May 15, 2024
Is Zoom PCI Compliant?

Exploring the Payment Card Industry Data Security Standard (PCI DSS) Compliance of Zoom

  • Zoom is not designed to handle PCI data and should not be used for storing, processing, or transmitting payment card information.
  • Risks of PCI data leaks from Zoom can arise from unauthorized access or compromised account credentials.
  • PCI DSS 4.0 introduces new requirements for protecting PCI data in Zoom, including preventing unauthorized copying of PAN and ensuring incident response plans for data leaks.
  • Organizations using Zoom should adopt security measures like encryption, access control, and regular audits to prevent data leaks.

Can you store PCI Data in Zoom?

Zoom, primarily known as a video conferencing platform, does not typically handle payment card information directly as part of its core functionalities. However, businesses might use Zoom for activities that involve discussing or showing payment card information.

It's crucial to note that Zoom itself is not designed as a payment system and should not be used to store, process, or transmit payment card data. Companies using Zoom must ensure they employ additional security measures to protect any sensitive data shared over the platform.

Can PCI Data be Leaked from Zoom?

PCI data can be leaked from any platform if proper security measures are not in place. In the case of Zoom, risks could arise from unauthorized access during meetings or through compromised account credentials.

Although Zoom has implemented robust security features, such as end-to-end encryption and password-protected meetings, the potential for human error or security oversights can still lead to data exposure. It's essential for users to adopt strong security practices, like using secure passwords, enabling two-factor authentication, and regularly updating the software.

What are the New PCI 4.0 Requirements for PCI Data in Zoom?

PCI DSS 4.0 introduces rigorous requirements that are particularly pertinent to the use of platforms like Zoom for discussions involving payment card information.

Below are the essential updates and their implications for Zoom users:

1. No Unauthorized Copy/Relocation of PAN

Under Requirement 3.4.2, it is critical to protect the Primary Account Number (PAN) from unauthorized copying or relocation.

In the context of Zoom, this translates to ensuring that PANs are not improperly displayed or shared during video conferences. Users must have explicit authorization and a legitimate business need to share any payment information over the platform.

2. PAN Must Be Unreadable

The relevant requirement mandates that PAN be rendered unreadable wherever it is stored. For Zoom users, this means any recordings or notes from meetings where PANs might be discussed should be encrypted and securely stored.

Key management processes should be robust and compliant with PCI DSS Requirements 3.6 and 3.7 to further safeguard data.
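The two requirements above come down to one practical control for meeting artifacts: find any PAN that ended up in a transcript, chat export or set of notes, and make it unreadable before the artifact is stored. The following is an added example, not code from the original post or from Strac's product; it assumes a simple candidate regex (13 to 19 digits with optional spaces or dashes), a Luhn check to discard look-alike numbers, and a masking rule that keeps only the last four digits. The sample notes are constructed for the example.

```python
import re

# Constructed sample of meeting notes (not a real transcript). The first number
# is the well-known Visa test PAN; the second has the same shape but fails Luhn.
SAMPLE_NOTES = (
    "Customer read out their card 4111 1111 1111 1111 during the call.\n"
    "Case ref 4111-1111-1111-1112 is the ticket number, not a card.\n"
    "Follow up at 1:30pm."
)

# Candidate shape: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side. This is deliberately broad; the Luhn
# check below is what keeps false positives down.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN unreadable by keeping only the last four digits (assumed policy)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str):
    """Replace every Luhn-valid PAN candidate in text with its masked form.

    Returns (redacted_text, findings) where findings lists the masked values,
    so the caller can log that a PAN was present without logging the PAN itself.
    """
    findings = []

    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = mask_pan(digits)
            findings.append(masked)
            return masked
        return raw  # shape matched but checksum failed: leave it untouched

    return PAN_CANDIDATE.sub(_replace, text), findings


if __name__ == "__main__":
    redacted, found = redact_pans(SAMPLE_NOTES)
    print(redacted)
    print(f"{len(found)} PAN(s) redacted: {found}")
```

The Luhn check is a filter, not a guarantee: a phone number or order ID can pass it by chance, and a PAN read out with words between digit groups will not match the candidate shape at all, which is why recordings and transcripts still need encryption at rest and access control rather than redaction alone.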

3. Incident Response for PAN Data Leaks

Requirement 12.10.7 requires proactive incident response plans in place for detecting and managing PAN data leaks. Zoom users must ensure they can quickly respond to any incident where payment card information might be exposed, which includes immediate data retrieval and secure deletion or relocation.

4. Protecting Payment Information on Zoom

To minimize risks, organizations should avoid any unnecessary sharing of cardholder data over Zoom. If absolutely necessary, measures should include:

  • Ensuring all shared information is encrypted and access-controlled.
  • Regular audits of security practices surrounding Zoom meetings.
  • Training all users on data protection best practices to prevent unauthorized access or data leaks.

Organizations using Zoom must critically assess their use of the platform to ensure it aligns with the stringent demands of PCI DSS 4.0, focusing on preventing unauthorized data sharing and ensuring rapid incident response.

How Can Strac Prevent Data Leaks from Zoom?

Strac's SaaS/Cloud DLP and Endpoint DLP solution helps with its modern features:

  • Built-In & Custom Detectors: Strac supports all sensitive data element detectors for PCI, HIPAA, GDPR, and any confidential data. Strac also supports customization where customers can configure their own data elements. Strac is the only DLP on the market that does detection and redaction of images and also deep content inspection on document formats like PDF, Word documents (doc, docx), spreadsheets (xlsx) and zip files. Check out Strac's full catalog of sensitive data elements.
  • Ease of integration: In under 10 minutes, customers integrate with Strac and instantly see DLP/live scanning/live redaction on their SaaS apps.
  • Accurate Detection and Redaction: Strac's custom machine learning models trained on sensitive PII, PHI, PCI, and confidential data provide high accuracy and low false positives and false negatives.
  • Rich and Extensive SaaS Integrations: Strac has the widest and deepest number of SaaS and Cloud integrations. Check out Strac's complete range of DLP integrations here.
  • AI Integration: In addition to all SaaS, Cloud and Endpoint integrations, Strac integrates with LLM APIs and AI websites like ChatGPT, Google Bard, Microsoft Copilot and more. See Strac's Developer Documentation for how customers use these integrations to protect their AI or LLM apps and safeguard their sensitive data.
  • Endpoint DLP: Strac is the only accurate and comprehensive DLP that works for SaaS, Cloud and Endpoint.
  • Inline Redaction: Strac can redact (mask or blur) sensitive text within any attachment.
  • Customizable Configurations: Strac provides out-of-the-box Compliance templates with all sensitive data elements to detect/redact, plus flexible configurations to cater to specific business needs, ensuring that data protection measures align with individual requirements.

Strac's Zoom integration ensures ongoing PCI compliance for Zoom users.

Book a free 30-minute demo to learn more about how Strac can enhance the security of your Zoom meetings and other SaaS platforms.

