PCI-DSS Compliance Violation in Architect Flow Logs During Recording Block

Running into a critical blocker during the SOC2 Type II audit. We have a flow using the Record block to capture cardholder data for verification before redirecting. Flow version 145 on AWS US-East-1. The issue is that flow execution logs are persisting the raw input captured by GetDigits even though we added a Data Action to mask it. Audit team flagged this as PII exposure in logs, which violates PCI-DSS requirement 3.2. We cannot proceed with certification without fixing this. Has anyone configured masking at the log level specifically? The expression Replace(digits, 'x', '') is not working as expected.

Checked the source for the analytics module in the Python SDK repo last week. The masking logic happens on the payload sent to the backend, not necessarily the execution log cache. You need to use a custom expression in the Data Action before the flow writes to logs. Try wrapping the GetDigits output like this: Replace(GetDigits, '[0-9]', 'x'). Also check the Flow Execution Log settings under Organization > Preferences > Analytics. There is a toggle for sensitive data masking that defaults to false. If you are using the Genesys Cloud SDK v12.5, verify the logging level is set to WARN instead of DEBUG.
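
Added example, not part of the thread and not Genesys or SDK code: a Python logging filter that masks card numbers at the point a record is written, which is the "mask before the log write" idea from the reply above applied to an application's own logger. The names PanMaskingFilter, mask_pans and flow_exec_demo are hypothetical, the sample values are constructed, and keeping the last four digits is a choice made for this example.

```python
import logging
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so ordinary long numeric IDs are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(text: str) -> str:
    """Replace each Luhn-valid digit run with x's, keeping the last four."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()
        return "x" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)

class PanMaskingFilter(logging.Filter):
    """Masks the fully formatted message, so values passed as args are covered."""
    def filter(self, record):
        record.msg = mask_pans(record.getMessage())
        record.args = None      # message is already formatted
        return True

def demo():
    """Send constructed sample lines through the filter; return what is stored."""
    captured = []
    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())
    handler = ListHandler()
    handler.addFilter(PanMaskingFilter())
    logger = logging.getLogger("flow_exec_demo")   # hypothetical logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    logger.debug("GetDigits result=%s", "4111111111111111")  # constructed test PAN
    logger.debug("conversation id=%s", "1234567890123")      # fails Luhn, kept
    return captured

if __name__ == "__main__":
    print(demo())
```

Because the filter sits on the handler, it applies at every log level, so DEBUG output is masked the same way as WARN.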

This impacts the migration timeline for the PureConnect replacement project. We need to validate the masking configuration before moving production traffic. Recommend pausing the audit review until the flow patch is deployed. Estimated risk is high if logs remain unmasked. Need approval from security team to test in staging first.