a notification, choose not to include the audio recording field.
Do Not Use Online Fax for Sensitive Data: Do not use Contact Cloud’s Online Fax service to transmit sensitive data covered under PCI.
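As an illustration of the kind of detection and redaction described under secure transcriptions and redaction above, here is an added example (not Contact Cloud's code) that scans a constructed call transcript for card numbers and US social security numbers and masks them. It validates candidate card numbers with the Luhn checksum so that other long digit strings (order numbers, ticket references) are left untouched; the transcript text and the redaction markers are assumptions.

```python
import re

# Constructed sample transcript for demonstration; not a real interaction.
SAMPLE_TRANSCRIPT = (
    "Agent: can you confirm the card number? "
    "Caller: sure, it's 4111 1111 1111 1111, expiry 09/27. "
    "Agent: and your social? Caller: 123-45-6789. "
    "Agent: thanks, your ticket reference is 1234 5678 9012 3456 "
    "and your order number is 2024-0001."
)

# 13 to 19 digits, each optionally followed by a space or dash (spoken numbers
# are usually transcribed in groups). Ends on a digit so no trailing separator
# is swallowed.
DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")
# US SSN as commonly transcribed: 3-2-4 digits with dashes.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace Luhn-valid 13-19 digit runs with a marker keeping only the last 4 digits."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return match.group(0)   # not a card number: leave it alone
    return DIGIT_RUN.sub(repl, text)


def redact_transcript(text: str) -> str:
    """Apply PAN and SSN redaction. Names, addresses and expiry dates need separate handling."""
    return SSN.sub("[SSN REDACTED]", redact_pans(text))


if __name__ == "__main__":
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```

The Luhn check only filters out strings that cannot be card numbers; it does not prove the remaining digits are a card, so a production redactor would also act on context (for example the agent asking for "the card number") rather than on digits alone.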
Enable Two-Factor Authentication to Access Account: Two-factor authentication can be turned on at the agency level within the agency settings page (“manage feature access”). With this on, the system will send users a text message with a code to enter to log into any accounts within the agency. This can be required at each login or every 30 days, whichever you prefer. This adds an extra level of security for anyone trying to access any accounts in your agency.
As always, we recommend that customers seek guidance from their legal counsel if they have any compliance questions concerning their use of Contact Cloud. Contact Cloud does not provide legal advice, and it is up to the customer to determine how to best architect their use of Contact Cloud in order to comply with applicable laws.