Educause Security Discussion mailing list archives
Re: PCI & VOIP Soft Phones
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 24 May 2012 07:58:37 -0600
Some of the most relevant items in this document for this point are on page nine: "Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used." "Requiring agents to use analog telephone lines when a VoIP telephone system does not provide strong cryptography," In short, they consider VOIP like any other network communication, the data must be encrypted when going over "public or open" networks. Brad Judy -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis, Thomas R Sent: Thursday, May 24, 2012 6:16 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI & VOIP Soft Phones Hi Bob, Here's a document that might help: https://www.pcisecuritystandards.org/documents/protecting_telephone-based_pa yment_card_data.pdf As others have said - best to consult your QSA. I personally prefer using a POTS for this... -- Tom Davis, CISSP, CISM Chief Security Officer Public Safety and Institutional Assurance Indiana University https://protect.iu.edu/tdavis On May 23, 2012, at 5:30 PM, Bob Henry wrote:
We have a request to assist in setting up a call center that will solicit contributions and accept payment with credit cards. The group wants to use soft phones on the PC's where they will be also be entering CC information in order to spend less than it would cost for hardware phones. The PC's are clearly in-scope for PCI and my gut says having the soft phone on the PC brings our VOIP system into scope for PCI compliance which is a nightmare. My strong recommendation is for the group to use a hardware phone which is not on the CC VLAN. Does anyone have any experience or wise words on the topic? Thanks, Bob Robert Henry, CISSP ISO & Director of Information Security Services Acting Director, OIT Development Services Boise State University 208-426-5701 bhenry () boisestate edu http://oit.boisestate.edu/security
Current thread:
- PCI & VOIP Soft Phones Bob Henry (May 23)
- Re: PCI & VOIP Soft Phones Jeff Moore (May 23)
- Re: PCI & VOIP Soft Phones John Ladwig (May 24)
- Re: PCI & VOIP Soft Phones Dave Koontz (May 23)
- Re: PCI & VOIP Soft Phones Jeff Moore (May 23)
- Re: PCI & VOIP Soft Phones Davis, Thomas R (May 24)
- Re: PCI & VOIP Soft Phones Brad Judy (May 24)
- Re: PCI & VOIP Soft Phones Mike Leach (May 24)
- Re: PCI & VOIP Soft Phones Jeff Moore (May 23)