PCI DSS compliance

Genesys Cloud is committed to respecting the privacy of your information and your customers' information, including electronic cardholder data. Genesys Cloud offers several deployment models that comply with PCI DSS (Payment Card Industry Data Security Standard) for accepting, processing, storing, or transmitting payment card information. By adhering to these standards, an organization ensures the security of credit, debit, and cash card transactions and protects cardholders against fraud or other misuse of their personal information. Ask a sales representative about specific compliance matters, including PCI DSS-compliant deployment models and third-party compliance verification.

What is PCI DSS?

PCI DSS is a proprietary information security standard for organizations that handle payment card information. The PCI Standard is mandated by payment card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually.

How has Genesys Cloud’s PCI DSS compliance been validated? 

Genesys Cloud’s PCI DSS compliance has been validated by an external Qualified Security Assessor (QSA).

What level and version of PCI DSS compliance is Genesys Cloud?

Genesys Cloud is Service Provider Level 1 compliant with PCI DSS version 3.2.

Can I review the Genesys Cloud Attestation of Compliance (AOC) for PCI DSS?

Genesys Cloud may distribute the PCI DSS AOC to interested parties after they execute a non-disclosure agreement (NDA) with Genesys Cloud.  

To receive an NDA from Genesys Cloud, contact your Customer Success Manager or sales account executive.

What features are PCI DSS-compliant?

Secure Pause and Secure Call Flows have been validated by an external Qualified Security Assessor as Level 1 PCI DSS-compliant. 

Two voice BYOT services, Amazon Lex and Google Dialogflow, have been validated by an external Qualified Security Assessor as Level 1 PCI DSS-compliant.

Caution: Using non-PCI DSS-compliant features to store, process, or transmit cardholder data is not covered under the terms of the Genesys Cloud license.

What deployment models are PCI DSS-compliant?

Genesys Cloud Voice is PCI DSS-compliant with either local Edge devices or virtual edges.

BYOC (Bring Your Own Carrier) Premises is PCI DSS-compliant.

BYOC Cloud is PCI DSS-compliant.

How can I sign up for Genesys Cloud with PCI DSS compliance?

If you are an administrator, you can check the status of your organization’s PCI compliance by reviewing the PCI DSS compliance setting on the Manage Organization page: Settings tab. The PCI DSS compliance setting is sometimes referred to as the PCI DSS toggle.

If your organization requires a PCI-compliant Genesys Cloud organization, please contact Genesys Cloud Customer Care.

What is different in Genesys Cloud with the PCI DSS compliance setting enabled?

Genesys Cloud provides PCI DSS-compliant organizations with a user interface and user experience similar to those of non-PCI DSS-compliant organizations. PCI DSS-compliant organizations disable the logging of DTMF and media capture by the Edge.

Note: Genesys Cloud provides the same high level of security to all organizations. PCI DSS-compliant organizations and non-PCI DSS-compliant organizations are equally secure.

What are my responsibilities for using Genesys Cloud in a PCI DSS-compliant manner?

First, contact Genesys Cloud to enable the PCI setting, which is found on the Manage Organization page: Settings tab. This setting notifies Genesys Cloud that you intend to use Genesys Cloud for cardholder data transactions.

Next, determine how to handle transactions involving cardholder data in Genesys Cloud. You have two options:

  • Use Secure Pause. When activated, Secure Pause temporarily stops recording to exclude sensitive information, such as entry of a credit card number. Before receiving cardholder data using Genesys Cloud, an agent must always initiate Secure Pause to stop recording. After receiving cardholder data, the agent must deactivate Secure Pause to resume recording.
  • Use Secure Flow. When activated, a secure flow temporarily prevents system recording or agent access to a caller’s entry of sensitive information, such as cardholder data. Before receiving cardholder data using Genesys Cloud, an agent must transfer a call to a Secure Flow. After cardholder data has been received, the call may be transferred back to the agent.
  • Use an approved BYOT service, either Amazon Lex or Google Dialogflow. Because Amazon Lex and Google Dialogflow are provided by third parties, you are responsible for ensuring that your license and use of those third-party services comply with their own terms for PCI DSS.

If you are using an Edge, you must choose TLS v1.2 for authentication.

For more information, see PCI DSS customer responsibility matrix.  

If you are using a third-party product, such as applications from the AppFoundry or technologies using the Bring your own technology services model, you and the third-party service provider may have additional shared responsibilities for operating Genesys Cloud in a PCI DSS-compliant manner. Check with the third-party service provider about PCI DSS compliance and shared responsibilities.