At Plum Voice, we take performance and security seriously. That is why we’re committed to continuously updating our products; to ensure that you always have the best technology to work with. We also continually evaluate our platform to determine if it makes sense to expand our security portfolio and add new standards.
These periodic updates provide an opportunity to double-check security settings in your Plum apps. Plum’s platform is always PCI-DSS and HIPAA compliant, but it’s equally important for customers to ensure that the apps they build and manage on our platform are also compliant with these standards. Both the platform (our responsibility) and any apps (customer responsibility) need to be set up properly to ensure an end-to-end secure and compliant data transfer.
For more information about customer responsibility with regard to using Plum's platform, see Requirement 3 of the following document:
Customer Responsibility Matrix
Secure IVR Basics
Whitelisting IP Addresses
All data requests from Plum originate from static IP subnets. Customers that utilize whitelisting need to ensure that these IP subnets are whitelisted so that our requests can reach you.
Plum will also need to whitelist all IPs and/or fully-qualified domain names used by your application on our side in order to grant you access.
The data flow process originates when the caller inputs information. The data travels across the public switched telephone network and is captured by the IVR. After capturing this data and at some point before the call disconnects, the IVR establishes a connection to the customer’s database/payment processor/business logic, etc. through a secure HTTP web service.
Once that information is transmitted to the customer and the call ends, that caller’s information is deleted from the IVR application’s memory.
There are two important points to keep in mind about this data flow.
Plum customers must have a secure HTTP connection (HTTPS) to ensure that a secure, encrypted connection exists between the two systems for the data transfer. Plum's firewalls will deny any non-HTTPS requests that come out of our PCI environment.
Plum Voice does not, under any circumstance, save or store caller financial data. We only capture caller information and transmit it to customers.
Once a Plum IVR application hands off encrypted data to a customer, it is up to that customer to ensure that the remaining work flow on their end is PCI-compliant.
Secure Phone Numbers
Phone numbers connected to secure IVR applications require additional backend configuration. For more information, see Managing Secure Phone Numbers.
Customers cannot use Plum's PCI-environment for testing or QA purposes.
IVR Security Guide
The following guide is primarily intended for Do It Yourself (DIY) customers, but the information is relevant to all secure applications.
'Private' Tags - This covers how to set your application to securely collect caller information and how to use call logs to verify that your app is functioning properly.
Sensitive Data Types - This provides information on the types of data that customers should mark as private.
Although this section tends to reference PCI-compliance, at Plum, PCI is commonly used as a catch-all term to refer to any customer security needs.The same protocols apply to customers who require HIPAA, SOC2, or any other security standard.
Customers should check with their own compliance auditors to ensure that they protect the correct data, regardless of which standard(s) they require.