FundSvcs Community

  • 1.  VOIP and IVR

    Posted 11-08-2023 01:53 PM

    Hello!

    We recently went through an internal audit to evaluate our adherence to PCI standards. We currently accept credit card donations over the phone (VoIP), and this was flagged during the audit. I'm wondering what others have done to avoid the acceptance of credit card data from donors over VoIP. Do you have a separate non-VoIP phone that can only be used for this? Do you have some sort of IVR solution? I would be very interested to hear which IVR vendors anyone is using.

    Thanks so much!

    Jen



    ------------------------------
    Jennifer Schillaci
    The University of Chicago
    jschillaci@uchicago.edu
    ------------------------------


  • 2.  RE: VOIP and IVR

    Posted 11-08-2023 02:02 PM
    Firewalls can protect internal VoIP activity - and as with the mail, you cannot control what the donor is using on their end. Do you have firewalls? If not, there's your solution. If you do, then was the audit more about what you do with the credit card information once it has been shared?

    Here's a useful article:



    John H. Taylor
    Principal
    John H. Taylor Consulting, LLC
    2604 Sevier St.
    Durham, NC   27705
    919.816.5903 (cell/text)

    Serving the Advancement Community Since 1987


  • 3.  RE: VOIP and IVR

    Posted 11-08-2023 02:09 PM
    I just found this FAQ on the subject on a Salesforce site:


    I read a few other pieces on the subject - most of which were more concerned about storing credit card information in the phone system, such as when allowing someone to leave a voicemail.

    John

    John H. Taylor
    Principal
    John H. Taylor Consulting, LLC
    2604 Sevier St.
    Durham, NC   27705
    919.816.5903 (cell/text)

    Serving the Advancement Community Since 1987


  • 4.  RE: VOIP and IVR

    Posted 11-09-2023 10:08 AM
    I would be a little surprised if your VOIP system was not behind a firewall already.  But if not, definitely do so if you want to continue this method of acceptance.

    PCI DSS 4.0 does not directly address VOIP issues; however, it is still in scope.

    Even with firewall protection, many organizations will move beyond local CC# acceptance via phone.

    CampusGuard did our external audit
    https://campusguard.com/post/pci-and-voip-do-not-pass-go/

    Dave Woodley
    Chief Data Officer
    Unlock * Share * Connect
    Office of Data Services
    University of Alaska Foundation
    907-786-1373
    make a gift! engage.alaska.edu
    Join us for Alaska: universityforalaska.com


  • 5.  RE: VOIP and IVR

    Posted 11-09-2023 12:13 PM
    The simplest solution, if it meets your requirements, is to descope your entire agent environment (the person answering the phone, their computer, and its network) from PCI by using PCI solutions for agent-assisted payments. Those solutions do two things: first, they hide relevant payment data from your agent - your agent can't hear the donor/payor speaking their CC information, or the tones used to punch in that information, and they can't see the numbers populate on their screen either. Second, they prevent any of that same information from entering your network and data systems.

    Not all IVR or similar systems work this way, so it's important to ensure that the solution truly will descope your environment. If you're relatively low-volume, this may not be worth the cost. On the flip side, securing your own system when using VOIP is pretty challenging in all but the simplest environments, so it might make more sense to discontinue accepting payments over the phone instead.


    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151
    isaac@sage70.com
