Zoom Phone & PCI

What is PCI?

PCI refers to the Payment Card Industry standards, which all merchants must comply with when conducting payment card transactions. The PCI standards provide guidelines for conducting transactions in many different circumstances, including practices merchants must follow when receiving payment card information by telephone. At U-M, the Treasurer’s Office manages credit card processing and PCI compliance for the university.

Is Zoom Phone PCI Compliant?

With limits, the U-M Treasurer has approved Zoom Phone as a means U-M merchants can use to receive cardholder data from customers.

Zoom Phone may be used to receive cardholder data at U-M under these conditions:

  • A physical deskset must be used. The “soft phone” implementation of Zoom Phone, by which one makes phone calls using an app running on a device, may not be used.
  • The physical deskset must be set up as a “common-area” phone, which means the number is not associated with one particular user’s identity.
  • The common-area phone must have the following features disabled by ITS when the phone is installed: call recording, call forwarding, and voicemail.

How can my department arrange for a Zoom Phone that can be used to receive cardholder data?

Departments may use the Service Request System (SRS) to order all types of telephone service, including common-area phones suited for PCI use. An installation option is being developed specifically for PCI-ready phones. Until that option is developed, you can specify your needs in a note in the ordering section, or reach the ITS telephone staff for assistance at [email protected].

Can I connect a Zoom deskset from home?

A Zoom common-area deskset can generally be connected to other networks, including from a staff member’s home working location. The phone must be connected to a hardwired Ethernet jack; in some home environments, connecting it may instead require installing a WiFi adapter, which is a device that provides wireless connectivity through a USB port on the phone.

Do I need a separate phone for home and for office?

Yes. The common-area deskset described above cannot be relocated between home and office locations; it must remain static in the location associated with it for 911 emergency purposes. Depending on workflow needs, a second deskset must be ordered in situations where a U-M merchant takes cardholder data over the phone from home. Departments planning for staff needs may consult with the ITS telephone staff for assistance at [email protected].

Can cardholder data be taken by call center staff?

If using Zoom Phone, a common-area deskset as described above must be used in any circumstance where a U-M merchant takes cardholder data over the phone. Some U-M call centers use Zoom Queue as their back end; a common-area phone can be served by Zoom Queue.

What if I need a phone with regular Zoom Phone features like call forwarding and voicemail?

A common-area deskset as described above must be used in any circumstance where a U-M merchant takes cardholder data over the phone. Workflows vary greatly between campus merchants. In some circumstances it may be necessary to provide a deskset exclusively for accepting credit card information, while staff use fully featured telephones for regular tasks.

What are the alternatives to taking cardholder data by phone?

The U-M Treasurer’s Office manages credit card processing and PCI compliance for the university, and can advise campus merchants on acceptable options.

Where can I find more information?

 

Last Updated: Sunday, March 10, 2024