What are some FAQs regarding the PCI Pods?
Environment:
PCI pods (Includes US Federal Government pods)
Resolution:
Below are just a few considerations for implementing an Oracle B2C Service site within a PCI pod. See the Guidance documentation (link below) for more information.
1. What level of certification are the Payment Card Industry (PCI) environments?
Oracle B2C Service is certified as a Payment Card Industry Data Security Standard (PCI DSS) Service Provider Level I, which is the highest level available/possible.
2. Will our customers' credit card information be masked and/or encrypted?
By default, any Personal Account Numbers (PANs) captured will be masked on the user interface when accessing the site via the Agent Desktop Console or Browser User interface.
Example: ****-****-****-**** or ***-**-****
Any PAN captured intentionally must be stored in an encrypted custom attribute and appropriate profile established for those users that are permitted to see PAN. Documentation on how to setup these types of fields can be found here: https://docs.oracle.com/en/cloud/saas/b2c-service/famug/t-Add-a-field-to-a-custom-object-bf1194075.html
All accidentally provided PAN must be removed from your site. There are several features available to assist in preventing the capture:
- Incident Thread Masking – automatically and permanently truncate personal account number (PAN) when stored if entered into Incident Thread field.
- Chat Inlays Masking – automatically and permanently truncate personal account number (PAN) when entered into a Chat Message prior to being sent from the end-user’s window.
- Chat Masking using Enhanced Business Rules – automatically and permanently truncate personal account number (PAN) when stored if entered into Chat Question or Message field.
3. Can we still use our custom domain in the PCI environment?
Yes, however, an SSL certificate from a vendor (DigiCert is recommended) and SSL support will need to be purchased. It is recommended to reach out to your Sales Account Executive for purchasing information.
Another option would be to use a custhelp.com domain that we provide you.
4. How do we obtain vulnerability scans and/or penetration tests of your site?
Customers sometimes request to perform their own vulnerability scans or penetration tests on their PCI site(s). Oracle B2C Service does not permit this under any circumstances for routine audits. We will provide third-party scan and audit reports to current PCI customers, under an NDA. Speak to your Sales Account Manager for additional information.
5. Is HTTP supported in the PCI environment?
All sites in the PCI Pods must use HTTPS. We do not support HTTP traffic to these environments. Any work-around solution will require an Oracle Consulting Services engagement, to securely transport the data.
6. What will happen to my customizations?
Site customizations in the PCI environment must be reviewed prior to being moved into your production site. They are reviewed during this pre-screening process as well as during the regular security audit process. Customizations are assessed by your Technical Account Manager (TAM). The outcome of these reviews results in one of the following:
- an approval to move forward, or
- assistance by TAM with the technical team to adjust accordingly, or
- a recommendation to work with Oracle Consulting or an external Partner/resource to ensure the customizations won’t compromise your data security.
7. What protocols are supported for secure channel pop email?
- SSL/TLS for transmission of web inquiries and chat conversations
- S/MIME for end-to-end secure delivery of email
- Opportunistic TLS on our SMTP gateways
- We do not support pop3s for email retrieval
For additional information, please see the PCI DSS Responsibility Matrix.
For more information on implementing in a regulated environment such as PCI or HIPAA, please see Answer ID 9570: Guidance for Implementing in PCI or HIPAA Service Cloud Environment for specific deployment considerations.
If additional information is needed, please speak to your Sales Account Manager.