Other Regulations

Payment Card Industry (PCI)

Every year, an Internal Security Assessor (ISA) assesses the CXone cloud-based contact center solution. The assessment checks CXone compliance with the Payment Card Industry Data Security Standard (PCI DSS). It is currently based on PCI DSS 3.2. Business units can communicate requirements to their PCI assessors. Doing so removes the need to run the same test twice, making PCI certification easier.

CXone tests against PCI DSS controls. We currently test for the previous full year. NICE offers the following to business units with their contract:

  • An Attestation of Compliance (AOC).

  • A PCI Responsibility Matrix.

We offer the same to prospective business units with a non-disclosure agreement (NDA).

FedRAMP

NICE is authorized to sell in the Federal Risk and Authorization Management Program (FedRAMP) market space under an Authorization to Operate (ATO). Our FedRAMP environment meets the stringent risk management requirements of US federal agencies.

NICE works to mitigate the risks to business unit data. We also work to increase the security and safety of the data in our FedRAMP environment. With our ATO, federal agencies can integrate our software. With our software, they can take advantage of previously unavailable cloud benefits.

Service Organization Controls 2 (SOC 2)

NICE tests against the SOC from the AICPA SOC reporting framework. We issue an AT 101 SOC 2 report (SOC 2 Type II). We test for the previous full year. NICE performs these tests on a schedule appropriate to data expiration. There may be a gap between the expiration and the issuing of the next report. If so, then a bridge letter is made available to business units.