An excellent article on this topic can be found at The Merchant Account Blog:
Note: Most VoIP providers do not utilize encryption.
When these terminals are connected to a true analog phone line, the merchant is operating within PCI Compliance. This is because it is very unlikely that data can be stolen over an old-fashioned telephone line while processing credit card payments. An attacker would have to tap into your home or business phone line to steal credit card data, and that is highly unlikely to happen, so this is rated as very low risk.
VoIP is very susceptible to man-in-the-middle attacks, in which anyone on the internet can eavesdrop on or alter the originating message; in this case, capturing your customers' sensitive credit card information. Most credit card phone line processing terminals won't work over VoIP services because of dropped packets, but even failed attempts to process credit cards over VoIP could lead to an attacker stealing customer credit card data. See diagram below.
Many of these credit card terminals also have an Ethernet Port (RS232) and can easily process customer credit card payments via an encrypted connection over the internet. You may need to contact your credit card processing provider to help you get it set up, usually at no additional cost! See picture below.
Another workaround is to switch to a Wireless Credit Card Terminal. Note that these terminals incur higher business expenses compared to a dial-up phone line terminal. These terminals use GPRS/cell phone technology, just like mobile phones do, to securely connect and encrypt the credit card transaction, which is PCI compliant. A wireless credit card processing terminal is great for businesses that sell goods or services on the road. See Wireless Credit Card Terminal below.
Wireless Credit Card Processing Terminal
Be careful out there!
Julius, MBA, CISSP, CISA