Adjusting Security Control Settings for PCI Compliance

The AVOXI online platform provides a multitude of ways to customize the global communications experience for organizations of any size. AVOXI now supports several ways to better secure the business an organization conducts. While these settings may make logging in or staying logged in more difficult, they will also make it much easier to protect against unverified access to sensitive information.  


Use the below quick links to learn more about PCI-DSS Compliance and how to comply.

How is my organization at risk?

Consider users that have access to call recordings. These recordings could contain personal information such as credit cards, home addresses, and other information callers would assume to be private. Hardening an organization with the AVOXI's Security Features will ensure customers’ information is kept as safe as possible.  


For those organizations that handle payment card transactions, AVOXI has also ensured that achieving PCI-DSS Compliance is simple and easy for its users.

What is PCI-DSS Compliance?

Payment Card Industry Data Security Standard Compliance is a set of standards to be implemented by a software platform to better secure the usage of credit card payments.

What can be gained through PCI Compliance? 

While implementing PCI compliance could complicate typical workflows, it will also create several benefits, including data protection and increased security with AVOXI. 


Delete
Please note, organizations handling credit card information should follow the security best practices, laid out by the Payment Card Industry (PCI) Security Standards Council Policy  PCI DSS 4.0 in which suggests: 
  • A 15-minute sessions timeout (section 8.1.8), 
  • That passwords must be rotated every 90 days (section 8.2.4) if not using Multi-Factor Authentication, and
  • Users should not be able to reuse the last 4 passwords (section 8.2.5).

Configuration Instructions

As an AVOXI Administrators, you can review and update the security control settings for your organization via the Company Settings Menu.  Use the below instructions to review and update your security settings to ensure you meet PCI requirements as laid out in PCI DSS version 4.0.

  • To get started ensure you are logged into the AVOXI Online Portal as an Administrator.  
  • Select the account avatar in the top right-hand corner and then select "Company Settings".
  • On the "Settings" tab use the toggle button to enable/disable your Security Controls.

Inactivity Timeout

Activity refers to interacting with or having an active call on any open tab of the AVOXI online portal where a user is logged in.

  • When enable the session's inactivity limit to ensure inactive users are automatically signed out once the configured threshold is reached.
  • The minimum amount of time for inactivity is 15 minutes and the maximum is 12 hours.  
  • When a user is signed out due to inactivity, they will receive a message informing them they were logged out due to inactivity and redirect to the login page.
  • NOTE:  As this is not mandatory the default setting is "Disabled" and can be enabled/disabled at any time using the toggle button. If this setting is disabled then it will default to our standard token expiry time of 12 hours.

Password Rotation

  • Once enabled, users must reset their password when the configured threshold is reached.
  • The allowed range can be set anywhere between every 30 to 365 days. 
  • Once the threshold has been reached, uses will be prompted to update their password.
  • NOTE:  As this is not mandatory the default setting is "Disabled" and can be enabled/disabled at any time using the toggle button.

Minimum Password Age

  • When enabled, user passwords must reach the configured age in order to be changed.  
  • The allowed range is between 0 minutes to 24 hours.
  • Any attempt by a user/admin to change the password before the specified time will be denied.
  • NOTE:  As this is not mandatory the default setting is "Disabled" and can be enabled/disabled at any time using the toggle button.

Password Reuse Limit

  • If enabled, users will not be able to reuse old passwords up to the configured reuse limit.  
  • The allowed range is between 1 - 10 passwords, with the default being set to 1 password saved per user.
  • If a user attempts to use an old password, they will be given a warning and the attempt will be denied.

Bad Login Lockout

  • If a user enters an incorrect password six consecutive times, the account will automatically be locked, preventing the user from accessing the AVOXI online portal for 30 minutes.
  • A successful login will reset this counter (if the user is correct on attempt five, they will be logged in and the counter will reset to zero).
  • Administrators have the ability to unlock/lock individual or multiple accounts simultaneously by clicking on the lock icon located on the "User" page.  
  • Accounts are automatically unlocked after 30 minutes and the count will reset to zero.
  • Please note that the password reset process will work while an account is locked out.


Encrypted SIP

For PCI compliance you must use Encrypted SIP with Encrypted RTP on all SIP URIs and SIP Trunks.  To learn more about how to enable this feature, please follow this link.  These features are only available as part of the Premium Support package, please contact your Account Manager for more details if you do not currently have this package.

Additional Steps to Mitigate Risk

  • Users can pause recording while on a call to prevent sensitive information (such as credit card information) from being recorded or delete the recording later.
  • Consider your organization’s needs and risks. If your organization handles a lot of sensitive information, it might make more sense to increase security by decreasing inactivity time or forcing shorter cycles for password rotation.
  • Research other security standards, such as HIPAASOC2, and ISO2700x, to see if there are other ways to harden your organization.


Learn more about AVOXI's secure international network, protecting your customers' data, and other regulatory requirements in our 6 Ways to Strengthen Business Communication Security article.


Give feedback about this article

Was this article helpful?

Have more questions? Submit a request

Updated:

September 11th, 2024

Author:

Louise Ross

Updated By:

Jason Simpson

KB ID:

1075291

Page Views:

4556

Tags:

pci compliance, security control, pci, credit card, pause recording, payment, compliance, security

Can’t find what you’re looking for?

Contact our award-winning customer care team.