|
| 1 | +--- |
| 2 | +title: PCI Compliance |
| 3 | +subtitle: Ensure secure payment data handling while using Vapi’s voice assistant platform. |
| 4 | +slug: security-and-privacy/pci |
| 5 | +--- |
| 6 | + |
| 7 | + |
| 8 | +## Introduction to Security at Vapi |
| 9 | + |
| 10 | +At Vapi, we prioritize the security of your data without compromising the quality of our voice assistant services. Protecting sensitive information, especially financial data, is at the core of our mission. |
| 11 | + |
| 12 | +Our robust security policies and practices ensure you have complete control over your data while accessing all the capabilities of our platform. |
| 13 | + |
| 14 | +## Understanding PCI Compliance |
| 15 | + |
| 16 | +The Payment Card Industry Data Security Standard (PCI DSS) is a global framework designed to protect credit card information. Any organization processing, storing, or transmitting cardholder data must comply with PCI DSS to ensure that sensitive financial data is securely handled. |
| 17 | +Key requirements for PCI compliance include: |
| 18 | + |
| 19 | +- Securing data collection, transmission, and storage. |
| 20 | +- Implementing strong access control measures. |
| 21 | +- Regularly monitoring and testing systems to prevent breaches. |
| 22 | + |
| 23 | +## PCI Compliance on Vapi’s Platform |
| 24 | + |
| 25 | +By default, Vapi enables call recording, logging, and transcription features to enhance service quality. However, handling sensitive payment card data requires additional precautions. |
| 26 | + |
| 27 | +### How We Ensure Security |
| 28 | + |
| 29 | +When PCI compliance is enabled: |
| 30 | + |
| 31 | +- **Cloud Storage and Webhooks**: You can choose to store recordings in a PCI DSS Level 1 compliant cloud storage solution (AWS S3, Azure Blob Storage, Google Cloud Storage or Cloudflare R2) and receive transcripts through your webhook. |
| 32 | + |
| 33 | +- **No Retention Without Configuration**: If no cloud storage or webhook is specified, recordings and transcripts are permanently deleted to avoid retaining sensitive data. |
| 34 | + |
| 35 | + |
| 36 | +## How to Enable PCI Compliance |
| 37 | +If your organization handles payment data, you can enable PCI compliance by updating your assistant’s configuration. |
| 38 | + |
| 39 | +#### Configuration Steps: |
| 40 | +1. Log in to your Vapi account and navigate to your assistant’s settings. |
| 41 | +2. Enable the PCI Compliance toggle. |
| 42 | +3. Select the PCI-compliant Model, Voice, and Transcriber options for your assistant. |
| 43 | +4. [Optional] Configure cloud storage credentials for storing call recordings. If you have any of the storage endpoint credentials, they will be used to push the recordings. |
| 44 | +5. [Optional] Set up **webhooks** for receiving transcriptions. |
| 45 | + |
| 46 | + |
| 47 | +<Warning> |
| 48 | +If either cloud storage or webhook is not configured, the respective data will not be stored and cannot be retrieved. |
| 49 | +</Warning> |
| 50 | + |
| 51 | +Example configuration for `PCI compliant` assistant is: |
| 52 | +```JSON |
| 53 | +{ |
| 54 | + "compliancePlan": { |
| 55 | + "pciEnabled": true |
| 56 | + } |
| 57 | +} |
| 58 | +``` |
| 59 | +Note: The default value for `compliancePlan.pciEnabled` is false. Activating this setting aligns your assistant with PCI DSS standards by ensuring data is securely transmitted without being stored on Vapi’s systems. |
| 60 | + |
| 61 | +## Can PCI be used alongside HIPAA? |
| 62 | +Yes, you can enable both HIPAA and PCI compliance for an assistant. In this case, the restrictions from both compliances will apply, meaning that no recordings or transcripts will be stored or transmitted, even if you have specified cloud storage endpoints or webhooks for storing transcripts. |
| 63 | + |
| 64 | +## FAQs |
| 65 | + |
| 66 | +**Q: Will enabling PCI compliance affect the quality of Vapi’s service?** |
| 67 | + |
| 68 | +A: Enabling PCI compliance does not degrade the quality of the voice assistant services. |
| 69 | +However, it restricts you to use only the PCI-compliant endpoints, while limiting access to certain features, such as reviewing call logs, recordings or transcriptions, within the Vapi platform. |
| 70 | +If any cloud storage endpoints are provided, you can review the audio recordings in your own storage environment. The recordings follow the naming convention: |
| 71 | + |
| 72 | +``` |
| 73 | +<call_UUID>-<timestamp>-<generated_UUID>-<audio_type>.wav |
| 74 | +``` |
| 75 | + |
| 76 | +**Q: Who should use the PCI compliance feature?** |
| 77 | + |
| 78 | +A: This feature is particularly useful for businesses and organizations that handle sensitive payment information and must comply with PCI regulations. |
| 79 | + |
| 80 | +**Q: Can I switch between default and PCI-compliant settings?** |
| 81 | + |
| 82 | +A: Yes, users can toggle the `pciEnabled` setting as needed. However, we recommend carefully considering the implications of each option on your data security and compliance requirements. |
| 83 | + |
| 84 | +## Need Further Assistance? |
| 85 | + |
| 86 | +If you have more questions about security, privacy, PCI compliance, or how to configure your Vapi assistant, our support team is here to help. Contact us at [email protected] for personalized assistance and more information on how to make the most of Vapi’s voice assistant platform while ensuring your data remains protected. |
0 commit comments