We just replaced our digital phone system with a Cisco VoIP phone system.
My company has about 1000 phones across the organization. Only about 10-15 phones/users take down credit cards over the phone. We do NO phone recording.
Our computers/physical areas are already fully secured and compliant. However, the phones were a bit of an afterthought.
Do you guys have any suggestions on limiting scope? Based on the PDF "Protecting Telephone-Based Payments Special Interest Group", the ideas that pop out are:
1. Convert 10-15 phones to a Cloud solution or Analog/POTS line. These phones would be in a firewalled network that can only talk to the cloud provider. The Cloud solution would need to be "PCI compliant". In this scenario, would the scope just be the 10-15 phones, the firewall, and the Cloud provider?
2. Bring the entire existing phone system into the CDE and harden everything.
3. Spin up a new internal phone system just for these 10-15 phones that would be considered a part of the CDE.
Thanks in advance!
10-03-2019 10:29 AM
10-03-2019 05:47 PM
You're considering securing your phone system, especially for those handling credit card data. Isolating the 10-15 phones to a cloud solution or POTS line is a practical way to limit your scope while ensuring compliance. By firewalling these phones and using a PCI-compliant cloud provider, you could reduce the scope to just those phones, the firewall, and the provider.
08-28-2024 12:58 AM
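As an added illustration of the first option in the original post (this is not code from the poster, Cisco, or any provider): a small Python model of the firewall policy for the card-taking phone segment, with the flat "before" network beside the segmented "after" one, and a check of which internal hosts remain connected to the phones under each. All addresses, ports and flows are constructed placeholders.

```python
import ipaddress
from collections import namedtuple
# Constructed addresses (placeholders, not real ranges): a /28 holds the 10-15
# card-taking phones; 203.0.113.0/24 (TEST-NET-3) stands in for the cloud provider.
PHONE_VLAN = ipaddress.ip_network("10.50.0.0/28")
CORP_LAN = ipaddress.ip_network("10.0.0.0/8")   # everything else internal
PROVIDER = ipaddress.ip_network("203.0.113.0/24")
SIP_TLS_PORT = 5061                             # signalling, assumed SIP over TLS
RTP_PORTS = range(10000, 20000)                 # assumed provider media port range

Flow = namedtuple("Flow", "src dst proto dport")  # proto is "tcp" or "udp"

def member(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net
def flat_network_policy(flow: Flow) -> bool:
    """Before: phones share the corporate LAN with no firewall in between, so every
    flow passes and every desktop is 'connected to' the card-taking phones."""
    return True

def segmented_policy(flow: Flow) -> bool:
    """After: the phone VLAN may only exchange SIP-TLS and RTP with the provider;
    anything else, in either direction, is dropped (default deny)."""
    if member(flow.src, PHONE_VLAN) and member(flow.dst, PROVIDER):
        if flow.proto == "tcp" and flow.dport == SIP_TLS_PORT:
            return True
        if flow.proto == "udp" and flow.dport in RTP_PORTS:
            return True
    if member(flow.src, PROVIDER) and member(flow.dst, PHONE_VLAN):
        return flow.proto == "udp" and flow.dport in RTP_PORTS  # inbound media only
    return False

def connected_internal_hosts(policy, flows) -> list:
    """Internal hosts that can still reach, or be reached from, the phone VLAN under
    `policy`. Each one is connected to the CDE and so lands in the assessment scope."""
    hosts = set()
    for f in flows:
        if policy(f):
            for ip in (f.src, f.dst):
                if member(ip, CORP_LAN) and not member(ip, PHONE_VLAN):
                    hosts.add(ip)
    return sorted(hosts)

# Constructed sample flows: phone 10.50.0.2, corporate file server 10.20.1.5.
SAMPLE_FLOWS = [
    Flow("10.50.0.2", "203.0.113.10", "tcp", 5061),   # phone -> provider signalling
    Flow("10.50.0.2", "203.0.113.20", "udp", 12000),  # phone -> provider media
    Flow("10.50.0.2", "10.20.1.5", "tcp", 445),       # phone -> file server (SMB)
    Flow("10.20.1.5", "10.50.0.2", "tcp", 22),        # file server -> phone (SSH)
    Flow("10.50.0.2", "203.0.113.10", "tcp", 80),     # phone -> provider, plaintext HTTP
]
```

Under the flat policy the file server stays connected to the phones and is pulled into scope; under the segmented policy no internal host is, which is what keeps the assessment down to the phones, the firewall and the provider.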