I just read this and thought it would make a good discussion. Relevant portions quoted from »www.pcisecuritystandards.org/doc···data.pdf. Note that the internet is considered a "public network".
Call centers will need to ensure that transmission of cardholder data across public networks is encrypted. This is part of PCI DSS Requirement 4 and includes:
Using strong encryption protocols such as Secure Sockets Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:
Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used.
I've never encrypted VoIP traffic as I thought the overhead would come with more disadvantages than advantages. I can't think of a way to intercept a VoIP call without compromising either the service provider's system, or the customer's system. If I have access to either of those, encryption is pretty much irrelevant because I could just turn it off.
Even if I did encrypt my VoIP traffic, I have no way of knowing if my service provider encrypts communications between them and the carrier, which is probably over the internet. If I were particularly concerned about security, I would rather have my VoIP equipment behind a firewall, change all default passwords to strong ones, not allow untrusted devices on my local network, and make sure my equipment is physically secure.
Does anyone here regularly work with encryption for VoIP, or has your VoIP system gone through PCI validation?
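As an added example, not part of the original post or of the PCI document it quotes: the quoted requirement names TLS for the signalling and "strong cryptography" for the VoIP stream, and the question of whether a provider actually does that can be answered from a capture of the SIP INVITE. The script below parses one and reports two things: what transport the top Via header says the signalling travelled over (TLS or not), and whether each m= line in the SDP negotiates SRTP (RTP/SAVP with an a=crypto line) or plaintext RTP/AVP. Both INVITE messages are constructed for this example, and the set of cipher suites it accepts is this example's own choice, not a list taken from PCI DSS.

```python
"""Audit a captured SIP INVITE for the two things PCI DSS Requirement 4
asks of a VoIP link: encrypted signalling (SIP over TLS) and encrypted
media (SRTP rather than plain RTP).  Input is the raw SIP message text.
The sample messages at the bottom are constructed for this example."""

import re

# SDP media profiles whose payloads are SRTP (RFC 3711 / RFC 5764).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# SDES suites this example treats as strong (assumption: the example's own
# policy, chosen from RFC 4568, RFC 6188 and RFC 7714; not a PCI list).
ACCEPTED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_80",
                   "AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}


def split_sip(message: str):
    """Split a SIP message into (start line, header dict, SDP body)."""
    message = message.replace("\r\n", "\n")
    head, _, body = message.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def signalling_transport(headers: dict) -> str:
    """Transport the request arrived over, read from the top Via header."""
    via = headers.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)", via)
    return m.group(1).upper() if m else "UNKNOWN"


def media_streams(body: str):
    """Return one dict per m= line: media type, profile and SDES suite (if any)."""
    streams, current = [], None
    for line in body.split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            current = {"media": fields[0], "profile": fields[2], "suite": None}
            streams.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            # a=crypto:<tag> <suite> inline:<key> ...   (RFC 4568)
            current["suite"] = line.split()[1]
    return streams


def audit_invite(message: str) -> dict:
    """Return transport, streams and a list of findings; compliant == no findings."""
    start, headers, body = split_sip(message)
    transport = signalling_transport(headers)
    request_uri = start.split()[1]
    findings = []
    if transport not in ("TLS", "WSS"):
        findings.append(f"signalling over {transport}: headers and SDP readable on the path")
    if request_uri.lower().startswith("sips:") and transport != "TLS":
        findings.append("sips: Request-URI but top Via is not TLS (RFC 3261 19.1)")
    streams = media_streams(body)
    for s in streams:
        if s["profile"] not in SECURE_PROFILES:
            findings.append(f"{s['media']} stream uses {s['profile']}: plaintext media")
            continue
        if s["suite"] is None:
            findings.append(f"{s['media']} SRTP offered without a key exchange")
        elif s["suite"] not in ACCEPTED_SUITES:
            findings.append(f"{s['media']} uses unaccepted suite {s['suite']}")
        elif transport != "TLS":
            # SDES keys ride inside the SDP; without TLS anyone on the path has them.
            findings.append(f"{s['media']} SRTP key sent in cleartext SDP")
    return {"transport": transport, "streams": streams,
            "findings": findings, "compliant": not findings}


# Constructed sample: typical unencrypted SIP-over-UDP call with plain RTP.
PLAIN_INVITE = """INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: <sip:alice@example.com>;tag=1928301774
To: <sip:bob@example.com>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

# Constructed sample: SIP over TLS with SRTP keyed via SDES (key value is made up).
SECURE_INVITE = """INVITE sips:bob@example.com SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds
From: <sips:alice@example.com>;tag=1928301774
To: <sips:bob@example.com>
Call-ID: a84b4c76e66711
CSeq: 314160 INVITE
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        result = audit_invite(msg)
        print(name, "compliant" if result["compliant"] else "findings:", result["findings"])
```

Feed it the INVITE from a packet capture taken on the provider-facing side of the firewall; that is the hop the original poster says they cannot see into, and a Via of `SIP/2.0/UDP` or an `m=audio ... RTP/AVP` line there answers the question without needing anything from the provider.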