We continue to hear from our customers that their traditional analog phone lines are being replaced across campus by Voice over Internet Protocol (VoIP) telephones, in which all phone services are provided over a network connection. This transition can affect your PCI compliance program in multiple ways, but perhaps the most significant is the connection of any replacement payment card devices or terminals. Bringing in the new system and equipment can, if not done correctly, also bring the connected network into PCI scope.
What are your options if your organization is transitioning to VoIP? At a high level, you can do one of the following:
- Maintain enough analog lines to allow connectivity for analog equipment (along with the payment card terminals, this may include other analog devices like fax machines, emergency phones, and alarm systems).
- Transition the payment card terminals to connect via IP or cellular. Your current terminals may already have this functionality, or you may need to contact your acquiring bank to discuss options for new devices. If you are able to use a cellular-connected terminal, verify cellular service/connectivity within each merchant location. These merchants may still be eligible to complete SAQ B, or may have to change over to SAQ B-IP, depending on how the terminal connects to the cellular network. Merchants that transition to IP-based terminals become responsible for completing SAQ B-IP, which has additional requirements beyond the previously required SAQ B, including the requirement for a segmented network environment. If you already have a defined CDE/PCI network in place, this may not be a huge effort. However, if you have not previously defined a segmented network for payment card activity, the resources and costs needed might make this a larger undertaking. Review the SAQ B-IP requirements.
- Implement a Point-to-Point Encryption (P2PE) solution. Depending on your merchant environment, there may also be P2PE solutions that integrate with specific POS applications, saving your staff from having to perform manual reconciliations. A PCI Council-listed P2PE solution can bring higher front-end acquisition costs, as well as additional gateway/per-transaction fees, but when comparing these costs long-term against building a compliant PCI network/environment, most organizations find that P2PE is the less expensive alternative, with more flexibility as well. Remember, you can confirm that a solution is truly P2PE by checking the listing on the PCI SSC website.
We have seen organizations use an Analog Telephone Adapter (ATA) to connect their current analog devices to a VoIP line. However, ATAs are designed to compress voice traffic, not to carry modem or payment card traffic, so they are generally not recommended because of latency and transmission failures. ATAs also raise PCI compliance concerns: using the device does not, by itself, encrypt the transmitted data, so your IT team must secure the VoIP traffic.
Implementing VoIP also presents compliance concerns for any merchant that accepts payment card information over a VoIP phone line. This is considered transmission of cardholder data and brings your VoIP network into scope for PCI. The PCI SSC published updated industry guidance on telephone-based payments in November 2018.
If you have questions on what VoIP means for your PCI compliance status or would like to discuss in more detail, please contact us.
Additional guidance from our Security Advisor team:
[Campbell]: This is once again the attack of the Scope Monster. The first thing we have to acknowledge is that a VoIP network is just a network when it comes to PCI DSS. I.e., the Scope Monster doesn't care why or how you use a network. If a network is used to transmit or process cardholder data, that network is in PCI DSS scope.
As noted in the article above, this means that both acceptance of cardholder data over a VoIP phone and connecting a payment terminal to a VoIP network bring that network into scope. This might be acceptable and the best path forward for your organization, but given the evolution of the payments industry and the explosion of validated P2PE solutions and the integrations with those solutions, it behooves you to explore available P2PE options, and then weigh costs/benefits. Slay the Scope Monster!