The solution takes advantage of the Zoom App Marketplace and Zoom Partner Solutions to enable PCI-compliant calls within an environment. There are many different ways to approach compliance, and the solution detailed below offers opportunities to minimize the scope of an environment.
For the purposes of this section we will focus on two primary entities: the Agent and the Consumer. The Agent is an individual using Zoom Contact Center who receives engagements through a voice, video, or messaging channel and is required to take payments from the Consumer in a secure fashion. The Consumer is the initiator of the engagement and the payment cardholder. While text-based payment channels are available, the example focuses on engagements across the voice channel.
Upon calling into Zoom Contact Center, the Consumer is directed through the menus and interactions defined by the administrative queue design before being routed to the designated Agent. After the engagement has started there are two media flow segments that allow the Agent and Consumer to communicate with each other over the voice channel: (1) media is sent from the Consumer to the PSTN and ZCC infrastructure, and (2) media is sent between the ZCC infrastructure and the Agent's client. This is also how a traditional call into Zoom Contact Center is set up.
Figure 2: Initial Phone Call setup
With the initial call established, the Agent is able to communicate with the Consumer until payment is to be collected. At that point, the Agent, within the PCI Pal Zoom App, (3) launches a session to begin the payment collection. Using a combination of Zoom's and PCI Pal's APIs, SIP is used to orchestrate additional call legs between the PSTN Provider, PCI Pal, and Zoom. These call legs facilitate the media negotiation in a manner that relieves Zoom and the Agent from processing, transmitting, and storing Cardholder Data. The initial call leg (4) remains connected between the PSTN Provider and Zoom. An additional call leg (5) is established from Zoom to PCI Pal. With call legs (4) and (5) successfully connected, media (6) is negotiated directly between the PSTN Provider and PCI Pal. While the media is within PCI Pal, the Cardholder Data is removed. PCI Pal sends the signaling with an associated media stream back to Zoom (7). Once received, Zoom reconnects the flow to the Agent (8).
The media flow from the PSTN to PCI Pal (6) contains Cardholder Data and is filtered upon entering the PCI Pal environment. The media is passed back to Zoom (7) and ultimately to the Agent (8). This media path is only active for the duration of the payment process, which typically takes only a few minutes. The Agent is able to maintain communication with the Consumer during this time. Because the Cardholder Data is removed from the media before it arrives at Zoom, services such as recording can be sustained throughout the experience without increasing compliance scope.
Figure 3: Payment in Process
After the payment is complete, the additional connections are automatically removed and media is re-established in the original setup: from the PSTN to Zoom (1) and from Zoom to the original Agent (2). An Agent is able to establish additional payment flows as needed.
Figure 4: Original Flow is re-established
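The scope reduction described across Figures 2 to 4 can be checked with a small data-flow model: follow the cardholder's audio along every media hop and record which components receive it before a filtering component strips the Cardholder Data. The following Python is an added example written for this page, not Zoom's or PCI Pal's code; the component names and hop numbers follow the figures above, and the treatment of PCI Pal as the single filtering node is an assumption of the model.

```python
"""Data-flow model of the call legs described in Figures 2 to 4 (constructed example).

Component names ("Consumer", "PSTN", "Zoom", "PCIPal", "Agent") and hop numbers
follow the document's figures; the propagation model itself is an assumption of
this example, not Zoom's or PCI Pal's code.
"""
from collections import deque
from typing import Iterable

Hop = tuple[str, str]  # (source component, destination component) of one media hop

# Figure 2 / Figure 4: the traditional call, before and after payment.
INITIAL_FLOW: list[Hop] = [
    ("Consumer", "PSTN"),
    ("PSTN", "Zoom"),      # media flow segment (1)
    ("Zoom", "Agent"),     # media flow segment (2)
]

# Figure 3: payment in process.  Consumer audio reaches PCI Pal before Zoom.
PAYMENT_FLOW: list[Hop] = [
    ("Consumer", "PSTN"),
    ("PSTN", "PCIPal"),    # media (6) negotiated directly between PSTN and PCI Pal
    ("PCIPal", "Zoom"),    # filtered media returned to Zoom (7)
    ("Zoom", "Agent"),     # Zoom reconnects the flow to the Agent (8)
    # Return direction: the Agent keeps talking to the Consumer during payment.
    ("Agent", "Zoom"),
    ("Zoom", "PCIPal"),
    ("PCIPal", "PSTN"),
    ("PSTN", "Consumer"),
]


def chd_scope(hops: Iterable[Hop],
              chd_sources: frozenset[str] = frozenset({"Consumer"}),
              filters: frozenset[str] = frozenset({"PCIPal"})) -> frozenset[str]:
    """Return the components that receive media still containing Cardholder Data.

    CHD enters at `chd_sources` (the cardholder reading out a card number) and
    follows every media hop.  A component in `filters` receives CHD, so it is in
    scope itself, but removes the data before forwarding, so nothing downstream
    of it is reached.  The sources themselves are not reported.
    """
    adjacency: dict[str, list[str]] = {}
    for src, dst in hops:
        adjacency.setdefault(src, []).append(dst)

    reached: set[str] = set()
    queue = deque(chd_sources)
    while queue:
        node = queue.popleft()
        if node in filters:
            continue  # CHD is stripped here; do not propagate past the filter
        for nxt in adjacency.get(node, []):
            if nxt not in reached and nxt not in chd_sources:
                reached.add(nxt)
                queue.append(nxt)
    return frozenset(reached)


def recording_out_of_scope(hops: Iterable[Hop]) -> bool:
    """True if Zoom never receives CHD on this topology, so call recording at
    Zoom does not pull the recording platform into PCI scope."""
    return "Zoom" not in chd_scope(hops)


def phase_report() -> dict[str, frozenset[str]]:
    """Scope of each phase.  'payment_without_redaction' models the same card
    read happening over the traditional flow, for comparison."""
    return {
        "initial_call": chd_scope(INITIAL_FLOW, chd_sources=frozenset()),
        "payment_with_pci_pal": chd_scope(PAYMENT_FLOW),
        "payment_without_redaction": chd_scope(INITIAL_FLOW),
        "restored_call": chd_scope(INITIAL_FLOW, chd_sources=frozenset()),
    }


if __name__ == "__main__":
    for phase, components in phase_report().items():
        print(f"{phase:28s} in-scope components: {sorted(components) or 'none'}")
```

Run as a script, the report shows that while payment is in process only the PSTN provider and PCI Pal receive Cardholder Data, whereas reading the same card over the traditional flow would bring Zoom and the Agent's client into scope. The model is deliberately topology-only: it does not check the SIP signaling that sets up legs (4) and (5), which is the part an assessor would verify separately.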