Educause Security Discussion mailing list archives
Re: PCI & VOIP Soft Phones
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 23 May 2012 18:52:10 -0400
I am hardly an expert here, but our QSA indicated that any CC information transmitted via IP is "In Scope". That included IP based credit card terminals, and even third party web based "Virtual Gateways", even though those web payment sites were hosted by a payment vendor. The key I took away from it all was if an employee in any way puts CC information into an IP stream, it's In Scope. Oddly, except if was via a Cellular IP Network with approved devices. We moved back to analog phone processing in offices to avoid the increasing complexity and confusion over PCI. For online payments, it's completely hosted by a third party, where the user and not an employee enters their CC information on non campus servers. Again, I am no expert. Please consult one! On 5/23/2012 5:30 PM, Bob Henry wrote:
We have a request to assist in setting up a call center that will solicit contributions and accept payment with credit cards. The group wants to use soft phones on the PC's where they will be also be entering CC information in order to spend less than it would cost for hardware phones. The PC's are clearly in-scope for PCI and my gut says having the soft phone on the PC brings our VOIP system into scope for PCI compliance which is a nightmare. My strong recommendation is for the group to use a hardware phone which is not on the CC VLAN. Does anyone have any experience or wise words on the topic? Thanks, Bob Robert Henry, CISSP ISO & Director of Information Security Services Acting Director, OIT Development Services Boise State University 208-426-5701 bhenry () boisestate edu http://oit.boisestate.edu/security
Current thread:
- PCI & VOIP Soft Phones Bob Henry (May 23)
- Re: PCI & VOIP Soft Phones Jeff Moore (May 23)
- Re: PCI & VOIP Soft Phones John Ladwig (May 24)
- Re: PCI & VOIP Soft Phones Dave Koontz (May 23)
- Re: PCI & VOIP Soft Phones Jeff Moore (May 23)
- Re: PCI & VOIP Soft Phones Davis, Thomas R (May 24)
- Re: PCI & VOIP Soft Phones Brad Judy (May 24)
- Re: PCI & VOIP Soft Phones Mike Leach (May 24)
- Re: PCI & VOIP Soft Phones Jeff Moore (May 23)