The Inner Circle


Requirements for having PCI data pass through your system

  • 1.  Requirements for having PCI data pass through your system

    Posted May 27, 2021 12:20:00 AM
    We are a SaaS company and I have a PCI certified customer that would like to pass us audio calls, where those calls contain credit card information. My firm would remove the PCI information and analyse those calls, providing those insights back to the customer.

    A concern has come up because we are not PCI certified, and we will be receiving the data. I'm interested in how other companies have dealt with this. All the PCI information is removed when we receive the data, i.e. we never save or store this data.

    Is there another way to work with PCI Compliant companies without having to be certified yourself?


    ------------------------------
    Greg Collins
    CTO
    ------------------------------


  • 2.  RE: Requirements for having PCI data pass through your system

    Posted May 27, 2021 02:02:00 AM


    Does a SaaS company require certification to work with a PCI-compliant company?...


  • 3.  RE: Requirements for having PCI data pass through your system

    Posted May 27, 2021 02:54:00 AM
    Hi Greg,
    Your company provides a service in scope for PCI-DSS, and your customer should require proof of compliance against PCI-DSS.
    Unfortunately, if you are in scope, you have to be compliant. Your customer is probably assessed as a Merchant, but your company has to be assessed as a PCI-DSS Service Provider. To understand the Service Provider level, you need to speak with your customer and QSA.
    Without your compliance, even your customers are at risk of non-compliance.

    Thanks,

    ------------------------------
    Marco Ricci
    ------------------------------



  • 4.  RE: Requirements for having PCI data pass through your system

    Posted May 27, 2021 02:26:00 PM
    Thanks Marco,

    Is there a sub-level of PCI-DSS Compliance that I could be certified for?

    I was considering this against Open Banking, where they have a certification for the data holder i.e. Bank, and another certification for the Data Recipient i.e. a FinTech who might analyse your banking transactions.

    ------------------------------
    Greg Collins
    CTO
    ------------------------------



  • 5.  RE: Requirements for having PCI data pass through your system

    Posted May 28, 2021 03:20:00 AM
    Hi Greg,
    That's correct; your company has to be assessed against PCI-DSS.
    In PCI-DSS, there are only two levels for Service Providers, and the criteria are straightforward:
    Level 1: Service providers that process, transmit and/or store more than 300,000 transactions per year.
    Level 2: Service providers that process, transmit and/or store fewer than 300,000 transactions per year.
    Different levels mean different annual validation criteria.
    Very important: review the contract with your "PCI-DSS customers"; you should have clauses related to PCI-DSS.

    ------------------------------
    Marco Ricci
    Senior Cyber Compliance Manager
    ------------------------------



  • 6.  RE: Requirements for having PCI data pass through your system

    Posted May 28, 2021 02:10:00 PM
    Hi Greg,

    Can you have them remove the PCI data before you get the audio? You are definitely in scope as a service provider since you will have access to PCI data.

    This is really a liability for both you and your customer. Your customer shouldn't be giving you the PCI data if they don't need to and can remove it prior to giving it to you.

    Or is there a third party service that is PCI certified that you can use to scrub the data before sending it to you? You would have to get your customer on board, but it will be cheaper and less burdensome for your organization to go this route.

    Troy

    ------------------------------
    Troy Fine
    Schneider Downs
    ------------------------------



  • 7.  RE: Requirements for having PCI data pass through your system

    Posted May 30, 2021 11:02:00 PM
    Hi Troy, thanks for your comments.

    Because we are not PCI certified the customer won't be giving us this data. I was hoping there was something I could do to mitigate the risk on both sides, but it is clear that is not possible.

    Thanks again for your feedback.

    ------------------------------
    Greg Collins
    ------------------------------



  • 8.  RE: Requirements for having PCI data pass through your system

    Posted May 31, 2021 07:22:00 AM
    Greg:

    If it's not too late, one alternative could be running the tool(s) that remove the payment card info in the customer's environment that's already PCI-DSS compliant and then have it transferred to the SaaS app for processing.

    ------------------------------
    Mosi Platt
    ------------------------------



  • 9.  RE: Requirements for having PCI data pass through your system

    Posted Jun 01, 2021 06:27:00 AM
    AWS and GCP have useful tools - maybe not 100% "off the shelf" but it should be relatively practical with one of the cloud tools or many other 3rd party tools:

    voice to text redaction:
    https://aws.amazon.com/blogs/aws/now-available-in-amazon-transcribe-automatic-redaction-of-personally-identifiable-information/

    audio redaction:
    https://docs.aws.amazon.com/connect/latest/adminguide/sensitive-data-redaction.html

    image PII redaction:
    https://aws.amazon.com/blogs/machine-learning/de-identify-medical-images-with-the-help-of-amazon-comprehend-medical-and-amazon-rekognition/

    I'm sure this wasn't the answer you wanted from a "how to get this deal signed this quarter" view. But in case others stumble upon this thread.


    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 10.  RE: Requirements for having PCI data pass through your system

    Posted Jun 01, 2021 08:12:00 AM
    Hi Greg,

    You can use ZafePass VPC to get access to the client's PCI information. There are several options .. you can operate ZafePass VPC (there's no hardware) ... you can host it with a provider, your client can have a ZafePass VPC installation, or it can be placed in a public cloud ... depending on where the PCI data is. Once the ZafePass Gateway is pointed at the PCI info, any user getting the agent for this specific setup ... will be the only one having access to only that resource. Feel free to contact me for any questions ... and feel free to dump my suggestion if not applicable - but if you want a secure (and I mean extremely secure) connectivity solution to any IT resource, service, application or any data .. we got a nice way to do this. You can see more in the enclosed PDF.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    +4593631300
    ------------------------------




  • 11.  RE: Requirements for having PCI data pass through your system

    Posted Jun 02, 2021 07:39:00 AM
    The way I am reading this is that the service you are providing is about the data analysis, and the PCI data removal is just to avoid you storing it, not part of the service to your client. If that's correct, I'd make a couple of observations. Your client is storing call data that includes card data. That's not permitted under PCI DSS unless the data is encrypted. If it is encrypted and they pass you encrypted card data and you have no way to decrypt it yourself, then you are probably off the hook for PCI compliance. On the other hand, if they are storing unencrypted card data, then they need to deal with that themselves before bringing your service in.

    ------------------------------
    Steve Hancock
    Information security consultant
    Acacia Infosec
    ------------------------------



  • 12.  RE: Requirements for having PCI data pass through your system

    Posted Jun 02, 2021 08:00:00 AM
    Assuming the whole audio file is encrypted at rest and in transit. But then when they transfer it to the downstream service provider, for it to be useful it must be unencrypted (presumably to be re-encrypted under a new key by the recipient). The sender of course could "partially encrypt" just the cardholder data embedded in the audio stream, though this is not likely an off the shelf tool (I haven't researched it), but I would argue just redact it.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------
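Posts 8, 9 and 12 above converge on the same design: strip the primary account number (PAN) inside the customer's PCI DSS environment and hand the downstream SaaS only the scrubbed transcript, so the recipient never holds cardholder data. The block below is an added illustration of that scrubbing step for the text stage of a speech-to-text pipeline; it is not code from the thread or from any of the vendors or cloud services mentioned. It assumes the transcript has already been produced, handles both digit strings and spoken digits ("four one one one ..."), uses the Luhn mod-10 check so that order references and phone numbers are not redacted by mistake, and exposes `is_clean()` as the gate to run before anything is transferred. The transcript lines and the order reference are constructed; 4111 1111 1111 1111 is a well-known non-issued test number.

```python
"""Added example: redact PANs from a call transcript inside the PCI DSS environment
before the transcript is sent to a non-certified downstream provider."""
import re

# Spoken digits as many speech-to-text engines render them; "oh" is a common rendering of zero.
DIGIT_WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
_WORD = "(?:" + "|".join(DIGIT_WORDS) + ")"
# A run of four or more spoken digits separated by whitespace.
SPOKEN_RUN = re.compile(rf"\b(?:{_WORD}\s+){{3,}}{_WORD}\b", re.IGNORECASE)

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; real PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_spoken_digits(text: str) -> str:
    """Turn runs of spoken digits into a digit string so the PAN regex can see them."""
    return SPOKEN_RUN.sub(
        lambda m: "".join(DIGIT_WORDS[w.lower()] for w in m.group(0).split()), text)


def redact_pans(text: str) -> tuple:
    """Replace every Luhn-valid candidate with a fixed token; returns (redacted text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            count += 1
            return "[PAN REDACTED]"
        return m.group(0)                   # Luhn failed: leave order numbers etc. untouched

    return PAN_CANDIDATE.sub(repl, normalize_spoken_digits(text)), count


def is_clean(text: str) -> bool:
    """Pre-transfer gate: True only if no Luhn-valid PAN remains in the text."""
    return redact_pans(text)[1] == 0


# Constructed transcript lines (not real call data).
SAMPLE_TRANSCRIPT = [
    "Agent: can I take the card number please?",
    "Caller: sure, it is 4111 1111 1111 1111, expiry 09/26.",
    "Agent: and your order reference?",
    "Caller: 1234 5678 9012 3456, I think.",
    "Caller: the backup card is four one one one one one one one one one one one one one one one",
]

if __name__ == "__main__":
    scrubbed = []
    for line in SAMPLE_TRANSCRIPT:
        redacted, n = redact_pans(line)
        scrubbed.append(redacted)
        print(f"{n} redacted | {redacted}")
    print("safe to transfer:", is_clean("\n".join(scrubbed)))
```

Two caveats a practitioner should keep in mind: this only covers the transcript, not the audio, so the recording itself still needs the kind of audio redaction linked in post 9 or must stay inside the customer's environment; and a regex-plus-Luhn filter can be evaded by engines that split digits oddly or by longer digit runs, so the `is_clean()` gate should be treated as a last check, not as the whole control.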