Yesterday I had yet another call with a mega-retailer on safeguarding VoIP communications in the enterprise, per the PCI requirements.
The problem is this: if you did not encrypt your VoIP traffic (the voice streams, and the signaling that carries their keys) when you implemented the telecom system, some of that traffic contains credit card numbers spoken over the phone, and unless you segment the VoIP traffic off from the rest of the enterprise network, your entire corporate network is in scope for the PCI audit.
If a single general-purpose digital PBX supports the entire company's VoIP system, including hundreds of distributed retail outlets, it is very expensive and difficult to segment off the parts of the network that might carry credit card traffic, because any phone in any store can be the one a card number is read into. The same isn't true if the VoIP system serves a call center only, since then the normal network segmentation practices apply.
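As an added example (not code from the original post or from Gartner), here is a small Python check of the practical question behind the "encrypt it" route: does a given SIP/SDP offer actually negotiate encrypted media? It reads the m= line transport profile (RTP/AVP is plaintext RTP; RTP/SAVP and the UDP/TLS/RTP/SAVP family are SRTP) and the keying attributes (a=crypto for SDES, a=fingerprint for DTLS-SRTP), and it flags the caveat that SDES places the SRTP master key in the SDP itself, so it only protects the call if the SIP signaling carrying that SDP runs over TLS. The sample SDP bodies and the hypothetical function names are constructed for illustration; they are not captures from any real PBX.

```python
"""Check whether SIP/SDP offers negotiate encrypted media (SRTP).

Profiles and attributes used here come from the SDP / SRTP RFCs (4566, 3711,
4568, 5763). The sample offers below are constructed for illustration; they
are not captures from any real PBX.
"""
from dataclasses import dataclass
from typing import List

# m= line transport profiles that carry SRTP rather than plaintext RTP.
SECURE_PROFILES = {
    "RTP/SAVP", "RTP/SAVPF",                    # SRTP keyed via SDES (a=crypto)
    "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF",    # SRTP keyed via DTLS (a=fingerprint)
}


@dataclass
class MediaStream:
    kind: str      # "audio", "video", ...
    port: int      # 0 means the stream was rejected / disabled
    profile: str   # e.g. "RTP/AVP" or "RTP/SAVP"
    keying: str    # "sdes", "dtls" or "none"

    @property
    def encrypted(self) -> bool:
        # A secure profile with no key-exchange attribute cannot actually set up SRTP.
        return self.profile in SECURE_PROFILES and self.keying != "none"


def parse_sdp(sdp: str) -> List[MediaStream]:
    """Return one MediaStream per m= section, with its keying method."""
    streams: List[MediaStream] = []
    current = None
    session_level_dtls = False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3:          # malformed m= line: skip rather than guess
                continue
            current = MediaStream(parts[0], int(parts[1]), parts[2], "none")
            streams.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current.keying = "sdes"
        elif line.startswith("a=fingerprint:"):
            if current is None:         # session-level fingerprint applies to every m= section
                session_level_dtls = True
            else:
                current.keying = "dtls"
    if session_level_dtls:
        for s in streams:
            if s.keying == "none":
                s.keying = "dtls"
    return streams


def all_media_encrypted(sdp: str) -> bool:
    """True only if every active (port != 0) stream negotiates SRTP."""
    active = [s for s in parse_sdp(sdp) if s.port != 0]
    return bool(active) and all(s.encrypted for s in active)


def pci_media_findings(sdp: str, signaling_over_tls: bool) -> List[str]:
    """Findings an assessor would care about for one offer."""
    findings = []
    for s in parse_sdp(sdp):
        if s.port == 0:
            continue
        if not s.encrypted:
            findings.append(f"{s.kind}/{s.port}: profile {s.profile} sends media in the clear")
        elif s.keying == "sdes" and not signaling_over_tls:
            # SDES carries the SRTP master key inside the SDP, so plaintext SIP exposes it.
            findings.append(f"{s.kind}/{s.port}: SRTP keyed by SDES but SIP is not on TLS; key readable on the wire")
    return findings


# Constructed sample offers (illustrative, not real captures).
PLAINTEXT_OFFER = """v=0
o=- 1 1 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 96
"""

SDES_OFFER = """v=0
o=- 2 1 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 49172 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

DTLS_OFFER = """v=0
o=- 3 1 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
m=audio 49174 UDP/TLS/RTP/SAVPF 111
a=rtpmap:111 opus/48000/2
"""

if __name__ == "__main__":
    for name, offer in [("plaintext", PLAINTEXT_OFFER), ("sdes", SDES_OFFER), ("dtls", DTLS_OFFER)]:
        print(name, all_media_encrypted(offer), pci_media_findings(offer, signaling_over_tls=False))
```

Run against the SDP bodies pulled from your own INVITE/200 OK messages (or a pcap of a test call from a store phone to the call center) and you have a concrete answer to "is this traffic encrypted?" rather than a vendor's assurance. The point of the second check is that an RTP/SAVP offer is not enough on its own: with SDES keying, a plaintext SIP trunk hands the SRTP key to anyone on the path, which puts that path right back into the cardholder data environment.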
This retailer, who does have a general PBX system supporting the entire enterprise operation, had checked with some of their fellow retailers, and all were running into the same issue. I didn't have any solutions that I could pull out that were practical and proven.
If any of you have, please chime in.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.