
PCI and VOIP - Suggestions to limit scope?

We just replaced our digital phone system with a Cisco VOIP phone system.

My company has about 1000 phones across the organization. Only about 10-15 phones/users take down credit cards over the phone. We do NO phone recording.

Our computers/physical areas are already fully secured and compliant. However, the phones were a bit of an afterthought.

Do you guys have any suggestions on limiting scope? Based on the PDF "Protecting Telephone-Based Payments Special Interest Group", the ideas that pop out are:

  • Convert 10-15 phones to a Cloud solution or Analog/POTS line. These phones would be in a firewalled network that can only talk to the cloud provider. The Cloud solution would need to be "PCI compliant". In this scenario, would the scope just be the 10-15 phones, the firewall, and the Cloud provider?

  • Bring the entire existing phone system into the CDE and harden everything.

  • Spin up a new internal phone system just for these 10-15 phones that would be considered a part of the CDE

Thanks in advance!


That’s an interesting question. Just an FYI, has very little to say about PCI compliance other than that they are PCI compliant, except Hosted is SAQ A, etc. You can search the website.

With that said, this is a good question. I take it you are a SAQ D scope merchant? And my next question is how is it that you have determined your VOIP systems are within the CDE? To me it sounds a little 50-yard-line-ish, and I am leaning towards your VOIP systems not being in the CDE at all.