PCI DSS Compliance
Build and Maintain a Secure Network and Systems
PCI DSS Requirements | Expertflow Compliance | Comments |
---|---|---|
Install and maintain a firewall configuration to protect customer data | COMPLIANT | Hybrid Chat can be deployed behind a firewall. This is the responsibility of the client/partner's network operations team. |
Do not use vendor-supplied defaults for system passwords and other security parameters | COMPLIANT | You can specify an admin password of your choice at deployment time. The password can also be changed later in the configuration files. |
The system should enforce a policy requiring each newly created user to immediately change the password supplied by the admin at creation time. | PARTIAL-COMPLIANT | For Cisco-integrated deployments, user management is handled directly within the contact center. However, Expertflow does not enforce this policy in stand-alone deployments where users are created within the Expertflow system. |
Passwords must be at least 4 and at most 16 characters long. They may contain numbers, characters and symbols, and should contain a combination of upper- and lower-case letters. Each new password must start with a letter, and that first letter must be uppercase. | PARTIAL-COMPLIANT | Passwords must be at least 8 characters long; the other policies are not implemented yet. |
Every new or changed password must differ from the last 4 (most recently set) passwords. | NON-COMPLIANT | |
Users should be limited to a maximum of 4 failed login attempts. On the fourth wrong login attempt, the system should block the user for a certain period, which may be extended to 30 or 60 minutes. | NON-COMPLIANT | |
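The three account-policy rows above (password complexity, no reuse of the last 4 passwords, lockout after the 4th failed attempt) together with the forced change of the admin-supplied password describe a small, well-defined mechanism. The following is an added reference implementation written for this page; it is not Expertflow code and does not reflect how Hybrid Chat implements these rules. The `Account` class, the `check_password_policy` helper, the 30-minute lockout (the requirement allows 30 or 60) and the PBKDF2 iteration count are all choices made here; salted PBKDF2 is used for storage so that no password is readable at rest.

```python
"""Account-policy enforcement for the PCI DSS password rows above:
complexity (4..16 chars, starts with an uppercase letter, mixed case),
no reuse of the last 4 passwords, forced change of the admin-supplied
password, and a 30-minute lockout after the 4th failed login.
Added example, not Expertflow code; constants below are assumptions
except where the comment cites the requirement text."""
import hashlib
import hmac
import os
import re
import time

MIN_LEN, MAX_LEN = 4, 16        # requirement: at least 4, at most 16 characters
HISTORY_DEPTH = 4               # requirement: differ from the last 4 passwords
MAX_FAILED_ATTEMPTS = 4         # requirement: block on the 4th wrong attempt
LOCKOUT_SECONDS = 30 * 60       # requirement allows 30 or 60 min; 30 chosen here
PBKDF2_ITERATIONS = 100_000     # assumption: cost parameter for stored hashes


def check_password_policy(pw: str) -> list[str]:
    """Return the list of rule violations (empty list means acceptable)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not pw[:1].isalpha():
        problems.append("must start with a letter")
    elif not pw[0].isupper():
        problems.append("first letter must be uppercase")
    # "combination of upper and lower case": the uppercase half is already
    # guaranteed by the first-letter rule, so only lowercase needs a check.
    if not re.search(r"[a-z]", pw):
        problems.append("must contain a lowercase letter")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """One user record; `clock` is injectable so lockout expiry is testable."""

    def __init__(self, username: str, admin_password: str, clock=time.monotonic):
        self.username = username
        self.clock = clock
        self.history: list[tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.must_change_password = True   # admin-supplied password must be replaced
        self._store(admin_password)

    def _store(self, pw: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        del self.history[:-HISTORY_DEPTH]     # keep only the last 4 hashes

    def _matches(self, pw: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(pw, salt), digest)

    def set_password(self, new_pw: str) -> list[str]:
        """Apply the policy and the history rule; returns violations ([] on success)."""
        problems = check_password_policy(new_pw)
        if any(self._matches(new_pw, e) for e in self.history):
            problems.append(f"must differ from the last {HISTORY_DEPTH} passwords")
        if not problems:
            self._store(new_pw)
            self.must_change_password = False
        return problems

    def login(self, pw: str) -> str:
        """Returns 'ok', 'change_password', 'bad_password' or 'locked'."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"                    # still inside the lockout window
        if self._matches(pw, self.history[-1]):
            self.failed_attempts = 0
            return "change_password" if self.must_change_password else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"                    # 4th wrong attempt triggers the block
        return "bad_password"


if __name__ == "__main__":
    acct = Account("agent1", "Welcome1")       # constructed sample account
    print(acct.login("Welcome1"))              # change_password
    print(acct.set_password("welcome2"))       # ['first letter must be uppercase']
    print(acct.set_password("Welcome1"))       # ['must differ from the last 4 passwords']
    print(acct.set_password("Welcome2"))       # []
    for _ in range(4):
        print(acct.login("wrong"))             # bad_password x3, then locked
    print(acct.login("Welcome2"))              # locked
```

The lockout counter resets on a successful login and after a block expires, and the history check runs against all stored hashes rather than only the current one, which is what makes "differ from the last 4" hold across successive changes.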
Protect Customer Data across Open, Public Networks
PCI DSS Requirements | Expertflow Compliance | Comments |
---|---|---|
Use strong cryptography and security protocols such as SSL/TLS, SSH or IPsec to safeguard sensitive customer data during transmission over open, public networks (e.g. the Internet, wireless technologies, Global System for Mobile Communications [GSM], General Packet Radio Service [GPRS]). | COMPLIANT | All public communication is secured using TLS 1.2 with certificates. |
Maintain a Vulnerability Management Program
PCI DSS Requirements | Expertflow Compliance | Comments |
---|---|---|
Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. | COMPLIANT | Every major product release is scanned for any new vulnerabilities using Trivy. |
Develop internal and external software applications (including web-based administrative access to applications) securely, in accordance with PCI DSS (for example, secure authentication and logging). | PARTIAL-COMPLIANT | Role-based security via the centralized User Management module is implemented for most application interfaces. However, some APIs and URLs are still unsecured; they will all be secured by the new Identity and Access Management module in the next major Hybrid Chat release, 4.0. |
Implement Strong Access Control Measures
PCI DSS Requirements | Expertflow Compliance | Comments |
---|---|---|
Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. | NON-COMPLIANT | Policy-based security with role-based permissions is under development and expected in Hybrid Chat release 4.0. |
Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. | NON-COMPLIANT | This is not yet planned but may be scheduled in response to customer demand after the major Hybrid Chat release 4.0. |
Render all passwords unreadable during storage and transmission, for all system components, by using strong cryptography. | NON-COMPLIANT | This will be available in Hybrid Chat release 4.0. |
Ensure proper user identification and authentication management. | PARTIAL-COMPLIANT | This is already partially supported via the User Management module, which will be replaced by Keycloak for Identity and Access Management in Hybrid Chat release 4.0. |
Regularly Monitor and Test Networks
PCI DSS Requirements | Comments |
---|---|
Track and monitor all access to network resources and customer data | This is the customer/partner's responsibility. |
Regularly test security systems and processes | This is the customer/partner's responsibility. |
Maintain an Information Security Policy
PCI DSS Requirements | Comments |
---|---|
Maintain a policy that addresses information security for all personnel. | This is the customer/partner's responsibility. |