<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PCI and VOIP - Suggestions to limit scope? in Integration and Testing</title>
    <link>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/90041#M56692</link>
    <description>&lt;P&gt;You're considering securing your phone system, especially for those handling credit card data. Isolating the 10-15 phones to a cloud solution or POTS line is a practical way to limit your scope while ensuring compliance. By firewalling these phones and providing the PCI-compliant cloud provider, you could reduce the scope to just those phones, the firewall, and the provider.&lt;/P&gt;</description>
    <pubDate>Wed, 28 Aug 2024 07:58:37 GMT</pubDate>
    <dc:creator>leneolivarezu</dc:creator>
    <dc:date>2024-08-28T07:58:37Z</dc:date>
    <item>
      <title>PCI and VOIP - Suggestions to limit scope?</title>
      <link>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/69287#M42341</link>
      <description>&lt;P&gt;We just replaced our digital phone system with a Cisco VOIP phone system.&lt;/P&gt;&lt;P&gt;My company has about 1000 phones across the organization. Only about 10-15 phones/users take down credit cards over the phone. We do NO phone recording.&lt;/P&gt;&lt;P&gt;Our computers/physical areas are already fully secured and compliant. However, the phones were a bit of an afterthought.&lt;/P&gt;&lt;P&gt;Do you guys have any suggestions on limiting scope? Based on the PDF "Protecting Telephone-Based Payments Special Interest Group", the ideas that pop out are:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;Convert 10-15 phones to a Cloud solution or Analog/POTS line. These phones would be in a firewalled network that can only talk to the cloud provider. The Cloud solution would need to be "PCI compliant". In this scenario, would the scope just be the 10-15 phones, the firewall, and the Cloud provider?&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Bring the entire existing phone system into the CDE and harden everything.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Spin up a new internal phone system just for these 10-15 phones that would be considered a part of the CDE.&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Thu, 03 Oct 2019 17:29:02 GMT</pubDate>
      <guid>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/69287#M42341</guid>
      <dc:creator>AjubaGomes</dc:creator>
      <dc:date>2019-10-03T17:29:02Z</dc:date>
    </item>
    <item>
      <title>Re: PCI and VOIP - Suggestions to limit scope?</title>
      <link>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/69289#M42343</link>
      <description>&lt;a href="https://community.developer.cybersource.com/t5/user/viewprofilepage/user-id/33184"&gt;@AjubaGomes&lt;/a&gt;&lt;BR /&gt;&lt;BR /&gt;That’s an interesting question. Just an FYI, auth.net has very little to say about PCI compliance other than that they are PCI compliant, Accept Hosted is SAQ A, etc. You can search the website.&lt;BR /&gt;&lt;BR /&gt;With that said, this is a good question. I take it you are a SAQ D scope merchant? And my next question is how is it that you have determined your VOIP systems are within the CDE? To me it sounds a little 50-yard-line-ish, and I am leaning towards your VOIP systems not being in the CDE at all.</description>
      <pubDate>Fri, 04 Oct 2019 00:47:27 GMT</pubDate>
      <guid>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/69289#M42343</guid>
      <dc:creator>Renaissance</dc:creator>
      <dc:date>2019-10-04T00:47:27Z</dc:date>
    </item>
    <item>
      <title>Re: PCI and VOIP - Suggestions to limit scope?</title>
      <link>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/90041#M56692</link>
      <description>&lt;P&gt;You're considering securing your phone system, especially for those handling credit card data. Isolating the 10-15 phones to a cloud solution or POTS line is a practical way to limit your scope while ensuring compliance. By firewalling these phones and providing the PCI-compliant cloud provider, you could reduce the scope to just those phones, the firewall, and the provider.&lt;/P&gt;</description>
      <pubDate>Wed, 28 Aug 2024 07:58:37 GMT</pubDate>
      <guid>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/90041#M56692</guid>
      <dc:creator>leneolivarezu</dc:creator>
      <dc:date>2024-08-28T07:58:37Z</dc:date>
    </item>
    <item>
      <title>Re: PCI and VOIP - Suggestions to limit scope?</title>
      <link>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/94261#M58302</link>
      <description>&lt;P&gt;I ran into something similar and ended up avoiding VoIP altogether for any card data paths. For other communication, I switched to using &lt;A href="https://sms.to" target="_self"&gt;sms.to&lt;/A&gt; for sending out payment links, which kept everything out of scope and way easier to manage. Took a load off the compliance side too since nothing sensitive goes through the phone lines anymore.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Oct 2025 14:32:58 GMT</pubDate>
      <guid>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/94261#M58302</guid>
      <dc:creator>Atmosgek</dc:creator>
      <dc:date>2025-10-09T14:32:58Z</dc:date>
    </item>
    <item>
      <title>Re: PCI and VOIP - Suggestions to limit scope?</title>
      <link>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/94276#M58312</link>
      <description>&lt;P&gt;We had a similar setup at work where only a small group handled payments. We ended up isolating those phones onto a separate network with strict firewall rules. It made scope much smaller and easier to manage. The rest of the phones stayed on the normal system. Also, using solid &lt;FONT color="#000000"&gt;&lt;A href="https://activecalls.com" target="_self"&gt;call center software&lt;/A&gt;&lt;/FONT&gt; helped track who’s taking payments without overcomplicating things.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Oct 2025 14:12:54 GMT</pubDate>
      <guid>https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-and-VOIP-Suggestions-to-limit-scope/m-p/94276#M58312</guid>
      <dc:creator>Duncantr</dc:creator>
      <dc:date>2025-10-13T14:12:54Z</dc:date>
    </item>
  </channel>
</rss>

