[VoiceOps] PCI Compliance and VoIP

Justin B Newman justin at ejtown.org
Wed Oct 19 20:20:24 EDT 2011


On Wed, Oct 19, 2011 at 6:42 PM, Geoffrey Mina <gmina at connectfirst.com> wrote:
> That's the example scenario I'm working on. We are public internet to our ITSP. There are call center agents on our network taking CC info on the phone. They are claiming that for PCI 1 they can't use a service like ours.
>

The PCI glossary specifically identifies wireless networks as a
"public network." (In the body, it specifically mentions GSM). To
extend PCI requirements to the communications link between merchant
and customer, albeit an interesting idea, would suggest that the
merchant should not accept a credit card # from a customer, if the
merchant knows the customer is on a GSM phone.

That said, because of the way PCI is written, I can see a customer's
VoIP infrastructure coming within scope if they have no internal
network segmentation. (PCI essentially says, if you don't segment the
cardholder data from everything else, everything's in scope). A simple
VLAN might take care of this problem for them.

As an FYI, there are no "additional" PCI security requirements, per
se, for a Level 1 merchant. Level 1 merchants have additional
requirements in terms of "validation" ... they can't do a
self-assessment questionnaire, and must instead hire an auditor, but
the actual security rules are the same for everyone.

-jbn
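The scoping point above (no segmentation means everything is in scope; a VLAN with an ACL between it and the cardholder data environment can take the VoIP side out of scope) is easier to see worked through. The following is an added example, not code from the VoiceOps thread or from either poster: it models a handful of VLANs and a first-match inter-VLAN ACL, then computes which VLANs can open connections into the CDE and therefore land in PCI scope. The VLAN names, the rulesets and the "connected-to means in scope" criterion are assumptions made for the illustration.

```python
"""Added example: a toy PCI scope calculator for VLAN-segmented networks.

PCI DSS pulls any system that can connect into the cardholder data
environment (CDE) into scope.  This models that rule for a flat network
(no ACL) versus a segmented one, to show why "no segmentation => everything
in scope" and how a single deny rule changes the answer.  VLAN names and
rules below are constructed for the example, not taken from the thread.
"""
from itertools import product

# Constructed toy network (assumption): which VLANs exist and which hold card data.
VLANS = ["cde", "voip", "mgmt", "office", "guest-wifi"]
CDE = {"cde"}  # agents' payment workstations / application servers


def acl_permits(rules, src, dst):
    """First-match ACL evaluation with an implicit deny at the end.

    rules: list of (action, src_vlan, dst_vlan); action is 'permit' or
    'deny', and 'any' is a wildcard for either VLAN field.
    """
    for action, rule_src, rule_dst in rules:
        if rule_src in ("any", src) and rule_dst in ("any", dst):
            return action == "permit"
    return False  # nothing matched: implicit deny


def reachable_pairs(vlans, rules):
    """All (src, dst) VLAN pairs for which the ACL lets src initiate to dst."""
    return {
        (s, d)
        for s, d in product(vlans, repeat=2)
        if s != d and acl_permits(rules, s, d)
    }


def in_scope(vlans, cde, rules):
    """VLANs in PCI scope: the CDE itself plus every VLAN that can reach it.

    This applies the 'connected-to systems are in scope' criterion directly
    (one hop into the CDE); it does not try to model every nuance of PCI
    scoping guidance.
    """
    flows = reachable_pairs(vlans, rules)
    return set(cde) | {src for src, dst in flows if dst in cde}


# Scenario 1: a flat network, i.e. no inter-VLAN restrictions at all.
FLAT_NETWORK = [("permit", "any", "any")]

# Scenario 2: segmented.  Only the management VLAN may reach the CDE;
# everything else (including the VoIP VLAN) is denied, and non-CDE traffic
# is otherwise unrestricted.
SEGMENTED = [
    ("permit", "mgmt", "cde"),
    ("deny", "any", "cde"),
    ("permit", "any", "any"),
]


def scope_report(rules):
    """Human-readable summary of which VLANs are in scope under a ruleset."""
    scoped = in_scope(VLANS, CDE, rules)
    return {v: (v in scoped) for v in VLANS}


if __name__ == "__main__":
    print("flat network   :", scope_report(FLAT_NETWORK))
    print("segmented      :", scope_report(SEGMENTED))
    print("voip -> cde allowed under segmentation?",
          acl_permits(SEGMENTED, "voip", "cde"))
```

Under the flat ruleset every VLAN, VoIP included, ends up in scope; under the segmented ruleset only the CDE and the one VLAN explicitly permitted to reach it do. The important practical check is that the deny rule sits before the catch-all permit, since the evaluation is first-match.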


