VoIP for credit card processing voids PCI Compliance

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. A traditional phone line is analog: the terminal's built-in modem dials the processor over the copper line, which gives the two ends a dedicated circuit for the duration of the call. When using a 2008-compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back as analog modem signals over that circuit.

VoIP is digital. Standard VoIP traffic (SIP signalling and RTP media) crosses the Internet as packets that are unencrypted by default, which means anyone with access to the network path between sender and recipient can capture them and recover the audio, including the tones a terminal's modem or keypad sends. So the desktop terminal itself may be compliant, but once the data is on the open network the merchant's set-up is no longer PCI compliant. Some VoIP networks offer optional encryption packages, but they do not meet current PCI compliance standards for the credit card processing industry.
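To make the interception point concrete, here is an added example (not code from the original post) that parses RTP packets carrying RFC 4733 telephone-event (DTMF keypad) payloads and recovers the digits a caller keyed in. The sample capture is constructed inline; the payload type 101, the SSRC and the per-digit packet counts are assumptions for the example, though the packet layout follows RFC 3550 and RFC 4733. With plain RTP no key is needed to read any of this; only SRTP would hide the payload.

```python
"""Recover DTMF digits from plain (non-SRTP) RTP telephone-event packets.

Added example, not from the original post. The capture below is constructed
to model a caller keying a test card number into an IVR over ordinary VoIP;
anyone on the network path can recover the digits with this much code.
"""
import struct

TELEPHONE_EVENT_PT = 101   # dynamic payload type; assumed negotiated in SDP
DTMF_EVENTS = "0123456789*#ABCD"  # RFC 4733 event codes 0..15


def parse_rtp(packet: bytes) -> dict:
    """Split a raw RTP packet (RFC 3550) into header fields and payload."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F                       # CSRC count
    has_ext = bool(b0 & 0x10)
    padding = bool(b0 & 0x20)
    offset = 12 + 4 * cc
    if has_ext:                          # skip header extension if present
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if padding and payload:              # last byte says how much padding
        payload = payload[:len(payload) - payload[-1]]
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def parse_telephone_event(payload: bytes) -> dict:
    """Decode the 4-byte RFC 4733 event block: event, E bit, volume, duration."""
    event, flags_vol, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "end": bool(flags_vol & 0x80),
            "volume": flags_vol & 0x3F, "duration": duration}


def extract_dtmf(packets, pt=TELEPHONE_EVENT_PT) -> str:
    """Recover keyed digits from a list of raw RTP packets.

    RFC 4733 repeats one key press in several packets (same RTP timestamp,
    growing duration) and retransmits the final 'end' packet three times, so
    a digit is counted once per (SSRC, timestamp) when the E bit is set.
    """
    digits, seen = [], set()
    for raw in packets:
        pkt = parse_rtp(raw)
        if pkt["pt"] != pt:              # not a telephone-event packet (e.g. voice)
            continue
        ev = parse_telephone_event(pkt["payload"])
        key = (pkt["ssrc"], pkt["ts"])
        if ev["end"] and key not in seen and ev["event"] < len(DTMF_EVENTS):
            seen.add(key)
            digits.append(DTMF_EVENTS[ev["event"]])
    return "".join(digits)


def build_event_packets(digits, ssrc=0x1234ABCD, seq0=1000, ts0=160000):
    """Constructed sample capture: per digit, three in-progress packets then
    the end packet repeated three times, as a real endpoint would send."""
    packets, seq, ts = [], seq0, ts0
    for d in digits:
        event = DTMF_EVENTS.index(d)
        frames = [(False, 160), (False, 320), (False, 480)] + [(True, 640)] * 3
        for i, (end, dur) in enumerate(frames):
            b0 = 0x80                                   # V=2, no P/X/CC
            b1 = (0x80 if i == 0 else 0) | TELEPHONE_EVENT_PT  # marker on first
            hdr = struct.pack("!BBHII", b0, b1, seq, ts, ssrc)
            body = struct.pack("!BBH", event, (0x80 if end else 0) | 10, dur)
            packets.append(hdr + body)
            seq = (seq + 1) & 0xFFFF
        ts += 800                                        # next key press
    return packets


if __name__ == "__main__":
    capture = build_event_packets("4111111111111111#")  # well-known test PAN
    print(extract_dtmf(capture))  # 4111111111111111#
```

The dedupe on (SSRC, timestamp) is what keeps the six packets per key press from becoming six digits; a naive sniffer that counts every end packet would triple every digit. Voice packets (a different payload type) are ignored, which is why only the event stream needs to be parsed.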

If you attach a magnetic card swipe to your computer, the transaction is processed over an SSL (now TLS) connection, which is not the same as VoIP. SSL uses public-key cryptography: the server holds a key pair, a public key known to everyone and a private key known only to the recipient. The client uses the public key to authenticate the server and to establish a session key, and the card data is then encrypted for the rest of the session. The magnetic card reader can be used with many POS systems over a high-speed DSL, cable modem or T1 line.

Internet, ecommerce, and virtual terminal transactions all use SSL.

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a gateway. The gateway enables secure, real-time payment processing of credit card transactions; it is not the same as a credit card processor. Most people don't realize that gateways and ecommerce stores must pass specific information through to the credit card processor to qualify for better interchange rates. Most systems focus on fraud protection but do not necessarily pass through the data required to meet specific interchange requirements. Sometimes the store doesn't pass the data, and sometimes the gateway doesn't; it depends on each company's capabilities.

I'm not a tech expert, but in general the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.

13 thoughts on "VoIP for credit card processing voids PCI Compliance"

  1. Yes, some VOIP vendors do encrypt packets and paragraph 3 supports that, albeit in different wording. However, Visa & MasterCard officially state (as of December 2008) there is no acceptable VoIP solution that meets PCI Compliance requirements. It doesn’t matter what the VoIP host actually does, says it does, or how it does it. All that really matters is what Visa & MasterCard have deemed acceptable.

    Since all merchants must meet minimum PCI Compliance, there is no acceptable VoIP solution at this time.

  2. Can you please post the link to the page or document in which Visa and/or Mastercard state that no VOIP implementation can be PCI compliant? Thanks.

  3. In order to cut down on the expense of purchasing another land line exclusively for my OMNI 3200 credit card processing terminal, I want to use a VOIP system. The problem is that the OMNI only works on the old copper wire, and is thus analog. Is there a way to convert an analog signal into digital so that it can be used on the computer/VOIP? I'm confused. The representatives at the credit processing company I use seem clueless or apathetic, or at least not very creative!

  4. Regardless of whether it’s technically feasible, if you did convert it, as this article states, it would not meet Visa & MasterCard compliance requirements. You have alternatives.

    Do you need the terminal?
    If your customers are not present, ie the card is not present when you process the transaction, then you do not need the 3200 at all. With a Virtual Terminal, you need an internet connection only, no phone line, no hardware. Most of my clients get the virtual terminal FREE.

    Are your customers physically present for you to swipe? If the answer is yes, then you need to swipe. You can buy a magnetic card swipe with USB connection and hook it up to your terminal. This is a one time outlay of about $75 for the terminal, and again, you hook it up to your computer with USB. This assumes you have a computer with internet connection at the point of sale. This service is typically $18 per month but can vary depending on your business needs.

    I recommend Magtek card readers. I also recommend you spend the money on a new one to make sure it meets current security requirements since they don’t cost much.

    Those are the only two solutions I know that would enable you to remain PCI Compliant, since the 3200 on VoIP would null that.

  5. OK - I did a quick search to find the link and couldn't. However, this post was not done without research even though I can't put my fingers on the resource at the moment.

    So without finding the specific reference, here is further comment:
    – scenario: The merchant provider installs an approved PCI PED terminal onto a land line. The merchant is responsible for ensuring compliance. The merchant now switches to a VoIP application that was not there for the install. Maybe it's an encrypted solution, maybe not. Is the encryption now end-to-end? Who's liable in the event of a data loss? No answer needed as it's a rhetorical question. Does the merchant want to accept the potential liability?

    I don’t know any credit card processors that will knowingly allow anyone to connect to their network using VoIP. That doesn’t mean they are not out there. Everyone WILL reference you back to the PCI Security Standards Council as well as MasterCard & Visa association rules. Can you pass all the requirements using VoIP? If you can answer yes, and your processor will put you on their network, then go ahead.

    Related reference: IP-enabled POS terminal

  6. Final clarification on this topic. I believe when I wrote the article, the intent was to explain why you can't just plug your VoIP connection in to your credit card terminal, i.e. the type of VoIP connection most people are likely to have, who have encountered some problems with suppliers telling them about security problems. Thanks to all who provided input, here is the breakout of both types of VoIP issues you may be seeking answers to:

    PCI Compliant terminal with standard VoIP connection is non-compliant. There is no getting around this.

    PCI Compliant terminal with encrypted VoIP may be compliant if the connection meets requirements of all published Visa and MasterCard (and any other types of cards that you are going to swipe) data security rules, including encryption and firewalls. It must also meet the standards as outlined for your type of business at https://www.pcisecuritystandards.org/

  7. Your question could be interpreted different ways, so I’ll clarify the answer.
    If you are using a secure gateway or secure virtual terminal, then yes, the problem goes away.

  8. This post is so full of holes it's ridiculous. You talk about old copper lines. However, the phone company has employed digital technology to in effect do the exact same thing that VoIP does, only on an internal network. Any number of technical people, including employees and the like, could hack into that network. And while we are on the subject: if the packet is encrypted to 128-bit standards over a copper line, how does that encryption go away once it hits the VoIP lines? Does VoIP somehow magically decrypt it? We are still talking about a credit card machine (modem) creating a network on top of a network and then encrypting the data. There is no information on this post that says the encryption used on credit card terminals is using X encryption which can be cracked easily. This is just fluff and scare tactics. Give some hard evidence before presenting your case...

  9. @Right From Wells Fargo, Fall 2008: If you use Voice over Internet Protocol (VoIP) to transmit transactions over the Internet through your terminal, you should ensure that your VoIP solution is secure. You must use a Secure Socket Layer (SSL) IP converter to ensure that the Cardholder data transmission is safe. Currently, Wells Fargo Merchant Services is aware of three solutions that use an SSL IP converter. They are offered by:
    Precidia Technologies www.precidia.com, Systech Corporation http://www.systech.com, TechTrex USA Inc. http://www.techtrex.com

    From Visa VoIP Security Vulnerabilities

    From the FBI (addresses VOip security, not PCI ) Because of the inherent vulnerabilities (e.g. susceptibility to packet sniffing) when operating telephony across a packet network, VoIP systems incorporate an array of security features and protocols… In particular, firewalls designed for VoIP protocols are an essential component of a secure VoIP system. Criminal Justice Information Services (CJIS) Security Policy – FBI

    PCI Security Standards Council Information Supplement:
    Protecting Telephone-based Payment Card Data
    PCI Data Security Standard (PCI DSS) 2.0 March 2011. Clarification of the PCI DSS Guidelines for Voice Recordings
