PCI DSS customer responsibility matrix
This article describes how Payment Card Industry Data Security Standard (PCI DSS) requirements must be met in order to use the Genesys Cloud platform in a PCI-compliant manner. In accordance with requirement 12.8.5, this article indicates where the customer, Genesys Cloud, or both have responsibility to fulfill each PCI DSS requirement. The responsibilities indicated in the expandable matrix below do not replace or supersede pre-existing PCI DSS requirements that customers already have that apply to their own systems and practices.*
* For example, in the expandable matrix below, section 5 addresses responsibility for protecting all systems and networks from malicious software. This section of the matrix applies to Genesys Cloud-controlled systems. As shown by section 5.2.1, Genesys Cloud has responsibility for deploying anti-virus software on systems controlled by Genesys Cloud. Customers do not have any additional responsibility to deploy anti-virus software on Genesys Cloud-controlled systems. However, customers still have a responsibility to deploy anti-virus software on systems than the customer controls.
The Genesys Cloud platform achieved a PCI DSS assessment as a Level 1 Service Provider using version 4.0 of the PCI DSS standard. The Attestation of Compliance will be provided to customers under a non-disclosure agreement. Only Genesys Cloud features noted in the Report on Compliance as PCI-certified can be used to process, transmit, or store credit card information. PCI DSS requirements that apply only to a given Genesys Cloud feature are noted in the responsibility matrix. If a customer does not use that particular Genesys Cloud feature, those requirements do not apply.
The matrix below applies to customers using the native Genesys Cloud functionality. When a customer uses a third-party product, such as applications from the AppFoundry or technologies using the Bring your own technology services model, the customer and the third-party service provider may have additional shared responsibilities. These responsibilities are shared between the customer and the third-party service provider. The customer should check with the third-party service provider about PCI DSS compliance and shared responsibilities. Genesys Cloud does not share any additional PCI DSS responsibilities in this situation.
For more information, see PCI DSS compliance.
| Modified date (YYYY-MM-DD) |
Revision |
|---|---|
| 2024-07-01 | Updated matrix to include more details about Genesys and customer responsibilities. Consolidated the matrix into a single downloadable PDF document. |
| 2023-11-15 | Removed responsibilities not relevant to PCI DSS 4.0 standards. Remapped responsibilities for accuracy. |
| 2023-10-18 | Updated responsibilities and added new responsibilities pursuant to PCI DSS 4.0 standards. |
| 2023-03-22 | Added new responsibilities pursuant to PCI DSS 4.0 standards. |
