Educause Security Discussion mailing list archives

Re: PCI & VOIP Soft Phones


From: Mike Leach <mjl9 () PSU EDU>
Date: Thu, 24 May 2012 09:36:11 -0400

Good morning Bob,

The PCI Council document Tom shared is helpful in making determinations on
how to secure your voice systems that have cardholder data. The
interpretation we've received on whether VoIP systems are in-scope or out
was: If the VoIP system is a replacement for an analog system, such that
the spoken credit card number is the only means card holder data is
transmitted, it can remain out of scope. If you start adding features like
call recording, Computer Telephony Integration (data dips), etc. the VoIP
system comes into scope.

As others have said, consulting a QSA on this matter would be best. They
will review the details specific to your deployment.  Without knowing any
more detail than you provided and based upon our experience and
discussions with our QSA on similar topics, including a soft phone on the
same terminal/network as the credit card processing would certainly bring
elements of the VoIP system into scope. How much of the system would be in
scope would depend upon your VoIP architecture. 

On the other hand if they want call center features on either a hard or
soft VoIP phone that could bring your VoIP system into scope as well. If
that is the case a separate hard phone may not buy you any savings in cost
or compliance effort.
Thank you,

Mike Leach
PCI Compliance Coordinator
Security Operations and Services
The Pennsylvania State University
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security () psu edu 
Direct Line: 814-865-0740


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Henry
Sent: Wednesday, May 23, 2012 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI & VOIP Soft Phones

We have a request to assist in setting up a call center that will solicit
contributions and accept payment with credit cards.  The group wants to
use soft phones on the PCs where they will also be entering CC
information in order to spend less than it would cost for hardware phones.
The PCs are clearly in-scope for PCI and my gut says having the soft
phone on the PC brings our VOIP system into scope for PCI compliance which
is a nightmare.  My strong recommendation is for the group to use a
hardware phone which is not on the CC VLAN.
Does anyone have any experience or wise words on the topic?

Thanks,

Bob

Robert Henry, CISSP
ISO & Director of Information Security Services
Acting Director, OIT Development Services
Boise State University
208-426-5701
bhenry () boisestate edu
http://oit.boisestate.edu/security

