
VoIP & PCI Compliance

Gordon Ross
Level 9

Has anyone got any good pointers on PCI Compliance with VoIP systems? (e.g. CallManager)

Some things I'm seeing on the 'net say that any phone call involving credit card information should only go over analogue exchange lines.

My naive understanding is that if the VoIP system isn't storing the phone call, then PCI doesn't apply.

GTG

Please rate all helpful posts.
3 Replies

Chris Deren
Hall of Fame

Gordon,

If you read the PCI for voice requirements you will notice it is extremely vague, and I've dealt with it at several financial customers, especially on the contact center side, and they all interpret it differently. The big thing, as you notice, is storage of the credit card CVV codes, which you do not have to worry about on the UC side, only on the contact center side if this is collected, as that cannot be stored. The good thing about products such as CVP is that you can simply filter those variables out from any logging, reporting, etc.

HTH,

Chris
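
As an added illustration of the log filtering Chris describes (this is example code, not code from the thread, from CVP or from Cisco), the Python below scrubs a few constructed contact-centre log lines before they would be written or forwarded: security-code values are dropped entirely, since the thread's point is that CVV/CV2 may never be stored, and card numbers are masked to their last four digits only when they pass the Luhn check, so an order reference that merely looks like a card number is left alone. The field names (cvv, CVV2, pan, card, order_ref) and the log format are assumptions for the example; CVP's own variable names are not used here.

```python
import re

# Constructed sample contact-centre log lines (not from any real system).
# 4111 1111 1111 1111 and 5500000000000004 are well-known Luhn-valid test numbers;
# 1234567890123456 is 16 digits but fails Luhn, so it must survive untouched.
SAMPLE_LOG = [
    'call=abc123 pan="4111 1111 1111 1111" cvv=123 exp=12/27',
    'call=abc124 order_ref=1234567890123456 amount=19.99',
    'call=abc125 CVV2: 9876 card=5500000000000004',
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Phone numbers and timestamps fall short of 13 digits and are not touched.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Security-code fields (assumed key names): the value is removed, never partially masked.
CVV_FIELD = re.compile(r'(?i)\b(cvv2?|cvc2?|cid)\b(\s*[=:]\s*"?)(\d{3,4})\b')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Keep only the last four digits of a Luhn-valid candidate; leave anything else as is."""
    raw = match.group(0)
    digits = re.sub(r'[ -]', '', raw)
    if not luhn_ok(digits):
        return raw              # e.g. an order reference that only looks like a PAN
    return '*' * (len(digits) - 4) + digits[-4:]


def scrub(line: str) -> str:
    """Redact CVV/CVC values and mask PANs in one log line."""
    # Security codes first, so their digits are gone before any PAN matching runs.
    line = CVV_FIELD.sub(lambda m: f'{m.group(1)}{m.group(2)}[REDACTED]', line)
    return PAN_CANDIDATE.sub(mask_pan, line)


def scrub_all(lines):
    """Scrub a sequence of log lines, preserving order."""
    return [scrub(ln) for ln in lines]


if __name__ == '__main__':
    for cleaned in scrub_all(SAMPLE_LOG):
        print(cleaned)
```

The Luhn check is what keeps the filter from mangling every long number in the log; the trade-off is that a card number keyed with a typo will not be masked, so a redaction filter like this belongs in front of the logger as a last line of defence, not as a substitute for never collecting the value into a logged variable in the first place.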

Good answer from Chris (+5)

Yes, it is all very vague. Phone systems themselves tend not to fall under PCI per se, however where most customers get caught out is with ancillary applications such as call recording.

Again, the PCI guidelines for call recording are vague and basically state that you are not allowed to store CVV/CV2 numbers, unless you're unable not to store them. Very helpful.

My experience with PCI & call recording in particular is not to store the CVV/CV2 numbers under any circumstances. There are a number of solutions available to assist with this, but they are dependent on the call recording platform being used.

Generally SRTP can't be used with call recording solutions. If you do try it, you'll find the recorded conversations are very secure, although slightly difficult to replay.

HTH. Barry

Thanks Barry & Chris. Your comments mirror my thoughts.

I was given a link to

http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Retail/PCI_Retail_DIG.html which says that for CUCM to be PCI Compliant, you have to use encryption everywhere.

What makes things harder, is that there doesn't seem to be a consensus in the PCI industry as to what the rules are.

The thing that makes me laugh, is that the payment industry says that the best way of handling credit card details on fax & PDQ machines is to connect them to analogue exchange lines: As if analogue lines are somehow more secure than a VoIP phone system !

GTG

Please rate all helpful posts.