PCI DSS compliance

PureCloud is committed to respecting the privacy of your and your customers’ information, including electronic cardholder data. PureCloud offers several deployment models that comply with PCI DSS (Payment Card Industry Data Security Standard) for accepting, processing, storing, or transmitting payment card information. By adhering to these standards, an organization ensures the security of credit, debit, and cash card transactions and protects cardholders against fraud or other misuse of their personal information. Ask a sales representative about specific compliance matters, including PCI DSS-compliant deployment models and third-party compliance verification.

What is PCI DSS?

PCI DSS is a proprietary information security standard for organizations that handle payment card information. The PCI Standard is mandated by payment card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually.

How has PureCloud’s PCI DSS compliance been validated?

PureCloud’s PCI DSS compliance has been validated by an external Qualified Security Assessor (QSA).

What level and version of PCI DSS compliance is PureCloud?

PureCloud is Service Provider Level 1 compliant with PCI DSS version 3.2.

Can I review the PureCloud Attestation of Compliance (AOC) for PCI DSS?

PureCloud may distribute the PCI DSS AOC to interested parties after they execute a non-disclosure agreement (NDA) with PureCloud.

To receive an NDA from PureCloud, contact your Customer Success Manager or sales account executive.

What features and deployment models are PCI DSS compliant?

Secure Pause and Secure Call Flows have been validated by an external Qualified Security Assessor as Level 1 PCI DSS-compliant. Both Secure Pause and Secure Call Flows are certified for PCI compliance with either local Edge devices or with virtual Edges and PureCloud Voice in any deployment region.

BYOC (Bring Your Own Carrier) Premises is PCI DSS compliant.

BYOC Cloud has not yet been validated for PCI DSS compliance.

Caution: Using non-PCI DSS-compliant services to store, process, or transmit cardholder data is not covered under the terms of the PureCloud license.

How can I sign up for PureCloud with PCI DSS compliance?

If you are an administrator, you can check the status of your organization’s PCI compliance by reviewing the PCI DSS compliance setting on the Manage Organization page: Settings tab. The PCI DSS compliance setting is sometimes referred to as the PCI DSS toggle.

If your organization requires a PCI-compliant PureCloud organization, please contact PureCloud Customer Care.

What is different in PureCloud with the PCI DSS compliance setting enabled?

PureCloud provides PCI DSS-compliant organizations a similar user interface and user experience as non-PCI DSS-compliant organizations. PCI DSS-compliant organizations disable the logging of DTMF and media capture by the Edge.

Note: PureCloud provides the same high level of security to all organizations. PCI DSS-compliant organizations and non-PCI DSS-compliant organizations are equally secure.

What are my responsibilities for using PureCloud in a PCI DSS-compliant manner?

First, contact PureCloud to enable the PCI setting, which is found on the Manage Organization page: Settings tab. This setting notifies PureCloud that you intend to use PureCloud for cardholder data transactions.

Next, determine how to handle transactions involving cardholder data in PureCloud. You have two options:

  • Use Secure Pause. When activated, Secure Pause temporarily stops recording to exclude sensitive information, such as entry of a credit card number. Before receiving cardholder data using PureCloud, an agent must always initiate Secure Pause to stop recording. After receiving cardholder data, the agent must deactivate Secure Pause to resume recording.
  • Use Secure Flow. When activated, a secure flow temporarily prevents system recording of, or agent access to, a caller’s entry of sensitive information, such as cardholder data. Before receiving cardholder data using PureCloud, an agent must transfer the call to a Secure Flow. After the cardholder data has been received, the call may be transferred back to the agent.

If you are using an Edge, you must choose TLS v1.2 for authentication.

For more information, see the PCI DSS customer responsibility matrix.

If you are using a third-party product, such as applications from the AppFoundry or technologies using the Bring your own technology services model, you and the third-party service provider may have additional shared responsibilities for operating PureCloud in a PCI DSS-compliant manner. Check with the third-party service provider about PCI DSS compliance and shared responsibilities.