Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

VoIP & PCI Compliance

Has anyone good any good pointers on PCI Compliance with VoIP systems ? (e.g. CallManager)

Some things I'm seeing on the 'net say that any phone call involving credit card information should only go over analogue exchange lines.

My naive understanding, is that if the VoIP system isn't storing the phone call, then PCI doesn't apply.

GTG

Please rate all helpful posts.
Everyone's tags (1)
3 REPLIES
Hall of Fame Super Silver

VoIP & PCI Compliance

Gordon,

If you read the PCI for voice requirments you will notice it is extremely vague, and I've dealt with it at several financial customers especially on contact center side and they all interpret it differently.  The big thing as you notice is storage of the credit card CVV codes, which you do not have to worry about on the UC side, only on contact center side if this is collected as that cannot be stored.  Good thing about products such as CVP is that you can simply filter those variables out from any logging, reporting, etc.

HTH,

Chris

Gold

VoIP & PCI Compliance

Good answer from Chris (+5)

Yes, it is all very vague. Phone systems themselves tend not to fall under PCI per se, however where most customers get caught out is with ancillary applications such as call recording.

Again, the PCI guidelines for call recording are vague and basically state that you are not allowed to store CVV/CV2 numbers, unless you're unable not to store them. Very helpful.

My experience with PCI & call recording in particular is not to store the CVV/CV2 numbers under any circumstances. There are a number of solutions available to assist with this, but are dependant on the call recording platform being used.

Generally SRTP can't be used with call recording solutions. If you do try it, you'll find the recorded conversations are very secure, although slightly difficult to replay

HTH. Barry

VoIP & PCI Compliance

Thanks Barry & Chris. Your comments mirror my thoughts.

I was given a link to

http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Retail/PCI_Retail_DIG.html which says that for CUCM to be PCI Compliant, you have to use encryption everywhere.

What makes things harder, is that there doesn't seem to be a consensus in the PCI industry as to what the rules are.

The thing that makes me laugh, is that the payment industry says that the best way of handling credit card details on fax & PDQ machines is to connect them to analogue exchange lines: As if analogue lines are somehow more secure than a VoIP phone system !

GTG

Please rate all helpful posts.
2815
Views
15
Helpful
3
Replies
CreatePlease to create content