Showing results for 
Search instead for 
Did you mean: 

VoIP & PCI Compliance

Gordon Ross

Has anyone good any good pointers on PCI Compliance with VoIP systems ? (e.g. CallManager)

Some things I'm seeing on the 'net say that any phone call involving credit card information should only go over analogue exchange lines.

My naive understanding, is that if the VoIP system isn't storing the phone call, then PCI doesn't apply.


Please rate all helpful posts.
3 Replies 3

Chris Deren
Hall of Fame Master Hall of Fame Master
Hall of Fame Master


If you read the PCI for voice requirments you will notice it is extremely vague, and I've dealt with it at several financial customers especially on contact center side and they all interpret it differently.  The big thing as you notice is storage of the credit card CVV codes, which you do not have to worry about on the UC side, only on contact center side if this is collected as that cannot be stored.  Good thing about products such as CVP is that you can simply filter those variables out from any logging, reporting, etc.



Good answer from Chris (+5)

Yes, it is all very vague. Phone systems themselves tend not to fall under PCI per se, however where most customers get caught out is with ancillary applications such as call recording.

Again, the PCI guidelines for call recording are vague and basically state that you are not allowed to store CVV/CV2 numbers, unless you're unable not to store them. Very helpful.

My experience with PCI & call recording in particular is not to store the CVV/CV2 numbers under any circumstances. There are a number of solutions available to assist with this, but are dependant on the call recording platform being used.

Generally SRTP can't be used with call recording solutions. If you do try it, you'll find the recorded conversations are very secure, although slightly difficult to replay

HTH. Barry

Thanks Barry & Chris. Your comments mirror my thoughts.

I was given a link to which says that for CUCM to be PCI Compliant, you have to use encryption everywhere.

What makes things harder, is that there doesn't seem to be a consensus in the PCI industry as to what the rules are.

The thing that makes me laugh, is that the payment industry says that the best way of handling credit card details on fax & PDQ machines is to connect them to analogue exchange lines: As if analogue lines are somehow more secure than a VoIP phone system !


Please rate all helpful posts.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers