Here's the setup. We have a standard VoIP PC and IP phone connection that has been working very well. The PC is plugged into an
IP phone which is plugged into either a Cisco 3750 or 6509 switch. The PC is in a different VLAN and IP address space than the IP
phone, and standard VoIP QoS is applied to the switches and network infrastructure. We're following the Cisco QoS SRND recommendations and all is working well.
The PC processes and sends credit card information out onto the network so we are required to segment that traffic and the PC
from the rest of the non-credit card data flow. This we are doing to follow PCI compliance rules.
Now for the question. Since the PC traffic passes through the IP phone, does that make the phone 'in scope' and therefore
all the rules of PCI compliance apply to the IP phone as well?
Second question: If the answer to the first question is 'Yes,' then are the PBX systems that connect to that phone, and the
HTTP/TFTP servers that send the config files to the phone, in scope also? (We use Avaya IP phones and all the Avaya IP PBX server systems.)