
Topic summary

Posted by Rorry222
 - Dec 02, 2024, 08:55 PM
You'd better consider using temp phone numbers to make things work; it's a great solution.
Posted by donna1205
 - Sep 19, 2024, 10:31 AM
Ensure that any VoIP traffic involving cardholder data is encrypted from end to end, protecting sensitive information while it is being transmitted. Use strong encryption protocols such as TLS/SRTP for VoIP traffic to comply with PCI DSS requirements.
Posted by Abdelziz
 - Sep 04, 2024, 05:08 PM
Consider a few practical steps if you want to limit PCI scope with VOIP. First, segment your network. Keep your VOIP systems separate from any systems handling payment card data. This way, you reduce the areas that fall under PCI compliance. Another option is to use a third-party service to handle payments over the phone. They can keep the payment data off your network entirely. Also, consider using a phone number generator to mask customer data during calls. This could keep sensitive info out of your systems and limit your PCI scope even more.
Posted by ClarkWillson
 - Sep 04, 2024, 04:54 PM
You're considering securing your phone system, especially for those handling credit card data. Isolating the 10-15 phones to a cloud solution or POTS line is a practical way to limit your scope while ensuring compliance. By firewalling these phones and using a PCI-compliant cloud provider, you could reduce the scope to just those phones, the firewall, and the provider.
Posted by maurive1241
 - Sep 04, 2024, 04:39 PM
We just replaced our digital phone system with a Cisco VOIP phone system.

My company has about 1000 phones across the organization. Only about 10-15 phones/users take down credit cards over the phone. We do NO phone recording.

Our computers/physical areas are already fully secured and compliant. However, the phones were a bit of an afterthought.

Do you guys have any suggestions on limiting scope? Based on the pdf: "Protecting Telephone-Based Payments Special Interest Group", the ideas that pop-out are:

    1. Convert the 10-15 phones to a cloud solution or analog/POTS lines. These phones would be in a firewalled network that can only talk to the cloud provider. The cloud solution would need to be "PCI compliant". In this scenario, would the scope just be the 10-15 phones, the firewall, and the cloud provider?

    2. Bring the entire existing phone system into the CDE and harden everything.

    3. Spin up a new internal phone system just for these 10-15 phones that would be considered part of the CDE.

Thanks in advance!
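Option 1 above (and Abdelziz's and ClarkWillson's replies) rests on one technical claim: if the firewall in front of the card-taking phones only permits traffic to and from the provider, nothing else is "connected to" the CDE and the rest of the 1000-phone estate stays out of scope. The script below is an added example, not code from this thread or from any PCI SSC document: it evaluates a small first-match, default-deny rule set against representative traffic probes and reports which network segments can exchange traffic with the payment-phone enclave. The segment addresses, the provider's address block (TEST-NET-3), the port ranges and both rule sets are constructed assumptions chosen to mirror the scenario in the question.

```python
"""Segmentation check for a firewalled VoIP payment enclave (added example, assumptions labelled)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One stateless firewall rule. Rules are evaluated first-match; anything unmatched is denied."""
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    proto: str                # "tcp", "udp" or "any"
    dports: Optional[range]   # permitted destination ports, None means any port
    action: str               # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dports is None or dport in self.dports))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or "deny" (implicit default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed segments for the thread's scenario (RFC 1918 and TEST-NET-3 addresses; assumptions).
SEGMENTS: Dict[str, str] = {
    "payment_phones": "10.50.1.0/24",    # the 10-15 phones that take card numbers (the CDE)
    "cloud_provider": "203.0.113.0/24",  # the PCI-compliant VoIP provider's session border controllers
    "other_phones":   "10.20.0.0/16",    # the remaining ~1000 phones
    "corp_lan":       "10.10.0.0/16",    # workstations and servers
    "mgmt":           "10.99.0.0/24",    # network management / jump hosts
}

# Representative probes: if any of these is allowed in either direction, the segments are "connected".
PROBES: List[Tuple[str, int]] = [("tcp", 5061), ("udp", 10000), ("tcp", 22), ("tcp", 443), ("udp", 53)]


def first_host(cidr: str) -> str:
    """Use the first usable address of a segment as its representative host."""
    return str(ip_network(cidr).network_address + 1)


def connected_segments(rules: List[Rule], cde: str = "payment_phones") -> FrozenSet[str]:
    """Segments that can exchange any probe traffic with the CDE, i.e. that share its PCI scope."""
    cde_ip = first_host(SEGMENTS[cde])
    connected = set()
    for name, cidr in SEGMENTS.items():
        if name == cde:
            continue
        other_ip = first_host(cidr)
        for proto, port in PROBES:
            if (decide(rules, cde_ip, other_ip, proto, port) == "allow"
                    or decide(rules, other_ip, cde_ip, proto, port) == "allow"):
                connected.add(name)
                break
    return frozenset(connected)


# Rule set matching option 1 in the question: enclave talks to the provider only (assumed ports).
ENCLAVE_RULES: List[Rule] = [
    Rule("10.50.1.0/24", "203.0.113.0/24", "tcp", range(5061, 5062), "allow"),    # SIP over TLS out
    Rule("10.50.1.0/24", "203.0.113.0/24", "udp", range(10000, 20001), "allow"),  # SRTP media out
    Rule("203.0.113.0/24", "10.50.1.0/24", "udp", range(10000, 20001), "allow"),  # SRTP media in
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),                          # explicit default deny
]

# The same enclave after two "harmless" operational exceptions were added; these widen the scope.
LEAKY_RULES: List[Rule] = ENCLAVE_RULES[:-1] + [
    Rule("10.99.0.0/24", "10.50.1.0/24", "tcp", range(22, 23), "allow"),  # "just SSH from the jump host"
    Rule("10.50.1.0/24", "10.0.0.0/8", "any", None, "allow"),             # "phones need internal DNS/NTP"
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]


if __name__ == "__main__":
    for label, rules in (("enclave-only", ENCLAVE_RULES), ("with exceptions", LEAKY_RULES)):
        print(f"{label}: in scope with the payment phones -> {sorted(connected_segments(rules))}")
```

With the enclave-only rules the only connected segment is the provider, which is the answer the poster was hoping for: scope is the phones, the firewall and the provider. The second rule set shows how scope creeps: a single "allow any to 10.0.0.0/8" rule makes every internal segment, including the other 1000 phones, connected to the CDE. The evaluator is deliberately stateless and only tests a handful of ports, so treat it as a sanity check on intent, not a substitute for reviewing the real firewall configuration and its return-traffic handling.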