dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
624
share rss forum feed

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:13
Reviews:
·AcroVoice
·Callcentric
·Anveo
·Shaw

1 edit

VoIP and PCI Compliance

I just read this and thought it would make a good discussion. Relevant portions quoted from »www.pcisecuritystandards.org/doc···data.pdf. Note that the internet is considered a "public network".

Call centers will need to ensure that transmission of cardholder data across public networks is encrypted. This is part of PCI DSS Requirement 4 and includes:

Using strong encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:

Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used.

 
I've never encrypted VoIP traffic as I thought the overhead would come with more disadvantages than advantages. I can't think of a way to intercept a VoIP call without compromising either the service provider's system, or the customer's system. If I have access to either of those, encryption is pretty much irrelevant because I could just turn it off.

Even if I did encrypt my VoIP traffic, I have no way of knowing if my service provider encrypts communications between them and the carrier, which is probably over the internet. If I were particularly concerned about security, I would rather have my VoIP equipment behind a firewall, change all default passwords to strong ones, not allow untrusted devices on my local network, and make sure my equipment is physically secure.

Does anyone here regularly work with encryption for VoIP, or has your VoIP system gone through PCI validation?

thebig

join:2002-11-18
Hamilton, ON

1 recommendation

The way I read it they use the word "should" meaning not fully required. They way I understand it, it's not so much your phone line that needs to be encrypted as that data is never at rest. It's the audio recording that the call center would be doing, since that data will be at rest it must be encrypted. If you can show your 100% compliant in all other ways you should pass your audit with ease, but you should really speak with the auditor.

This guys has a decent read and some good tips. »pciguru.wordpress.com/2011/06/07···pliance/