Educause Security Discussion mailing list archives

Re: PCI & VOIP Soft Phones


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Thu, 24 May 2012 12:34:59 +0000

I'd expect that either using a VOIP softphone or an analog cardswipe with an ATA will bring your softswitch and voice 
vlans into scope.  P2PE may change that in the case of the cardswipe.

    -jml   *not a QSA*


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Moore
Sent: Wednesday, May 23, 2012 5:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI & VOIP Soft Phones

Bob,

I can't think offhand how PCI compliance might be impacted by this, but I would go for hardware. I managed our 
institution's move from TDM to VOIP, and with the experience I have had with that project and working for Siemens IC for 
8 years (managed most of Kaiser Permanente's Northwest phone systems, including their main call center), I would say 
hardware phone. In my old-fashioned opinion you just can't beat the reliability of hardware that is specifically 
engineered for a task. All those eggs in one basket would be a frightening prospect to me, especially for a Call 
Center. Definitely more expensive, but I would think well worth it. Could be the little guy on my right shoulder named 
"Old School Philosophy"! He gets more and more bossy as I get older. We have had softphones working 
just fine here in smaller settings, but for a Call Center... I wouldn't. Also, one nice thing about starting with a hardphone is you can always add 
softphones later and do pilot trials etc.

Hope that helps.

Compliance-wise, as long as the softphone and the phone are on the same LAN, I wouldn't think there would be any 
extra PCI issues.

Sorry for the lack of knowledge on the PCI compliance side. We offloaded our transaction servers years ago.

Jeff Moore
Chemeketa Community College


PS - Feel free to call if you want me to talk your ear off about our experiences as small and limited as they are. 
503-910-0756

jm

On Wed, May 23, 2012 at 2:30 PM, Bob Henry <bhenry () boisestate edu> wrote:
We have a request to assist in setting up a call center that will
solicit contributions and accept payment with credit cards.  The group
wants to use soft phones on the PCs where they will also be
entering CC information, in order to spend less than it would cost for
hardware phones.  The PCs are clearly in scope for PCI, and my gut
says having the soft phone on the PC brings our VOIP system into scope
for PCI compliance, which is a nightmare.  My strong recommendation is
for the group to use a hardware phone which is not on the CC VLAN.
Does anyone have any experience or wise words on the topic?

Thanks,

Bob

Robert Henry, CISSP
ISO & Director of Information Security Services
Acting Director, OIT Development Services
Boise State University
208-426-5701
bhenry () boisestate edu
http://oit.boisestate.edu/security



--
Jeff Moore
Desk (503) 877-4707
Cell (503) 910-0756
Mail () JeffMoore com