Processing Credit Card Payments Using Credit Card Terminals with VoIP / Digital Phone Lines Is Not PCI Compliant
Millions of people running small businesses, especially home-based businesses, also have VoIP (Voice over Internet Protocol) / Digital Phone Line service from their Internet Service Provider (ISP) in their homes and businesses. Many also use point-of-sale terminals that were originally made for old-fashioned phone lines, not digital lines. If you are a merchant and use a card processing terminal that connects via VoIP or digital phone lines to transmit and process credit card payments, then you are not PCI (Payment Card Industry) compliant; you are at risk of losing your credit card processing privileges, or you can be sued by customers whose data is stolen. Credit card data processed over VoIP services is transmitted in the clear over public networks (the Internet), and there is no way to encrypt the data.
An excellent article on this topic can be found at The Merchant Account Blog:
Note: Most VoIP providers do not utilize encryption
When these terminals are connected to a true analog phone line, the merchant is operating within PCI compliance. This is because it is very unlikely that data can be stolen over an old-fashioned telephone line while processing credit card payments. An attacker would have to tap into your home or business phone line to steal credit card data, and that is highly unlikely to happen, so this is rated as very low risk.
VoIP is very susceptible to man-in-the-middle attacks, in which an attacker, who could be anyone on the Internet, can eavesdrop on or alter the original message; in this case, capturing your customers' sensitive credit card information. Most credit card phone line processing terminals won't work over VoIP services because of dropped packets, but even failed attempts to process credit cards over VoIP could lead to an attacker stealing customer credit card data. See diagram below.
Man In The Middle Attack
Workaround To Be PCI Compliant
Many of these credit card terminals also have an Ethernet Port (RS232) and can easily process customer credit card payments via an encrypted connection over the Internet. You may need to contact your credit card processing provider to help you get it set up, usually at no additional cost! See picture below.
Another workaround is to switch to a Wireless Credit Card Terminal. Note that these terminals incur higher business expenses compared to a dial-up phone line terminal. These terminals use GPRS / cell phone technology, just like mobile phones do, to securely connect and encrypt the credit card transaction, which is PCI compliant. A wireless credit card processing terminal is great for businesses that sell goods or services on the road. See Wireless Credit Card Terminal below.
More Secure and Convenient Credit Card Processing Method
Wireless Credit Card Processing Terminal
19 Year Old Demonstrates VoIP Hacking - Scary Stuff!
Be careful out there!
Julius, MBA, CISSP, CISA