We just replaced our digital phone system with a Cisco VOIP phone system.
My company has about 1000 phones across the organization. Only about 10-15 phones/users take down credit cards over the phone. We do NO phone recording.
Our computers/physical areas are already fully secured and compliant. However, the phones were a bit of an afterthought.
Do you guys have any suggestions on limiting scope? Based on the pdf "Protecting Telephone-Based Payments Special Interest Group", the ideas that pop out are:
1. Convert the 10-15 phones to a Cloud solution or Analog/POTS line. These phones would be in a firewalled network that can only talk to the cloud provider. The Cloud solution would need to be "PCI compliant". In this scenario, would the scope just be the 10-15 phones, the firewall, and the Cloud provider?
2. Bring the entire existing phone system into the CDE and harden everything.
3. Spin up a new internal phone system just for these 10-15 phones that would be considered part of the CDE.
Thanks in advance!
10-03-2019 10:29 AM
10-03-2019 05:47 PM
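A way to sanity-check option 1 before an assessor does: replay a set of flow probes against the firewall policy for the payment-phone segment and flag anything that widens scope (a phone reaching an internal host, or an internal host reaching a phone). This is an added example, not code from the original post; the addresses, VLAN ranges and provider ranges are constructed placeholders, with 203.0.113.0/24 standing in for the PCI-compliant cloud telephony provider.

```python
import ipaddress

# Constructed sample policy for the payment-phone segment (first match wins,
# implicit deny at the end). Placeholders: 10.50.0.0/27 holds the 10-15 payment
# phones, 10.50.0.1 is the segment gateway, 203.0.113.0/24 is the cloud provider.
PAYMENT_PHONES = ipaddress.ip_network("10.50.0.0/27")
GATEWAY = ipaddress.ip_address("10.50.0.1")
PROVIDER = ipaddress.ip_network("203.0.113.0/24")

# (src_cidr, dst_cidr, proto, allowed dst ports, action)
POLICY = [
    ("10.50.0.0/27", "203.0.113.0/24", "udp", range(5060, 5062), "allow"),    # SIP signalling
    ("10.50.0.0/27", "203.0.113.0/24", "udp", range(10000, 20001), "allow"),  # RTP media
    ("10.50.0.0/27", "10.50.0.1/32", "udp", range(53, 54), "allow"),          # DNS via gateway
    ("0.0.0.0/0", "0.0.0.0/0", "any", range(0, 65536), "deny"),               # everything else
]

def evaluate(policy, src, dst, proto, port):
    """Return the action of the first rule matching the flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p, ports, action in policy:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and p in ("any", proto) and port in ports):
            return action
    return "deny"

def segmentation_findings(policy, probes):
    """Replay scope probes against the policy. A finding means a payment phone can
    reach something other than the provider/gateway (that host joins the CDE scope)
    or an outside host can reach a payment phone (segmentation does not hold).
    Returns the list of findings; an empty list means scope is intact."""
    findings = []
    for src, dst, proto, port in probes:
        if evaluate(policy, src, dst, proto, port) != "allow":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in PAYMENT_PHONES and d not in PROVIDER and d != GATEWAY:
            findings.append(f"phone {src} -> {dst}:{port}/{proto} allowed; {dst} is now in scope")
        elif s not in PAYMENT_PHONES and d in PAYMENT_PHONES:
            findings.append(f"{src} -> payment phone {dst}:{port}/{proto} allowed; segment breached")
    return findings

# Constructed probe set: provider traffic, corporate LAN, internet, inbound admin access.
PROBES = [
    ("10.50.0.5", "203.0.113.10", "udp", 5060),   # phone -> provider SIP
    ("10.50.0.5", "203.0.113.10", "udp", 12000),  # phone -> provider RTP
    ("10.50.0.5", "10.20.1.7", "tcp", 445),       # phone -> corporate file server
    ("10.50.0.5", "198.51.100.9", "tcp", 443),    # phone -> arbitrary internet host
    ("10.20.1.7", "10.50.0.5", "tcp", 22),        # corporate host -> phone
]
```

Running `segmentation_findings(POLICY, PROBES)` on this policy returns no findings; adding a single "corporate LAN to phones" allow rule produces a "segment breached" finding, which is exactly the kind of rule that drags the rest of the network back into scope.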
You're considering securing your phone system, especially for those handling credit card data. Isolating the 10-15 phones to a cloud solution or POTS line is a practical way to limit your scope while ensuring compliance. By firewalling these phones and using a PCI-compliant cloud provider, you could reduce the scope to just those phones, the firewall, and the provider.
08-28-2024 12:58 AM
I ran into something similar and ended up avoiding VoIP altogether for any card data paths. For other communication, I switched to using sms.to for sending out payment links, which kept everything out of scope and way easier to manage. Took a load off the compliance side too since nothing sensitive goes through the phone lines anymore.
10-09-2025 07:32 AM - edited 10-09-2025 07:32 AM
We had a similar setup at work where only a small group handled payments. We ended up isolating those phones onto a separate network with strict firewall rules. It made scope much smaller and easier to manage. The rest of the phones stayed on the normal system. Also, using solid call center software helped track who’s taking payments without overcomplicating things.
10-13-2025 07:12 AM - edited 10-13-2025 07:12 AM