Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Gordon Ross
Gordon Ross Blue
Blue
‎02-27-2012 10:05 AM
‎02-27-2012 10:05 AM

VoIP & PCI Compliance

Has anyone good any good pointers on PCI Compliance with VoIP systems ? (e.g. CallManager)

Some things I'm seeing on the 'net say that any phone call involving credit card information should only go over analogue exchange lines.

My naive understanding, is that if the VoIP system isn't storing the phone call, then PCI doesn't apply.

GTG

Please rate all helpful posts.
Labels:
Everyone's tags (1)
0 Helpful
Reply
3 REPLIES
Chris Deren
Hall of Fame Super Silver Chris Deren Hall of Fame Super Silver
Hall of Fame Super Silver
‎02-27-2012 10:23 AM
‎02-27-2012 10:23 AM

VoIP & PCI Compliance

Gordon,

If you read the PCI for voice requirments you will notice it is extremely vague, and I've dealt with it at several financial customers especially on contact center side and they all interpret it differently.  The big thing as you notice is storage of the credit card CVV codes, which you do not have to worry about on the UC side, only on contact center side if this is collected as that cannot be stored.  Good thing about products such as CVP is that you can simply filter those variables out from any logging, reporting, etc.

HTH,

Chris

Reply
barry
barry Gold
Gold
‎02-27-2012 10:53 AM
‎02-27-2012 10:53 AM

VoIP & PCI Compliance

Good answer from Chris (+5)

Yes, it is all very vague. Phone systems themselves tend not to fall under PCI per se, however where most customers get caught out is with ancillary applications such as call recording.

Again, the PCI guidelines for call recording are vague and basically state that you are not allowed to store CVV/CV2 numbers, unless you're unable not to store them. Very helpful.

My experience with PCI & call recording in particular is not to store the CVV/CV2 numbers under any circumstances. There are a number of solutions available to assist with this, but are dependant on the call recording platform being used.

Generally SRTP can't be used with call recording solutions. If you do try it, you'll find the recorded conversations are very secure, although slightly difficult to replay

HTH. Barry

Reply
Gordon Ross
Gordon Ross Blue
Blue
‎02-28-2012 12:25 AM
‎02-28-2012 12:25 AM

VoIP & PCI Compliance

Thanks Barry & Chris. Your comments mirror my thoughts.

I was given a link to

http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Retail/PCI_Retail_DIG.html which says that for CUCM to be PCI Compliant, you have to use encryption everywhere.

What makes things harder, is that there doesn't seem to be a consensus in the PCI industry as to what the rules are.

The thing that makes me laugh, is that the payment industry says that the best way of handling credit card details on fax & PDQ machines is to connect them to analogue exchange lines: As if analogue lines are somehow more secure than a VoIP phone system !

GTG

Please rate all helpful posts.
0 Helpful
Reply
Latest Documents
Demystifying SIP URI Dialling: CUCM routing logic
Created by Ayodeji Okanlawon on 04-10-2018 05:03 AM
0
35
0
35
 IntroductionCUCM Routing RulesDial String implementation PolicyCUCM Routing LogicSIP URI Call Routing Analysis+++ Case Study: 1 ++++++ Case Study: 2 +++Conclusion Introduction  Over the last few months, I have had the privilege of working on SI... view more
Unable to create VIF interface on ISR G3 / ISR 4K
Created by kishahuj on 03-15-2018 04:29 PM
0
5
0
5
  ISRG3 we need Appx license which includes data and application features to configure VIF interface
RTMT Plugin Installation Error on Windows Machine
Created by Muk AD on 03-09-2018 12:28 PM
0
0
0
0
Hi All, Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers... view more
All Documents
2815
Views
15
Helpful
3
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
SIP TRUNKS and RUN on ALL ACTIVE CM NODES
Created by Ayodeji Okanlawon on 02-07-2014 05:54 AM
26
254
26
254
CUBE SIP Media and Signalling Binding to an Interface
Created by Ayodeji Okanlawon on 04-04-2013 06:48 AM
69
135
69
135
Understanding Expressway SIP messaging
Created by Ayodeji Okanlawon on 10-07-2014 07:00 AM
1
81
1
81
All Blogs