I am exhausted trying to get a straight answer out of the documentation. We are currently undergoing a PCI-DSS compliance audit. For voice interactions, we use Secure Pause so agents can halt the recording when a customer reads a credit card number. But we just deployed Web Messaging, and agents are telling customers to type their credit card numbers into the chat. The numbers are saving directly into the digital transcript in plain text! There is no Secure Pause button for web messaging in the workspace. How are we supposed to remain compliant if the platform does not redact this natively? We have tried adding custom regex rules, but they are incredibly inconsistent.
I completely understand your frustration regarding PCI compliance. It is a very complex topic! The primary reason you do not see a Secure Pause button for asynchronous digital channels is that the interaction data is processed differently than a continuous audio stream. However, there is a built-in solution for this.
Genesys Cloud offers the PCI DSS compliance feature specifically for text channels through the ‘Data Redaction’ capability. You need to navigate to Account Settings and ensure that text redaction is enabled globally.
This will automatically replace standard credit card patterns with asterisks before the data is committed to the database. It is much more reliable than trying to build custom regular expressions yourself!
Yes, the data redaction feature is the correct way. In our BPO with many agents, we process thousands of chats. Before we enabled this, the quality teams could see the credit cards in the historical transcripts.
But you must also remember that the redaction happens at the edge. The agent who is currently chatting will still see the number on their screen for a short time, but the supervisor looking at the historical transcript will only see the asterisks.
It does not pause the live interaction like voice does, but it secures the stored data for the audit.
Just a quick heads up if you are building bots or flows in front of your web messaging. If you have an Architect Inbound Message Flow that asks for the card number before routing to an agent, you want to use the ‘Secure Data’ toggle on your bot slots or Architect string variables. I build these flows for tons of clients.
If you do not mark the variable as secure in the Architect flow, it might still leak into your flow execution logs even if the global text redaction is turned on. Always check the box for secure variables in Architect to be totally safe.