What Is PCI Compliance, and Why Is It Essential for Cloud Phone Systems?

When choosing a cloud phone system, it's crucial to consider many factors during your decision-making process. Evaluating questions like "Does the VoIP service integrate with other software that my business uses (like Salesforce or Zendesk)?" and "Can my staff members who frequently travel for business still utilize this VoIP platform?" will help you make the best decision—and find the best fit—for your business.

One important factor that you should add to your list is: "Is this VoIP service PCI compliant?" PCI compliance can tell you a lot about a service provider beyond just ensuring that your credit card information is secure. We'll explain more in this blog post.

What Is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) was established in 2004 when the major credit card companies combined efforts to combat credit card fraud. PCI compliance requirements direct businesses on how to maintain a secure network, as well as how to store and transmit customers' credit card information when a card is used in a purchase transaction.

These requirements are specifically designed to promote card protection and security, and they address matters that range from network configuration to company policy. The standard is organized into twelve guidelines; examples include:

  • Installation and proper configuration of a firewall
  • Protection of credit card numbers and billing information through encryption, masking, truncation, and the like
  • Protection of the company's network and hardware by using up-to-date anti-virus software
  • Use of unique user IDs and strong passwords to restrict access to cardholder data
  • Consistent monitoring of company systems and software to uncover any new security vulnerabilities

Following the implementation of the PCI DSS, the major credit card companies founded the Payment Card Industry Security Standards Council (PCI SSC) to oversee and update the PCI standard on an ongoing basis.

The PCI standard promotes cardholder security and consumer privacy.

Surprisingly, U.S. federal law does not mandate that businesses comply with the PCI standard (though a few states have laws that deal with PCI compliance). However, when you sign contracts with the major credit card companies that allow you to accept their cards at your business, you also agree to observe their rules—and that includes following PCI requirements.

OnSIP: A PCI-Compliant Cloud Phone System

Depending on the size of the business and the individual card brands' rules, there are a variety of ways to become PCI compliant. Smaller businesses can, once a year, complete and submit a self-assessment questionnaire that details the company's infrastructure and security practices; SMBs must also perform quarterly scans of their network and submit the results. Larger businesses will need to be audited by a Qualified Security Assessor, an individual or entity that is certified by the PCI SSC.

OnSIP is proud to be certified as a PCI-compliant cloud phone system. In addition to conducting quarterly network scans and submitting a self-assessment questionnaire each year, we safeguard our customers' data by building, maintaining, and monitoring a secure network while meticulously following security best practices.

Why You Should Choose a VoIP Provider That Meets PCI Compliance Requirements

"PCI compliance" might not be near the top of your checklist, especially when compared to more pressing needs like specific features or a guaranteed uptime percentage. However, you should select a phone system that fulfills PCI security requirements for these reasons:

The Service Has a Secure Network and Implements Strong Security Practices

Much of the PCI standard is devoted to security: securing devices, securing data, and securing system passwords. For a VoIP provider to become PCI compliant, it must have policies and procedures in place that promote security throughout all levels of the organization.

Routers, servers, and other network infrastructure devices will be protected by strong passwords and have other access restrictions. Properly configured firewalls and anti-virus software will guard the entire network from hackers seeking to gain unauthorized access. And the provider will communicate its internal security policies to its employees and enforce those policies on a daily basis.

PCI-compliant cloud phone systems implement strong and secure passwords.

By selecting a PCI-compliant cloud phone system, you can be sure that the provider is doing everything it can to offer a secure business phone service.

The Service Actively Monitors for Potential Security Vulnerabilities and Other Critical Network Alerts

A cloud phone service that meets PCI requirements will also have automatic checks in place that monitor for security vulnerabilities and other critical alerts in its software. This 24/7 monitoring will help the service's IT team uncover and fix security weak points in the service.

Additionally, the monitoring software that the service deploys will alert the IT team to potential service-impacting events before they occur. These events could be a dangerously low level of memory on a particular server or the inability to contact a particular server. Once alerted, the provider's team can take immediate action to address the issue before it impacts customers.

Cloud phone providers will be alerted to important network events.

The Service Secures and Protects Your Credit Card and Billing Information

Finally, a cloud phone system that follows the PCI security standard will secure your credit card and other personal information. Storage and transmission of cardholder data will be protected through processes such as encryption and masking. And access to that data will be restricted to only those employees whose job responsibilities require access to it.

Opt for a Cloud Phone System That Guards Your Personal Info

When researching cloud phone systems for your business, ask each provider if they are PCI compliant. By knowing which providers are and which aren't, you can ensure that you choose a conscientious provider that respects your privacy and vigorously protects your personal information.
