Call centers with VoIP phones could expand PCI scope
December 3rd, 2008 by admin Posted in Compliance, Merchant, Service Provider

I have always said I could talk for half a day on the scoping considerations of call centers. They are complex beasts that exist for the purpose of servicing customers, which often involves either accepting or retrieving cardholder data. I won’t go into every detail of call center compliance in this post, but I do want to bring up the topic of scope.
Last weekend I was speaking with an engineer who installs VoIP connections for enterprise corporations. I asked him if the voice and data networks were ever separated, and he said “no,” for quality of service (QoS) reasons. I then asked about the data port found on most VoIP phones and whether it could be used to reach the data network. Of course it could, which leads me to think that every call center using these phones could be seen as carrying a risk: someone could enter a facility with poor physical security controls, or even a temporary employee could, and plug a device into the network through the phone.
Remember, the scope of the Cardholder Data Environment (CDE) is any system that “stores, processes, or transmits” cardholder data or “any connected system”. It is the “connected system” clause that companies should explore. Companies should examine the different attack vectors and how each could negatively impact the security of cardholder data. Insecurely deployed VoIP phones could expand the scope of compliance.
Many times I work with companies to remove their call centers from scope (depending on the service offered) so they can reduce the overall cost of compliance. The problem is that unregulated systems such as these could bring the call center back into scope. I recommend reading JJ’s post on Securing Multiple Device Auth on 802.1X. I don’t know many companies that use 802.1X authentication, but it can certainly help reduce the risk of unauthorized or rogue devices.
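To make the two points above concrete (a separate voice VLAN so the phone’s data port does not land on the same segment as everything else, and 802.1X with multi-device authentication so a rogue box plugged into that port is not simply admitted), here is an added example of a single switch port before and after hardening. It is not from the post or from JJ’s article; it assumes Cisco IOS syntax, made-up VLAN numbers and interface names, and a placeholder RADIUS address and shared secret.

```cisco
! Assumed Cisco IOS syntax; interface, VLAN numbers and RADIUS details are
! hypothetical values chosen for illustration.

! BEFORE: phone and whatever is plugged into its data port share one VLAN
! with the agent workstations, and the port admits any device unauthenticated.
interface GigabitEthernet1/0/5
 description Agent desk (flat design)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

! AFTER, step 1: enable 802.1X globally and point it at RADIUS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! 192.0.2.10 and RADIUS-SECRET-PLACEHOLDER are placeholders, not real values.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER

! AFTER, step 2: split voice from data and authenticate each device on the port.
interface GigabitEthernet1/0/5
 description Agent desk: IP phone with PC on the phone's data port
 switchport mode access
 ! Data VLAN for the PC behind the phone.
 switchport access vlan 10
 ! Separate voice VLAN: the phone is tagged here, the data port is not.
 switchport voice vlan 110
 ! multi-domain = exactly one device in the voice domain and one in the
 ! data domain; each must authenticate, a third device is not admitted.
 authentication host-mode multi-domain
 authentication port-control auto
 ! A device that fails auth is dropped without shutting the whole port
 ! (keeps the phone up and leaves a log entry to alert on).
 authentication violation restrict
 dot1x pae authenticator
 ! MAC Authentication Bypass for phones that cannot speak 802.1X; the
 ! RADIUS server must explicitly list their MACs for this to succeed.
 mab
 spanning-tree portfast
```

The authentication failures this produces (syslog and RADIUS accounting records) are worth forwarding to monitoring, since a rogue device on a call-center floor shows up first as a MAB or 802.1X failure on a port that normally carries only a phone and one PC.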
7 Responses to “Call centers with VoIP phones could expand PCI scope”
By MPC Call Center Services on Dec 5, 2008
I work for a call center and we take security very seriously. Many times people think data attacks can come from attacks on security vulnerabilities in software, but no one ever imagines a thief to be creative enough to install devices within one’s own system to moderate data streams. In our facility, we have all server environments pretty locked down. I know what’s happening on my network at all times, but I also work for a large center. I believe your article is very useful for smaller centers who are using the current technology but are unfamiliar with the seriousness of network security.
By Ward Spangenberg on Dec 8, 2008
If he is implementing VoIP in that manner he should be shot. Good VoIP design always has separate VLAN access from Data. You actually create QoS problems by trying to put both types of data into the same pipe (VLAN). Troubleshooting also becomes a bear.
Pass my name along to him - tell him that I have created a VoIP Security Assessment framework and would happily demonstrate to him that he can build secure VoIP networks and protect data too no matter how big or small.
By Michael Dahn on Dec 9, 2008
@MPC yes in a secure environment the scope can be reduced. I want to make sure call centers have identified this as a risk and taken the necessary security measures to protect against it.
By Cheap Voip Service on Jul 14, 2009
Great article. The husband and I dumped landlines for voip about 2 years ago and haven’t looked back since. Our friends are cell phone only but we only have prepaid so this works out. Thanks!