PCI and VOIP - Suggestions to limit scope?

Started by maurive1241, Sep 04, 2024, 04:39 PM


maurive1241

We just replaced our digital phone system with a Cisco VOIP phone system.

My company has about 1000 phones across the organization. Only about 10-15 phones/users take down credit cards over the phone. We do NO phone recording.

Our computers/physical areas are already fully secured and compliant. However, the phones were a bit of an afterthought.

Do you guys have any suggestions on limiting scope? Based on the pdf "Protecting Telephone-Based Payments Special Interest Group", the ideas that pop out are:

1. Convert 10-15 phones to a Cloud solution or Analog/POTS line. These phones would be in a firewalled network that can only talk to the cloud provider. The Cloud solution would need to be "PCI compliant". In this scenario, would the scope just be the 10-15 phones, the firewall, and the Cloud provider?

2. Bring the entire existing phone system into the CDE and harden everything.

3. Spin up a new internal phone system just for these 10-15 phones that would be considered a part of the CDE.

Thanks in advance!
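For option 1 above (payment phones in a firewalled segment that can only reach the cloud provider), here is an added example of what that segmentation rule set could look like; it is not from this thread or from any vendor documentation. It is an nftables forward chain, and the VLAN name, subnets, provider netblock and port numbers are all assumed placeholders to be replaced with the provider's published values.

```nft
# Added example, not from the thread. Placeholders (adjust to your environment):
#   vlan40 / 10.40.0.0/24  - the segment holding only the 10-15 payment phones
#   203.0.113.0/24         - the cloud voice provider's published address range
#   TCP 5061               - SIP over TLS (signalling)
#   UDP 10000-20000        - SRTP media range published by the provider
#   10.40.0.1              - internal DNS/NTP host the phones may use
table inet pci_phones {
    set provider_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # return traffic for flows the phones already opened
        ct state established,related accept

        # phones -> provider: SIP over TLS signalling and SRTP media only
        iifname "vlan40" ip saddr 10.40.0.0/24 ip daddr @provider_nets tcp dport 5061 accept
        iifname "vlan40" ip saddr 10.40.0.0/24 ip daddr @provider_nets udp dport 10000-20000 accept

        # phones -> internal DNS and NTP on the segment gateway, nothing else internal
        iifname "vlan40" ip saddr 10.40.0.0/24 ip daddr 10.40.0.1 udp dport { 53, 123 } accept

        # no host on the corporate LAN may initiate a connection into the phone segment
        oifname "vlan40" ct state new log prefix "pci_phones_denied_in: " drop

        # anything else the phones try to reach is logged (scope evidence) and dropped
        iifname "vlan40" log prefix "pci_phones_denied_out: " drop
    }
}
```

The logged drops are worth keeping: they are the evidence an assessor will ask for that the segment really cannot reach the rest of the network.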

ClarkWillson

You're considering securing your phone system, especially for those handling credit card data. Isolating the 10-15 phones to a cloud solution or POTS line is a practical way to limit your scope while ensuring compliance. By firewalling these phones and using a PCI-compliant cloud provider, you could reduce the scope to just those phones, the firewall, and the provider.

Abdelziz

Consider a few practical steps if you want to limit PCI scope with VOIP. First, segment your network. Keep your VOIP systems separate from any systems handling payment card data. This way, you reduce the areas that fall under PCI compliance. Another option is to use a third-party service to handle payments over the phone. They can keep the payment data off your network entirely. Also, consider using a phone number generator to mask customer data during calls. This could keep sensitive info out of your systems and limit your PCI scope even more.

donna1205

Ensure that any VoIP traffic involving cardholder data is encrypted from end to end, protecting sensitive information while it is being transmitted. Use strong encryption protocols such as TLS/SRTP for VoIP traffic to comply with PCI DSS requirements.
