Gong is committed to respecting the security of you and your customer’s information, including electronic cardholder data. Gong The Reality Platform ® is not intended nor does it store any credit card information. Gong does have the ability to handle payment card information in transit that is compliant with PCI DSS (Payment Card Industry Data Security Standard) for accepting, processing, storing, or transmitting payment card information. By adhering to these standards, an organization enforces the security of credit, debit, and cash card transactions and protects cardholders against fraud or other misuses of their personal information.
What is PCI DSS?
PCI DSS is a information security standard for organizations that handle payment card information. Credit card payment brands require adherence to the PCI DSS standard for any entity that processes, transmits, or stores cardholder data. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually.
How has Gong’s PCI DSS compliance been validated?
Gong’s PCI DSS compliance includes the completion of the SAQ-D questionnaire and external validation by a Qualified Security Assessor (QSA). Gong’s PCI DSS environment is limited in scope and does not cover the entire Gong platform. Gong’s current PCI DSS compliance only applies to the mechanisms that ingest calls from external telephony systems.
What features are PCI DSS-compliant?
The PCI DSS compliant environment includes Gong’s application integrations with telephony systems only, initial storage of these calls, and processing intended to redact all payment card information from these calls i a non-recoverable manner. The QSA’s scope consisted of Gong’s API servers, call analyzer processors, the ability to identify and redact PCI-related data, and the temporary storage of calls before the sensitive data is redacted. What is not in scope of Gong’s PCI DSS compliance are web recorders’ calls or videos and other types of data (e.g. email). Gong The Reality Platform® is not intended to store payment card information.
What are my responsibilities for using Gong in a PCI DSS-compliant manner?
The customer’s responsibility is to define the redaction rules for calls being uploaded from telephony systems to the Gong application. This can be done easily in the DATA PROTECTION & PRIVACY settings by defining the minimum sequence of digits that should be redacted. Once this is defined, all future calls will have these settings applied both on the audio files as well as on the call transcripts. Gong will only redact data based on the redaction settings the customer has defined. The customer still has the ability to delete recordings or telephony uploads. It is the customer’s responsibility to adhere to Gong’s stated PCI DSS scope.