Educause Security Discussion mailing list archives

Re: PCI & VOIP Soft Phones


From: Jeff Moore <mail () JEFFMOORE COM>
Date: Wed, 23 May 2012 15:11:18 -0700

Bob,

I can't think offhand how PCI compliance might be impacted by this but I
would go for hardware. I managed our institution's move from TDM to VOIP and
with the experience I have had with that project and working for Siemens IC
for 8 years (managed most of Kaiser Permanente's Northwest phone systems
including their main call center) I would say hardware phone. In my
old-fashioned opinion you just can't beat the reliability of hardware that is
specifically engineered for a task. All those eggs in one basket would be a
frightening prospect to me. Especially for a Call Center. Definitely more
expensive but I would think well worth it. Could be the little guy on my
right shoulder named "Old School Philosophy"! He gets more and more bossy
as I get older. We have had in smaller settings softphones working just
fine here but Call Center... I wouldn't. Also one nice thing about starting
with a hardphone is you can always add softphones later and do pilot trials
etc.

Hope that helps.

Compliancy-wise, as long as the softphone and the phone are on the same LAN
then I wouldn't think there would be any extra PCI issues.

Sorry for the lack of knowledge on the PCI compliance. We offloaded our
transaction servers years ago.

Jeff Moore
Chemeketa Community College


PS - Feel free to call if you want me to talk your ear off about our
experiences as small and limited as they are. 503-910-0756

jm

On Wed, May 23, 2012 at 2:30 PM, Bob Henry <bhenry () boisestate edu> wrote:

We have a request to assist in setting up a call center that will
solicit contributions and accept payment with credit cards.  The group
wants to use soft phones on the PCs where they will also be
entering CC information in order to spend less than it would cost for
hardware phones.  The PCs are clearly in-scope for PCI and my gut
says having the soft phone on the PC brings our VOIP system into scope
for PCI compliance, which is a nightmare.  My strong recommendation is
for the group to use a hardware phone which is not on the CC VLAN.
Does anyone have any experience or wise words on the topic?

Thanks,

Bob

Robert Henry, CISSP
ISO & Director of Information Security Services
Acting Director, OIT Development Services
Boise State University
208-426-5701
bhenry () boisestate edu
http://oit.boisestate.edu/security




-- 
Jeff Moore
Desk (503) 877-4707
Cell (503) 910-0756
Mail () JeffMoore com
