PCI Compliance in Zoom Contact Center

Discussing the Payment Card Industry's (PCI) requirements can often begin with grabbing a coffee. If you have ever engaged in these conversations, the results are often subjective, which leads to the general desire to descope an environment as much as possible. With the solution Zoom and PCI Pal have implemented, coffee becomes optional. In this post we will explore the implementation, its benefits, and how your organization may be able to descope its business processes.

Background on PCI

 
The PCI Security Standards Council has established a set of guidelines that regulate the handling of credit card information within various environments. The guidelines published by the council define the requirements for a merchant (the company that collects payments). The primary focus of the standards is to protect Card Holder Data (CHD) as it is shared across multiple systems. The merchant will leverage various vendors and solution providers to process the sale.
 
All of these components lead to a supporting Attestation of Compliance (AOC). The AOC enables the merchant to leverage various vendors' assertions to form their own AOC. Depending on the solution design and quantity of transactions, there could be quite a large effort to remediate and maintain a Card Holder Environment (CHE).
 
Figure 1: Combining Vendor AOCs to support a Customer AOC and a PCI Compliant Design
 
 
As we discuss the implementation and how it can benefit an organization, it is important to be mindful of the overall flow of the Card Holder Data. Wherever Card Holder Data is present, compliance audits may be required. With the Zoom solution highlighted below, a merchant has the option to minimize this environment and its associated costs.
 
We will take a look at how Zoom and PCI Pal work together behind the scenes to enable customers to achieve PCI compliance in Zoom Contact Center.

Solution Overview

The solution takes advantage of the Zoom App Marketplace and Zoom Partner Solutions to enable PCI Compliant calls within an environment. There are many different ways to approach compliance, and with the solution detailed below there are opportunities to minimize the scope of an environment.
 
For the purposes of this section we will focus on two primary entities: the Agent and the Consumer. The Agent is an individual using Zoom Contact Center who receives engagements through a voice, video, or messaging channel and is required to take payments from the Consumer in a secure fashion. The Consumer is the payment cardholder who initiates the engagement. While text-based payment channels are available, the example below focuses on engagements over the voice channel.
 
Upon calling into Zoom Contact Center, the Consumer is directed through the menus and interactions defined by the administrative queue design before being routed to the designated Agent. Once the engagement has started, two media flow segments allow the Agent and Consumer to communicate over the voice channel: (1) media is sent between the Consumer, the PSTN, and the ZCC infrastructure, and (2) media is sent between the ZCC infrastructure and the Agent's client. This is the same flow as a traditional call into Zoom Contact Center.
 
 

Figure 2: Initial Phone Call setup

 

With the initial call established, the Agent is able to communicate with the Consumer until a payment needs to be collected. At that point, the Agent, within the PCI Pal Zoom App, (3) launches a session to begin the payment collection. Using a combination of Zoom's and PCI Pal's APIs, SIP is used to orchestrate additional call legs between the PSTN Provider, PCI Pal, and Zoom. These call legs facilitate the media negotiation in a manner that relieves Zoom and the Agent from processing, transmitting, and storing Card Holder Data. The initial call leg (4) remains connected between the PSTN Provider and Zoom. An additional call leg (5) is established from Zoom to PCI Pal. With call legs (4) and (5) successfully connected, media (6) is negotiated directly between the PSTN Provider and PCI Pal. While the media is within PCI Pal, the Card Holder Data is removed. PCI Pal sends the signaling with an associated media stream back to Zoom (7). Once received, Zoom reconnects the flow to the Agent (8).
 
This media flow from the PSTN to PCI Pal (6) contains Card Holder Data and is filtered upon entering the PCI Pal environment. The media is passed back to Zoom (7) and ultimately to the Agent (8). This media path is only active for the duration of the payment process, which typically takes only a few minutes. The Agent is able to maintain communication with the Consumer during this time. Because the Card Holder Data is removed before the media arrives at Zoom, services such as recording can continue throughout the experience without increasing compliance scope.
 

Figure 3: Payment in Process

 

After the payment is complete, the additional connections are automatically removed and media is re-established in the original setup: from the PSTN to Zoom (1) and from Zoom to the original Agent (2). An Agent is able to establish additional payment flows as needed.

Figure 4: Original Flow is re-established

Solution Takeaways

One of the items that may not be immediately obvious is that Zoom Contact Center services remain available for the call. Because the Card Holder Data is removed before the media arrives at Zoom, the interaction can take advantage of Zoom Contact Center's features, from recording, transcription, and sentiment analysis to Quality Management for supervisory functions.
 
The architecture described above is unique to Zoom Contact Center and has multiple design benefits. Other designs require every call that might need payment information to be connected to the payment processor (e.g., for signaling), whether or not a payment actually occurs. With Zoom as the core routing engine, only the calls that need to reach a payment processor establish connections to the integrated systems, and only for the duration needed. This allows call flows to operate normally unless a payment is needed, and it makes for smoother operation should a payment need to be taken unexpectedly.
 
Many other flows persistently connect through the secure payment solution. Aside from latency considerations, the other added benefit of the on-demand solution concerns failure domains. While each of these systems individually has high availability, systems connected in series have a combined SLA that is lower than any one of them. With the on-demand design implemented in Zoom Contact Center, the Consumer can still be connected to the Agent even if the payment integration has an issue.
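As an added example (not Zoom's or PCI Pal's code), the following constructed model of the call legs from Figures 2 through 4 checks which systems ever receive Card Holder Data during a payment and compares the series availability of a persistently connected design against the on-demand design described here. The system names and availability figures are assumed placeholders.

```python
import math
from dataclasses import dataclass

# Constructed model of the media segments labelled in the post's figures.
# Availability figures used with it are assumed placeholders, not vendor SLAs.

@dataclass(frozen=True)
class Segment:
    number: int        # segment/leg number as labelled in the post
    src: str
    dst: str
    carries_chd: bool  # True if Card Holder Data is on the wire for this segment

# Figure 2: traditional call, no payment in progress.
INITIAL = [Segment(1, "PSTN", "Zoom", False), Segment(2, "Zoom", "Agent", False)]

# Figure 3: payment in progress. Legs (4) and (5) are signaling legs kept up so
# that media (6) can be negotiated directly between the PSTN provider and PCI Pal.
PAYMENT = [
    Segment(4, "PSTN", "Zoom", False),
    Segment(5, "Zoom", "PCIPal", False),
    Segment(6, "PSTN", "PCIPal", True),   # CHD enters PCI Pal here and is removed
    Segment(7, "PCIPal", "Zoom", False),  # filtered media returned to Zoom
    Segment(8, "Zoom", "Agent", False),   # Agent hears the call without CHD
]

def chd_recipients(segments):
    """Systems that receive media still containing Card Holder Data."""
    return {s.dst for s in segments if s.carries_chd}

def components(segments):
    """Every system (excluding the Agent endpoint) that the phase depends on."""
    return {c for s in segments for c in (s.src, s.dst)} - {"Agent"}

def series_availability(systems, availability):
    """Systems in series: combined availability is the product of each one's."""
    return math.prod(availability[s] for s in systems)

def compare_designs(availability):
    """Voice-path availability: on-demand legs vs a persistent payment integration."""
    on_demand_voice = series_availability(components(INITIAL), availability)
    persistent_voice = series_availability(components(INITIAL) | {"PCIPal"}, availability)
    return on_demand_voice, persistent_voice

if __name__ == "__main__":
    assumed = {"PSTN": 0.9999, "Zoom": 0.9999, "PCIPal": 0.999}  # placeholders
    print("CHD recipients during payment:", chd_recipients(PAYMENT))
    print("voice availability (on-demand, persistent):", compare_designs(assumed))
```

The on-demand design only pulls PCI Pal into the dependency chain while a payment is in progress, so a fault in the payment integration affects the payment step rather than the Consumer-to-Agent voice path.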
 
Lastly, Zoom's platform-based design allows these integrations to be leveraged by users outside Zoom Contact Center. Zoom Phone has similar capabilities that can be used if the user is not associated with a Zoom Contact Center queue.
 
On top of these unique benefits, integrating with PCI Pal and assessing the Agent's workflows may enable your organization to limit its PCI scope.

In Closing

Balancing the compliance and technology needs of a contact center that supports payments requires careful navigation. Zoom Contact Center's integration with PCI Pal provides additional flexibility to help reduce compliance complexity. We will be posting further articles focusing on how the integration is configured from the Administrator's point of view.