What is PCI?
PCI refers to the Payment Card Industry standards, which all merchants must comply with when conducting payment card transactions. The standards provide guidelines for conducting transactions in many different circumstances, including the practices merchants must follow when receiving payment card information by telephone. At WSU, Treasury Services manages credit card processing and PCI compliance for the university.
WSU PCI & Merchant Services Policies
- Payment Card Data Security Compliance - BPPM 30.61
- Credit or Debit Card Acceptance - BPPM 30.62
Is Zoom Phone PCI Compliant?
Zoom Phone may be used to receive cardholder data at WSU under specific, secure configurations. To ensure compliance, the line used for taking payments must be isolated and have high-risk features disabled. Any device used for taking payments must be a physical desk phone, as the soft phone client (desktop or mobile app) is not compliant for this use.
ITS provides two primary, compliant setups:
Option 1: Secondary Secure Line on a Physical Phone (Recommended)
This method adds a second line (via a Call Queue or Shared Line Group) directly to a user's existing physical desk phone.
This allows a user to use their primary WSU number for regular business (with voicemail, call forwarding, etc.) and a separate, dedicated line for taking credit card payments, all from the same physical device. This avoids the need for a second physical handset on the desk.
Conditions for this line:
- The line must be accessed on a physical Zoom Phone desk phone. Using the soft phone client (desktop or mobile app) to access this line is not PCI compliant.
- The line must be configured by ITS as part of a secure Call Queue or Shared Line Group.
- The following features must be disabled by ITS on this secure line: Call Recording, Voicemail, and Call Forwarding.
Option 2: Dedicated Common Area Phone
This method uses a separate, physical desk phone that is not associated with one particular user’s identity.
Conditions for this phone:
- A physical desk phone must be used.
- The common-area phone must have the following features disabled by ITS when the phone is installed: call recording, call forwarding, and voicemail.
How can my department arrange for a Zoom Phone that can be used to receive cardholder data?
Departments may use a WSU Zoom Request Form to order common-area phones suited for PCI use.
How to Use the Secondary Secure Line for Payments
When you need to take a credit card payment, you must ensure the call is on your dedicated second PCI line.
- If you receive a call on your primary line, you must transfer the call to your secure secondary line before taking any payment information.
- If you are making an outbound call, ensure you select the secure secondary line to place the call.
- Do not use your primary/normal line to process payments.
⚠️ Important: If your primary line is accidentally used to take credit card information, you must immediately contact your ATO (Area Technology Officer) and the WSU Zoom Service Desk. This is critical so measures can be taken to remediate any potential PCI data exposure.
Can I connect a Zoom desk phone from home?
Yes. In both compliant scenarios, a physical desk phone is required. A Zoom desk phone can generally be connected to other networks, including from a staff member’s home working location. The phone must be connected to a hardwired Ethernet jack; in some home environments, connecting it may instead require installing a Wi-Fi adapter, a device that provides wireless connectivity through a USB port on the phone.
Do I need a separate phone for home and for office?
Yes, if you take payments from both locations.
Whether you use Option 1 (Secondary Line) or Option 2 (Common Area Phone), the physical desk phone used for PCI compliance cannot be relocated between home and office; it must remain static for 911 emergency purposes.
If you need to take payments from both home and the office, a separate, appropriately configured physical desk phone must be ordered for each location.
Can cardholder data be taken by call center staff (Zoom Contact Center)?
Yes. Call center staff must use a physical desk phone to take payments. The Secondary Secure Line (Option 1) is an excellent solution, as a secure line can be added to their existing physical phone, allowing them to take payments securely without needing a second device on their desk.
What if I need a phone with regular Zoom Phone features like call forwarding and voicemail?
This is the primary advantage of the Secondary Secure Line (Option 1) setup.
Your primary, personal WSU phone line on your physical desk phone remains fully featured (voicemail, call forwarding, call history, etc.). The secure payment line is simply a second line on that same device that has these features disabled for compliance. This avoids the clutter of needing two separate physical phones on your desk.
What are the alternatives to taking cardholder data by phone?
WSU Treasury Services manages credit card processing and PCI compliance for the university and can advise campus merchants on acceptable options.
Where can I find more information?
- WSU Payment Card Data Security Compliance: BPPM 30.61
- WSU Credit or Debit Card Acceptance: BPPM 30.62
- Consult with WSU Treasury Services. Resources are available at https://treasury.wsu.edu/
Need Help? You can submit a ticket from our Jira service desk: WSU Zoom Service Desk