Hi Team,
When using secure call flow along with bot flow, must we use secure variable in bot flow for sensitive data to meet compliance?
Before voice bot flow came along, we had been using secure call flow to collect sensitive data to run data actions without additional encryption (which came out this year).
1. Since recording does not happen within secure call, any "Flow." variables are not stored/saved/logged on the platform as long as we don't set them as participant data/external tags. Can you please confirm if this is accurate?
2. Now that we have voice bot which is PCI-DSS compliant, does "Slot." behave the same way as "Flow."? We are not going to use any intent (the main purpose of this bot flow is for the 'Ask for Slot' action), so there is no "utterances history" displayed within the bot flow to expose the collected information via speech. However, we are not sure if "Slot." is exposed/logged on the backend of the platform, given that it's essentially speech utterances. Can you please confirm?
3. With secure data variable in bot flow, we cannot do any advanced data validation without extracting the data variable into another variable. If we extract it, then it seems to defeat the purpose of securing it in the first place. Is the secure data variable designed to 'mask' the utterances only? If this is true, this leads back to question no. 2 above: whether the utterances for 'Ask for Slot' without an "Intent" setup are being captured in plain text on the platform.
Our current design is to send the call from inbound call flow > Secure call flow > Bot flow > back into Secure call flow. The bot flow is only to collect the user's input via 'speech'. The output of the slot will be used for extensive logical checks using "Flow." before we submit it to the third party.
This will not work if secured data variables must be used in bot flow, as they can't be used as output, and we will not be able to do any data validation in bot flow like what we are doing in Secure call flow today.
Can someone please confirm if the approach in bold above still meets PCI compliance?
Thanks,
MJ