As early as most of us can remember, telephones have represented the most classic conduits for communication. However, the advent of the Internet quickly paved the way for a sea-change of disruption, replacing phones with email, then instant messaging, and finally, VoIP. Although Voice over Internet Protocol has revolutionized digital transmissions across the globe within the past two decades, surprisingly little is known about its origin.
More importantly, using VoIP systems in a campus network can potentially place them in scope for PCI DSS, along with other ramifications. Follow the Arrow Payments team as we trace the origins of VoIP and outline PCI compliance implications for colleges, universities, and on-campus merchants who leverage VoIP for payments.
Traveling through space and time
In its simplest form, VoIP technology converts sound waves into digital “packets of data” and transmits them between IP addresses over the Internet. Initially exploited by the average Joe as a workaround to avoid paying long-distance fees, the potential was only realized once Skype hit the scene.
Besides for making computer voice calls free, Skype developed their own instant messaging feature and even enabled users to use their system to call landlines and cell phones for a small charge.
Communicating in uniform fashion
Once organizations realized that VoIP could host voice and data communications on the same network, they began to create “uniform communication bases”. Such bases could harbor everything from faxes and voicemail to web conferences, and allowed larger organizations to cut costs by taking advantage of existing network infrastructures.
Scoping for compliance
Even though unified communications were a boon for most, those transporting sensitive data quickly noticed its pitfalls. One of them being higher education institutions.
The PCI Security Standards Council confirmed the observation, issuing an FAQ response in 2012:
“PCI DSS requirements apply wherever account data is stored, processed, or transmitted. While PCI DSS does not explicitly reference the use of VoIP, VoIP traffic that contains cardholder data is in scope for applicable PCI DSS controls, in the same way that other IP network traffic containing cardholder data would be.”
To paraphrase, any on-campus merchant that operates on VoIP and takes phone calls where customers speak or key-enter their cardholder data is in scope for PCI DSS. Think about how your university solicits donations with a phonathon, or when the bursar’s office accepts payments for tuition. Additionally, if the system itself is part of the campus network, it exposes the entire system to scoping.
If that alone wasn’t enough, we also know that the presence of VoIP can instantly transform a SAQ-B merchant with just 41 controls into a SAQ-D merchant with over 331!
Boiling it down to basics
The immediate question that follows is, how can you secure VoIP at your college or university without disrupting day-to-day operations? Our answer is, let us do it for you.
Circling back to the concept of “packets of data”, those containing voice are sensitive to delay, also known as jitter. Some securitization techniques can slow down the flow of data, meaning that a robust VoIP architecture supported by hardware solutions is needed on campus.
Good news is, this is our “bread and butter”. We’ve worked with a number of campuses, including Northwestern University, to successfully reduce PCI scope and secure priceless cardholder data. Schedule a quick call with us to learn how we implement PCI-validated P2PE solutions to secure payments, ensure compliance, and maintain business operations here: