Educause Security Discussion mailing list archives

Re: PCI & VOIP Soft Phones


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 23 May 2012 18:52:10 -0400

I am hardly an expert here, but our QSA indicated that any CC
information transmitted via IP is "In Scope".  That included IP based
credit card terminals, and even third party web based "Virtual
Gateways", even though those web payment sites were hosted by a payment
vendor.  The key I took away from it all was if an employee in any way
puts CC information into an IP stream, it's In Scope.  Oddly, except if it
was via a Cellular IP Network with approved devices.  We moved back to
analog phone processing in offices to avoid the increasing complexity
and confusion over PCI.  For online payments, it's completely hosted by
a third party, where the user and not an employee enters their CC
information on non campus servers.

Again, I am no expert.  Please consult one!

On 5/23/2012 5:30 PM, Bob Henry wrote:
We have a request to assist in setting up a call center that will
solicit contributions and accept payment with credit cards.  The group
wants to use soft phones on the PC's where they will also be
entering CC information in order to spend less than it would cost for
hardware phones.  The PC's are clearly in-scope for PCI and my gut
says having the soft phone on the PC brings our VOIP system into scope
for PCI compliance which is a nightmare.  My strong recommendation is
for the group to use a hardware phone which is not on the CC VLAN.
Does anyone have any experience or wise words on the topic?

Thanks,

Bob

Robert Henry, CISSP
ISO & Director of Information Security Services
Acting Director, OIT Development Services
Boise State University
208-426-5701
bhenry () boisestate edu
http://oit.boisestate.edu/security
