Chat Security in PCI and HIPAA Deployments

For customers planning to interact with end-users through B2C Chat, there are several security factors to consider.

When B2C Chat is purchased with B2C Service, it can be covered by the Oracle PCI Certified Cloud and/or the HIPAA Cloud Service. If purchased standalone, the ability of the service to meet requirements will depend on how it is deployed and which other products it is deployed with. The standalone implementation is not covered in this document.

When Chat is deployed together with B2C Service in our PCI environment, data masking is applied automatically within the chat conversation. In other words, while an agent and an end-user are interacting, PAN or SSN data typed by the end-user is redacted when it is displayed to the customer’s agent, and data typed by the agent is likewise redacted when it is displayed to the end-user.

To prevent PAN or any other PII from being captured in an incident, customers can instruct their agents to ask end-users to use the Off the Record button during a Chat conversation. This lets an end-user send unrecorded messages that are not saved in any location. The only indication that off-the-record communication took place is an entry in the chat transcript or the incident thread that reads "username: Message Removed".

Chat customers have a Sneak Preview feature. It lets agents see what the end-user is typing before the end-user presses Enter, so it could display data to the agent that would otherwise have been redacted. This feature is disabled by default. We recommend that you use it in accordance with your own privacy and internal security requirements and policies.

If you have purchased the Engagement Engine, Video Chat or B2C Co-browse offerings that integrate with Chat, or have Oracle Messaging enabled to integrate with Chat, be aware that these products have not been audited for use with B2C Service in a restricted environment. While these products do not process or store data, there are situations in which your agents could view your customer’s protected data, so you will need to put additional controls in place to prevent this. Using Standalone Cobrowse describes methods for protecting customer data that are not covered in this document.