[Freeswitch-users] PCI Compliance Over Telephone for Credit Cards- how?

Saugort Dario Garcia Tovar dgarcia at anew.com.ve
Mon Dec 19 15:54:24 MSK 2011


Hi,

Your question is quite difficult to answer because it depends on your 
country's laws.

About the public network, I think you are concerned about TDM service 
(PSTN). Well, as always, some things are not considered by the people 
who make the laws.

Well, in my country customers are encouraged to deploy cross-systems. 
For example, the PIN number is set over the internet (where you can 
implement all the encryption available). By phone over TDM there is no 
encryption (and over VoIP you have to implement SIPS and SRTP, TLS at 
least), then a very strong set of questions/answers to do a positive 
verification of the caller.

Of course, where you have to put encryption and security is inside 
your systems, and deploy a good control system to control and manage 
your sensitive data.

Take a look at these links:
http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:voip:tls_sips_rtps

and

http://www.vadese.org/files/upload/Best_practices_VoIP_en_v20.pdf

I hope this helps


On 12/19/2011 7:22 AM, Avi Marcus wrote:
> I'm planning on an IVR to accept credit card information for signing 
> up and renewal of my services.
> Regarding fraud, I'm going to require at minimum a recording of name, 
> who they are, or something or an actual live call.
>
> But for PCI compliance.. this says 
> https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf on 
> page 9:
>
>     Call centers will need to ensure that transmission of cardholder
>     data across public networks is encrypted.
>     This is part of PCI DSS Requirement 4 and includes:
>
>       * ...
>
>       * *Voice or data streams over Voice over IP (VoIP) telephone
>         systems, whenever sent over an open or public network. Note
>         that only those consumer or enterprise VoIP systems that
>         provide strong cryptography should be used. *
>
>       * Requiring agents to use analog telephone lines when a VoIP
>         telephone system does not provide strong cryptography.
>
> I'm doing DTMF, not voice, but I can't imagine that's LESS strict.
>
> I haven't really heard of any end-to-end encrypted origination lines. 
> Is this guideline ignored? How do people deal with this? Does someone 
> have T1 lines and offers encryption for origination...?
>
> -Avi Marcus


-- 
Sincerely,
*Dario García*
Consultant.

CCCT, Nivel C2, Sector Yarey, Mz,
Ofc. MZ03a.
Caracas-Venezuela.
Telephone: +58 212 9081842
Mobile: +58 412 2221515
dgarcia at anew.com.ve
http://www.anew.com.ve
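
Added example, not part of the original thread and not FreeSWITCH code: a small Python audit of one VoIP call leg for the "SIPS and SRTP, TLS at least" point above, showing which path exposes DTMF card digits. The function name, the `example.test` URIs and both SDP bodies are constructed for illustration.

```python
# Constructed SDP bodies for illustration (not captured traffic).
SDP_PLAIN = (
    "v=0\r\nm=audio 20000 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\n"
)
SDP_SRTP = (
    "v=0\r\nm=audio 20000 RTP/SAVP 0 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
    "a=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\n"
)
# SAVP/SAVPF carry SDES-keyed SRTP; the UDP/TLS variants are DTLS-SRTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_call_leg(request_uri, transport, sdp):
    """Return findings for one call leg; an empty list means no gap was found."""
    findings = []
    if transport.upper() != "TLS":
        # Without TLS, DTMF sent as SIP INFO and the SDES key in a=crypto
        # are both visible to anyone on the signaling path.
        findings.append("signaling is not TLS: SIP INFO digits and SDES keys are readable")
    elif not request_uri.lower().startswith("sips:"):
        # TLS protects this hop; only a sips: URI requires it on later hops.
        findings.append("sip: URI over TLS: later hops are not required to use TLS")

    lines = sdp.splitlines()
    audio = [line.split() for line in lines if line.startswith("m=audio ")]
    if not audio:
        findings.append("no audio stream in SDP")
    for fields in audio:
        profile = fields[2] if len(fields) > 2 else "?"
        if profile not in SECURE_PROFILES:
            # In-band tones and RFC 4733 telephone-event both ride in RTP.
            findings.append(f"media profile {profile} is plain RTP: DTMF digits are readable")
        elif profile.startswith("RTP/") and not any(
            line.startswith("a=crypto:") for line in lines
        ):
            findings.append("SAVP offered without an a=crypto key line")
    return findings


if __name__ == "__main__":
    for uri, transport, sdp in [
        ("sip:ivr@example.test", "UDP", SDP_PLAIN),
        ("sip:ivr@example.test", "UDP", SDP_SRTP),
        ("sips:ivr@example.test", "TLS", SDP_SRTP),
    ]:
        print(uri, transport, audit_call_leg(uri, transport, sdp) or "ok")
```

The second case is the one that is easy to miss: SRTP keyed through SDP over unencrypted signaling exposes the media key, so the media encryption adds nothing against someone who can read the SIP messages.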