Gartner Blog Network

PCI and VOIP – the impossible requirement

by Avivah Litan  |  March 6, 2013  |  3 Comments

Yesterday I had yet another call with a mega-retailer on safeguarding VOIP communications in the enterprise, per the PCI requirements.

The problem is, if you don’t encrypt your VOIP traffic when you implement the telecom system (so that your entire corporate network is not in scope of the PCI audit), you are left having to segment off the VOIP traffic in the enterprise since some of it contains credit card numbers spoken over the phone.

If a general digital PBX supports the entire company’s VOIP system, including hundreds of distributed retail outlets, it would be very expensive and difficult to segment off the use of the network for potential credit card traffic. The same isn’t true if it’s a call center VOIP system only, since then the normal network segmentation practices would apply.

This retailer, who does have a general PBX system supporting the entire enterprise operation, had checked with some of their fellow retailers, and all were running into the same issue. I didn’t have any solutions that I could pull out that were practical and proven.

If any of you have, please chime in.


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

Thoughts on PCI and VOIP – the impossible requirement

  1. Jason Murray says:

    As a practicing QSA I’ve seen this more than a handful of times now. There are no easy answers.

    Encrypting the traffic is only really going to help in the scenario that the VoIP system isn’t carrying CHD. If it does carry CHD then it’s in scope and you’re back to the problem of how to segment your VoIP network. We’ve explored the concept of a combination of isolation at the IP layer *and* at the call routing layer, but have yet to have a customer pull the trigger on that.

    I’m assuming that they have already isolated voice from data VLANs. If they haven’t, or if they want to use soft phones on their computers, that potentially brings a whole bunch of workstations into scope, something people are usually trying to avoid.

    Of course they could always stop taking CHD over the phone, but that is not always a palatable or possible business change.

  2. Avivah Litan says:

    Thanks for the verification. For some reason I thought encrypting the VOIP traffic was enough as a compensating control, but as you point out the VOIP network still has to be segmented.

    I’m left to wonder how QSAs then are dealing with this. Can you sign off on PCI compliance without addressing and solving the VOIP problem even if it’s not-solvable?

  3. I just want to inform everyone of a new web site called VoIP Spear ( to measure your QoS. It’s the Internet’s best and most accessible QoS testing service. It utilizes packet loss, latency, and jitter to calculate a MOS score between 1 (very poor quality) and 5 (excellent quality) for your Internet connection. VoIP Spear runs 24x7x365 so you can always have an idea of what your VoIP QoS is.

    VoIP Spear shows your QoS in easy-to-read charts. You can also have it send you email alerts when your quality drops too low.

    VoIP Spear is free for personal use.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.