What are some FAQs regarding the PI Pod (PCI)?
PCI/DSS, PI pod
Below are just a few considerations for implementing an Oracle B2C Service site within the PCI pod. See the Guidance documentation (link below) for more information.
1. What level of certification is the Payment Card Industry (PCI) environment (PI Pod)?
Oracle B2C Service is certified as a Payment Card Industry Data Security Standard (PCI DSS) Service Provider Level I, which is the highest level available/possible.
2. Will our customers' credit card/social security number information be masked/encrypted?
Yes, customer sites in the PCI Cloud may store PANs (Primary Account Numbers, i.e. credit card numbers) and/or SSNs in their databases. By default, the PANs will be masked when accessing the site via the Agent Desktop or Web interface.
Example: ****-****-****-**** or ***-**-****
3. What is shared in the PCI environment?
Everything is shared (all hardware) except:
- Exchange root
- Own DB
- Unique authentication credentials at the database tier
- Own application environment
4. Can we still use our custom domain in the PI pod?
Yes; however, an SSL certificate from a vendor (DigiCert is recommended) and SSL support will need to be purchased. It is recommended to reach out to your Sales Account Executive for purchasing information.
Another option would be to use a custhelp.com domain that we provide you.
5. How do we obtain vulnerability scans and/or penetration tests of your site?
Customers sometimes request to perform their own vulnerability scans or penetration tests on their PCI site(s). Oracle B2C Service does not permit this under any circumstances for routine audits. We will provide third-party scan and audit reports to current PCI customers, under an NDA. Speak to your Sales Account Manager for additional information.
6. Is HTTP supported on the PI Pod?
All sites in the PI Pod must be HTTPS. We do not support HTTP traffic to these environments. Any workaround solution will require an Oracle Consulting Services engagement to securely transport the data.
7. What will happen to my customizations?
Site customizations in the PCI environment must be reviewed prior to moving into the PCI Cloud, and then once annually. The initial review takes place during the pre-screen and security audit process prior to the PCI migration. Customizations will either be OK'd by Oracle Consulting or, if additional changes need to be made for them to be compliant, those changes will be scoped by Oracle Consulting.
8. When should the actual migration be scheduled?
It is suggested that the migration be conducted during off-peak business hours, when the fewest agents and customers will be affected.
9. What is the expected downtime during migration?
Every customer is different. Typical downtime depends on the size of the site and its customizations. The length of the migration depends on a number of factors; from experience, the number of mailboxes plays a large role in the time it takes. Each mailbox has to perform an LDAP call back to CA, which is time consuming.
Time should also be allowed for DNS to propagate around the world. However, there is a process in place that will allow agents and end-users to access your site from the previous pod until DNS propagates. It all depends on where the agent/end-user is located. Agents may or may not need to log in and out of the application.
10. What protocols are supported for secure channel POP email?
- SSL/TLS for transmission of web inquiries and chat conversations
- S/MIME for end-to-end secure delivery of email
- Opportunistic TLS on our SMTP gateways
- We do not support POP3S for email retrieval
For additional information, please see the PCI DSS Responsibility Matrix.
For more information on implementing in a regulated environment such as PCI or HIPAA, please see Answer ID 9570: Guidance for Implementing in PCI or HIPAA Service Cloud Environment for specific deployment considerations.
If additional information is needed, please speak to your Sales Account Manager.