VoIP for credit card processing voids PCI Compliance
If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.
This explanation attempts to detail why. Traditional phone = analog. Traditional lines carry the signal over physical hardware, i.e. the copper wire. When using a 2008-compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back using analog signals.
VoIP = digital. VoIP traffic flows across the Internet in unencrypted packets, which means anyone with access to the network between sender and recipient can intercept them. So the desktop terminal may be compliant, but once the data is on the open network, the merchant setup is no longer PCI Compliant. Even though there are optional packages that can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.
If you attach a magnetic card swipe to your computer, the transaction is processed using SSL security. That is not the same as VoIP. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone, and a private key known only to the recipient. The magnetic card reader can be used with many POS systems and a high-speed DSL, cable modem or T1 line.
Internet, ecommerce, and virtual terminal transactions all use SSL.
There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a Gateway. The Gateway enables secure, real-time payment processing of credit card transactions. It is not the same as a credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific information through to the credit card processor to get better rates. Most systems focus on fraud protection, but do not necessarily pass through the critical data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data, and sometimes the gateway doesn’t pass the data; it all depends on company capabilities.
I’m not a tech expert, but in general, the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.
Tags: gateway, PCI compliance, SSL, voip

January 6th, 2009 at 10:18 pm
You are incorrect. Some VOIP vendors encrypt packets.
January 12th, 2009 at 6:38 pm
Yes, some VOIP vendors do encrypt packets and paragraph 3 supports that, albeit in different wording. However, Visa & MasterCard officially state (as of December 2008) there is no acceptable VoIP solution that meets PCI Compliance requirements. It doesn’t matter what the VoIP host actually does, says it does, or how it does it. All that really matters is what Visa & MasterCard have deemed acceptable.
Since all merchants must meet minimum PCI Compliance, there is no acceptable VoIP solution at this time.
March 3rd, 2009 at 10:55 pm
Can you please post the link to the page or document in which Visa and/or Mastercard state that no VOIP implementation can be PCI compliant? Thanks.
March 9th, 2009 at 4:57 pm
In order to cut down on the expense of purchasing another land line exclusively for my OMNI 3200 credit card processing terminal, I want to use a VOIP system. The problem is that the OMNI only works on the old copper wire, and is thus analog. Is there a way to convert an analog signal into digital so that it can be used on the computer/VOIP? I’m confused. The representatives at the credit processing company I use seem clueless or apathetic - or at least not very creative!
March 9th, 2009 at 5:53 pm
Regardless of whether it’s technically feasible, if you did convert it, as this article states, it would not meet Visa & MasterCard compliance requirements. You have alternatives.
Do you need the terminal?
If your customers are not present, i.e. the card is not present when you process the transaction, then you do not need the 3200 at all. With a Virtual Terminal, you need an internet connection only, no phone line, no hardware. Most of my clients get the virtual terminal FREE.
Are your customers physically present for you to swipe? If the answer is yes, then you need to swipe. You can buy a magnetic card swipe with USB connection and hook it up to your terminal. This is a one time outlay of about $75 for the terminal, and again, you hook it up to your computer with USB. This assumes you have a computer with internet connection at the point of sale. This service is typically $18 per month but can vary depending on your business needs.
I recommend Magtek card readers. I also recommend you spend the money on a new one to make sure it meets current security requirements since they don’t cost much.
Those are the only two solutions I know that would enable you to remain PCI Compliant, since the 3200 on VoIP would null that.
March 9th, 2009 at 6:01 pm
OK - I did a quick search to find the link and couldn’t. However, this post was not done without research even though I can’t put my fingers on the resource at the moment.
So without finding the specific reference, here is further comment:
- scenario: The merchant provider installs an approved PCI PED approved terminal onto a land line. The merchant is responsible for ensuring compliance. The merchant now switches to a VoIP application that was not there for the install. Maybe it’s an encrypted solution, maybe not. Is the encryption now end-to-end? Who’s liable in the event of a data loss? No answer needed as it’s a rhetorical question. Does the merchant want to accept the potential liability?
I don’t know any credit card processors that will knowingly allow anyone to connect to their network using VoIP. That doesn’t mean they are not out there. Everyone WILL reference you back to the PCI Security Standards Council as well as MasterCard & Visa association rules. Can you pass all the requirements using VoIP? If you can answer yes, and your processor will put you on their network, then go ahead.
Related reference: IP-enabled POS terminal
March 12th, 2009 at 10:30 pm
I did find Visa’s statement on VOIP here:
http://usa.visa.com/download/merchants/20071228_datasecurityalert_voip.pdf
According to that document, they do not specifically say that VOIP is not PCI compliant. They do say to make sure your VOIP provider uses encryption, use a firewall and have separate lines for voice and data.
I could find mastercard’s statement on VOIP.
March 20th, 2009 at 11:48 pm
If you process your cards through an internet connection, does this problem go away?
March 23rd, 2009 at 5:26 pm
Your question could be interpreted different ways, so I’ll clarify the answer.
If you are using a secure gateway or secure virtual terminal, then yes, the problem goes away.
March 23rd, 2009 at 5:49 pm
Final clarification on this topic. I believe when I wrote the article, the intent was to explain why you can’t just plug your VoIP connection in to your credit card terminal. ie the type of VoIP connection most people are likely to have that have encountered some problems with suppliers telling them about security problems. Thanks to all who provided input, here is the breakout of both types of VoIP issues you may be seeking answers to:
PCI Compliant terminal with standard VoIP connection is non-compliant. There is no getting around this.
PCI Compliant terminal with encrypted VoIP may be compliant if the connection meets requirements of all published Visa and MasterCard (and any other types of cards that you are going to swipe) data security rules, including encryption and firewalls. It must also meet the standards as outlined for your type of business at https://www.pcisecuritystandards.org/
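One way to verify the "encrypted VoIP" part of that checklist from a capture of the call setup, as an added example that is not part of the original post or of any vendor's software: it inspects a SIP INVITE's Via header for TLS transport and its SDP body for an SRTP media profile (RTP/SAVP) plus a negotiated key line (a=crypto for SDES, a=fingerprint for DTLS-SRTP), which are the standard SIP/SDP conventions. Both INVITE messages are constructed samples and the key material is a placeholder.

```python
import re

# Constructed sample: SIP over UDP, media as plain RTP (RTP/AVP), no key line.
PLAIN_INVITE = """INVITE sip:processor@example.invalid SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776
Content-Type: application/sdp

v=0
c=IN IP4 192.0.2.10
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

# Constructed sample: SIP over TLS, media as SRTP (RTP/SAVP) with an SDES
# key line (a=crypto). The key material is a placeholder, not a real key.
ENCRYPTED_INVITE = """INVITE sip:processor@example.invalid SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK777
Content-Type: application/sdp

v=0
c=IN IP4 192.0.2.10
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL
a=rtpmap:0 PCMU/8000
"""


def assess_voip_encryption(sip_message: str) -> dict:
    """Report whether the SIP signaling and the RTP media are encrypted.

    A dial-up terminal's modem session travels inside the media stream, so
    the media result decides whether the transaction crosses the network in
    the clear; the signaling result covers the call setup itself.
    """
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    vias = [h for h in head.splitlines() if h.lower().startswith("via:")]
    signaling_tls = any("SIP/2.0/TLS" in v.upper() for v in vias)
    media = [ln for ln in body.splitlines() if ln.startswith("m=")]
    # Every media line must carry a secure profile: RTP/SAVP, RTP/SAVPF or
    # DTLS-SRTP's UDP/TLS/RTP/SAVP all end in "RTP/SAVP" or "RTP/SAVPF".
    secure_profile = bool(media) and all(
        re.search(r"RTP/SAVPF?(\s|$)", m) for m in media)
    # Keys must also be negotiated: SDES (a=crypto) or DTLS (a=fingerprint).
    keyed = any(ln.startswith(("a=crypto:", "a=fingerprint:"))
                for ln in body.splitlines())
    media_srtp = secure_profile and keyed
    return {"signaling_encrypted": signaling_tls,
            "media_encrypted": media_srtp,
            "call_encrypted": signaling_tls and media_srtp}
```

A secure profile without a key line (or the reverse) is reported as unencrypted media, since either half alone does not protect the stream.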
March 27th, 2009 at 9:00 pm
100 year old copper wire system has more Encryption than anyone else…. wow