I see on the outbound Queue documentation, is_pci parameter. Does this mean I can send PCI directly in the body of the API and remain PCI/HIPAA compliant e.g. the data is encrypted in transit and at rest? Presumably this would differ from uploading a file where the Documentation explicitly states this is not PCI/HIPAA compliant to include PII/PHI in the file upload to queue calls?

Hi,

Unfortunately, no, that is not the purpose of the is_pci flag. This flag only determines which pool of systems will be used to execute your application once the call begins. In order to guarantee PCI compliance, you should only send non-PI/PII data to the outbound APIs. The data that is sent to these APIs is NOT in scope for PCI.

After the call begins, your application will be executing in the PCI environment and any data that is then exchanged between our systems and your application servers is in scope for PCI. This gives you full control over the logging of private data and allows you to make sure all data is transmitted using the proper encryption techniques.

Please let us know if you have any further questions.

Regards,
Plum Support