When choosing a cloud phone system, it's crucial to consider many factors during your decision-making process. Evaluating questions like "Does the VoIP service integrate with other software that my business uses (like Salesforce or Zendesk)?" and "Can my staff members who frequently travel for business still utilize this VoIP platform?" will help you make the best decision—and find the best fit—for your business.
One important factor that you should add to your list is: "Is this VoIP service PCI compliant?" PCI compliance can tell you a lot about a service provider beyond just ensuring that your credit card information is secure. We'll explain more in this blog post.
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) was established in 2004 when the major credit card companies combined efforts to combat credit card fraud. PCI compliance requirements direct businesses on how to maintain a secure network, as well as how to store and transmit customers' credit card information when a card is used in a purchase transaction.
These requirements are specifically designed to promote card protection and security, and they address matters that range from network configuration to company policy. Presented in twelve guidelines, some examples include:
Following the implementation of the PCI DSS, the major credit card companies founded the Payment Card Industry Security Standards Council (PCI SSC) to oversee and update the PCI standard on an ongoing basis.
Surprisingly, U.S. federal law does not mandate that businesses comply with the PCI standard (though a few states have laws that deal with PCI compliance). However, when you sign contracts with major credit cards that allow you to accept their cards at your business, you also agree to observe their rules—and that includes following PCI requirements.
Depending on the size of the business and individual card rules, there are a variety of ways to become PCI compliant. Smaller businesses can, once a year, complete and submit a self-assessment questionnaire that details the company's infrastructure and security practices. SMBs must also perform quarterly scans of their network and submit the results. Larger businesses will need to be audited by a Qualified Security Assessor, an individual or entity that is certified by the PCI SSC.
"PCI compliance" might not be near the top of your checklist, especially when compared to more pressing needs like specific features or a guaranteed uptime percentage. However, you should select a phone system that fulfills PCI security requirements for these reasons:
Much of the PCI standard is devoted to security: securing devices, securing data, and securing system passwords. For a VoIP provider to become PCI compliant, they have to have policies and procedures in place that promote security throughout all levels of the organization.
Business VoIP routers, servers, and other network infrastructure devices will be protected by strong passwords and have other access restrictions. Properly configured firewalls and anti-virus software will guard the entire network from hackers seeking to gain unauthorized access. And the provider will communicate its internal security policies to its employees and enforce those policies on a daily basis.
By selecting a PCI-compliant cloud phone system, you can be sure that the provider is doing everything it can to offer a secure business phone service.
A cloud phone service that meets PCI requirements will also have automatic checks in place that monitor for security vulnerabilities and other critical alerts in its software. This 24/7 monitoring will help the service's IT team uncover and fix security weak points in the service.
Additionally, the monitoring software that the service deploys will also alert the IT team to potential service-impacting events before they occur. These events could be a dangerously low level of memory on a particular server or the inability to contact a particular server. Once alerted, the provider's team can take immediate action to address the issue(s) before it impacts customers.
Finally, a cloud phone system that follows the PCI security standard will secure your credit card and other personal information. Storage and transmission of cardholder data will be protected through processes such as encryption and masking. And access to that data will be restricted to only those employees whose job responsibilities require access to it.
When researching cloud phone systems for your business, ask each provider if they are PCI compliant. By knowing which providers are and which aren't, you can ensure that you choose a conscientious provider that respects your privacy and vigorously protects your personal information.