Is it possible to make FreePBX PCI compliant

We are looking to implement FreePBX in our call centre but before we make this decision I would like to know if it is possible to make FreePBX PCI compliant?
Any info on this topic will be greatly appreciated.

Payment Card Industry (PCI) compliance depends largely on what you are storing on the server, so the answer could be anything from “sure” to “Oh, hell no.”

As a general rule, there are no PCI data elements stored on the server, so it shouldn’t be an issue. Of course, when you implement the system, you could mess that up, so it really depends.

The system comes with a firewall built into the system and lives happily behind other firewall systems. Properly configured, the native system should meet the requirements of the PCI guidelines. The web interface and database access are limited to the local network and local host (respectively), and the integrated firewall provides additional safeguards in both of these areas.

The only “hole” in the system is SIP access, and then the challenge is whether or not you are using it in the datacenter or if you are allowing telecommuting.

A properly configured, well-managed server maintained in the local network is relatively easily PCI compliance capable. Hosted solutions and cloud computing systems would harder (since you don’t have as much control) but should still be relatively straightforward to set up and get sertified.

Hi Dave,
Thanks for the info, what about call recordings, can the credit card information be somehow blanked out or is there a way of setting up keypad payment option?


Call recordings are an interesting issue. There are several ways that you can handle this. The first, and most obvious, is to not allow call recording. That solves the problem from the outset. The way one of my customers handled that was to let the ‘front line’ CSRs handle everything but the PCI data and we record their calls for training, etc. When the time comes for Card Information to be handled, we transfer the call to a smaller workforce that handles the CC info. These servers are set up to not record anything except the fact that a call was transferred to the Credit Card handler.

Another method, which isn’t quite as PCI, but just about as secure, is to record the calls and then ship them off to a new server (once they’ve been converted to MP3) for long-term, write-only storage. This can be done through a hook in the “post call process script” settings, or can be done “in bulk” systematically throughout the day.

The problem with recording files is that they are going to capture all of the RTP traffic, which will include any codes or numbers transmitted by keypad from either the CSR or the customer. You have to be diligent about maintaining your recording storage if you are going to record calls.

There is an ability to pause recordings specifically for this

If you are looking for indemnification, it may be best to use a vendor. There are many good reasons to go with a company that has specialty built software and is aware of the details of the law.

If you were looking to do something yourself, look at this:

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.