The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle payment cards from the major card brands. While the standard itself applies to entities involved in payment card processing, the technology solutions employed by such entities are expected to facilitate compliance. Below is a summary of Bright Pattern features that enable contact centers to be PCI DSS compliant.
Bright Pattern supports multi-tier/zone operation for PCI-compliant enterprise and multi-tenant deployments. Tenants have access only to their own resources, and critical system-level functions can be firewalled independently. API access can be restricted to specific IP ranges. Each tenant has its own data encryption key that can be changed at any time and is protected by a key encryption key, which is stored separately.
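The per-tenant key hierarchy described above, as an added illustration rather than Bright Pattern's own code (the product's actual key handling is not described on this page): each tenant's data encryption key (DEK) is kept only wrapped under a key encryption key (KEK) that a separate component holds and passes in, the wrapped DEK is bound to its tenant, and the DEK can be rotated without touching the KEK. It uses AES-256-GCM through Ruby's OpenSSL binding; the tenant ids and the sample record used with it are constructed.

```ruby
require 'openssl'
require 'securerandom'
# AES-256-GCM seal: returns iv || tag || ciphertext; aad is authenticated, not encrypted.
def gcm_seal(key, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv # fresh 12-byte nonce per call
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct # 16-byte tag
end

# Reverses gcm_seal; raises OpenSSL::Cipher::CipherError on a wrong key, wrong aad or tampering.
def gcm_open(key, blob, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.auth_data = aad
  c.update(blob[28..-1]) + c.final
end

# A tenant's data encryption key (DEK) exists at rest only wrapped under the
# key encryption key (KEK), which a separate component holds and passes in.
class Tenant
  attr_reader :id, :wrapped_dek
  # The fresh DEK is wrapped with the tenant id as AAD, so one tenant's wrapped
  # key cannot be swapped in for another's.
  def initialize(id, kek)
    @id = id
    @wrapped_dek = gcm_seal(kek, SecureRandom.random_bytes(32), id)
  end

  # Unwrap the DEK in memory only, then protect or recover one record.
  def encrypt(kek, record)
    gcm_seal(gcm_open(kek, @wrapped_dek, @id), record, @id)
  end

  def decrypt(kek, blob)
    gcm_open(gcm_open(kek, @wrapped_dek, @id), blob, @id)
  end

  # Change the DEK without touching the KEK; returns the records re-encrypted.
  def rotate_dek!(kek, records)
    plain = records.map { |r| decrypt(kek, r) }
    @wrapped_dek = gcm_seal(kek, SecureRandom.random_bytes(32), @id)
    plain.map { |p| encrypt(kek, p) }
  end
end
```

After a rotation the previously stored ciphertexts no longer open, so re-encrypting every record the tenant owns is part of the key change, not an optional step.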
Bright Pattern uses a role-based system to control access to specific contact center functions, where access to client data is protected by special privileges. All user accounts are password protected, and password complexity rules can be enforced at the service provider level for all system- and tenant-level accounts. Passwords are never displayed or stored in clear text. Accounts can be locked out after a pre-defined number of unsuccessful login attempts. Compromised and inactive accounts can be deactivated without losing any configuration or historical data associated with them. Inactive admin-level user sessions are terminated automatically.
Storage and Transmission of Sensitive Data
All data elements where cardholder information may appear can be encrypted for storage. This includes voice and screen recordings, email content, chat transcripts, as well as custom fields of calling lists and activity forms. Use of secure protocols can be enforced for all external interfaces involving transmission of this data. Logging of such data can also be completely disabled in production mode. To support the recent PCI requirement that prohibits storage of sensitive authentication data (PIN, CVV, etc.) in any form, voice recordings can be paused either manually by agents or by a third-party application via API for the duration of cardholder authentication. The cardholder authentication process can be delegated to an IVR application.
Audit logs contain information about all login sessions, including unsuccessful attempts. For successful logins, all admin-level operations are logged, including the date/time, type of operation, and affected resources. Access to the audit log is protected by a dedicated privilege. The audit trail can be stored in a PCI-compliant manner (at least one year, with immediate access to at least the last three months).