Educause Security Discussion mailing list archives

PCI & VOIP Soft Phones


From: Bob Henry <bhenry () BOISESTATE EDU>
Date: Wed, 23 May 2012 15:30:22 -0600

We have a request to assist in setting up a call center that will
solicit contributions and accept payment with credit cards.  The group
wants to use soft phones on the PCs where they will also be
entering CC information in order to spend less than it would cost for
hardware phones.  The PCs are clearly in-scope for PCI and my gut
says having the soft phone on the PC brings our VOIP system into scope
for PCI compliance which is a nightmare.  My strong recommendation is
for the group to use a hardware phone which is not on the CC VLAN.
Does anyone have any experience or wise words on the topic?

Thanks,

Bob

Robert Henry, CISSP
ISO & Director of Information Security Services
Acting Director, OIT Development Services
Boise State University
208-426-5701
bhenry () boisestate edu
http://oit.boisestate.edu/security

