Educause Security Discussion mailing list archives
Re: PCI & VOIP Soft Phones
From: Mike Leach <mjl9 () PSU EDU>
Date: Thu, 24 May 2012 09:36:11 -0400
Good morning Bob,

The PCI Council document Tom shared is helpful in making determinations on how to secure your voice systems that have cardholder data. The interpretation we've received on whether VoIP systems are in-scope or out was: If the VoIP system is a replacement for an analog system, such that the spoken credit card number is the only means cardholder data is transmitted, it can remain out of scope. If you start adding features like call recording, Computer Telephony Integration (data dips), etc., the VoIP system comes into scope.

As others have said, consulting a QSA on this matter would be best. They will review the details specific to your deployment.

Without knowing any more detail than you provided, and based upon our experience and discussions with our QSA on similar topics, including a soft phone on the same terminal/network as the credit card processing would certainly bring elements of the VoIP system into scope. How much of the system would be in scope would depend upon your VoIP architecture. On the other hand, if they want call center features on either a hard or soft VoIP phone, that could bring your VoIP system into scope as well. If that is the case, a separate hard phone may not buy you any savings in cost or compliance effort.

Thank you,

Mike Leach
PCI Compliance Coordinator
Security Operations and Services
The Pennsylvania State University
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security () psu edu
Direct Line: 814-865-0740

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Henry
Sent: Wednesday, May 23, 2012 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI & VOIP Soft Phones

We have a request to assist in setting up a call center that will solicit contributions and accept payment with credit cards.

The group wants to use soft phones on the PCs where they will also be entering CC information, in order to spend less than it would cost for hardware phones. The PCs are clearly in scope for PCI, and my gut says having the soft phone on the PC brings our VOIP system into scope for PCI compliance, which is a nightmare. My strong recommendation is for the group to use a hardware phone which is not on the CC VLAN.

Does anyone have any experience or wise words on the topic?

Thanks,
Bob

Robert Henry, CISSP
ISO & Director of Information Security Services
Acting Director, OIT Development Services
Boise State University
208-426-5701
bhenry () boisestate edu
http://oit.boisestate.edu/security