Genesys Cloud PCI compliance deals only with our handling of information on the Genesys Cloud platform, and its transmission of information to another platform. Your proposed workflow would need to be separately vetted by a PCI auditor, as it extends beyond the boundaries of Genesys Cloud, but the Genesys Cloud portion of this would remain in compliance by virtue of leveraging the secure flow and a data action to securely transmit PCI-related data to an external platform.
My response was really more in relation to the overall security of data actions, and specifically pointing out that the information sent to an external web service via a data action is 1. already encrypted via the TLS transport mechanism, and 2. not logged as part of the data action process. The mention of secure flows had more to do with further limiting logging and blocking recording. Encrypting strings prior to sending data over an encrypted channel is not really necessary if you're simply worried about protecting sensitive data.
------------------------------
Richard Schott
Genesys - Employees
------------------------------
Original Message:
Sent: 04-27-2021 11:46
From: Robert Wakefield-Carl
Subject: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?
Richard,
Are you saying that if from a Secure Flow, we send out credit card and token to another service like Lambda or an https web service to create the JWE, we will still remain PCI-compliant?
------------------------------
Robert Wakefield-Carl
Avtex Solutions, LLC
Contact Center Innovation Architect
robertwc@avtex.com
https://www.Avtex.com
https://RobertWC.Blogspot.com
Original Message:
Sent: 04-27-2021 09:50
From: Richard Schott
Subject: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?
What exactly are you trying to accomplish with the encryption? Is it a concern over securely transmitting it to the external web service? If so, all data actions utilize TLS 1.2 or 1.3 as the transport mechanism, and do not log the payloads of the request or response. Additionally, you can leverage secure IVR flows within Genesys Cloud, which eliminates logging and recording within the IVR session so the variables you're setting within the flow and sending to the external web service are not captured anywhere within Genesys Cloud.
------------------------------
Richard Schott
Genesys - Employees
Original Message:
Sent: 04-26-2021 23:17
From: Ajay Vadluri
Subject: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?
I think GC should natively provide us an option to encrypt the variables from Architect. When implementing any middleware like a Lambda function, we still have to send data as a JSON body to Lambda for encryption, and GC logs would still have sensitive data as plain text for data actions, so middleware still defeats the purpose. Other cloud vendors like inContact provide such flexibility as string functions: https://help.incontact.com/Spring21/EN/Content/Studio/Actions/SNIPPET/hash.htm?Highlight=encrypt. GC should have something like this in their roadmap. I have created an idea for this: https://genesyscloud.ideas.aha.io/ideas/CLPLA-I-1170. If you are interested, please vote for this.
------------------------------
Ajay Vadluri
Kroll Information Assurance Inc.
Original Message:
Sent: 04-26-2021 05:34
From: Taras Buha
Subject: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?
Hi Ajay,
As far as I know, GC does not have functionality to encrypt task/flow variables. But you can implement your own middleware between GC and the customer to encrypt data before sending it to customer endpoints.
------------------------------
Taras Buha
Noralogix PTY (Ltd)
Original Message:
Sent: 04-23-2021 03:26
From: Ajay Vadluri
Subject: can we encrypt flow variables in Architect before sending sensitive data via json body of post request to customer endpoints?
Can we encrypt task/flow variables for sending sensitive data in a JSON body to customer endpoints, in addition to the various security mechanisms provided by Genesys like HTTPS, mTLS, OAuth, etc.?
#PlatformAdministration
#Roadmap/NewFeatures
#Routing(ACD/IVR)
#Security
------------------------------
Ajay Vadluri
Kroll Information Assurance Inc.
------------------------------