
On Wed, Oct 19, 2011 at 6:42 PM, Geoffrey Mina <gmina at connectfirst.com> wrote:
> That's the example scenario I'm working on. We are public internet to our ITSP. There are call center agents on our network taking CC info on the phone. They are claiming that for PCI 1 they can't use a service like ours.
The PCI glossary specifically identifies wireless networks as a "public network." (In the body, it specifically mentions GSM.) To extend PCI requirements to the communications link between merchant and customer, albeit an interesting idea, would suggest that the merchant should not accept a credit card # from a customer if the merchant knows the customer is on a GSM phone.

That said, because of the way PCI is written, I can see a customer's VoIP infrastructure coming within scope if they have no internal network segmentation. (PCI essentially says, if you don't segment the cardholder data from everything else, everything's in scope.) A simple VLAN might take care of this problem for them.

As an FYI, there are no "additional" PCI security requirements, per se, for a Level 1 merchant. Level 1 merchants have additional requirements in terms of "validation": they can't do a self-assessment questionnaire, and must instead hire an auditor, but the actual security rules are the same for everyone.

-jbn