PCI compliance and IP phone question.

jkeeffe · ‎09-03-2010

Here's the set up. We have a standard VoIP PC and IP phone connection that has been working very good. The PC is plugged into an

IP phone which is plugged into either a Cisco 3750 or 6509 switch. The PC is in a different vlan and IP address space than the IP

phone - and standard VoIP QOS applied to the switches and network infrastructure. We're following the Cisco QOS SRND recommendations and all is working well.

The PC processes and sends credit card information out onto the network so we are required to segment that traffic and the PC

from the rest of the non-credit card data flow. This we are doing to follow PCI compliance rules.

Now for the question. Since the PC traffic passes through the IP phone, does that make the phone 'in scope' and therefore

all the rules of PCI compliance apply to the IP phone as well?

Second question: If the answer to the first question is 'Yes,' then are the PBX systems that connect to that phone, and the

HTTP/tftp servers that send the config files to the phone in scope also? (We use Avaya IP phones and all the Avaya IP PBX seerver systems.)

CHRIS CHARLEBOIS · ‎09-10-2010

I beleive it would. The phone is technically classified as a switch, so traffic from the PC is segmented from the voice/IP Phone traffic. One caveat is that you probably need to disable 'Span to PC port'. This is disabled by default on all versions that I am aware of, but I sometimes turn it on for troubleshooting purposes or if I am using a PC based recording application.