[Freeswitch-users] PCI Compliance Over Telephone for Credit Cards- how?

Saugort Dario Garcia Tovar dgarcia at anew.com.ve
Mon Dec 19 23:04:23 MSK 2011


Avi,

You do not have many options.

First, tell us about your architecture.

Second, about TDM: there are some options, but that is when you use T1/E1
to transmit data; for voice, perhaps, the only option is no encryption.
For voice, as with mobile and fixed phones, the technology used does not
offer a way to do it. Mechanisms exist to use tunneling and some security
between sites when a private link between premises is used, but that is
basically using T1/E1 data to transport voice, and it depends on the
equipment and providers.

Third, if you have a VoIP provider, there are some options, as mentioned
before: TLS, SRTP and SIPS.

Fourth, you have to worry once you have the call under your control,
"surfing" in your IVR, and start to manage sensitive data (PIN, account
numbers, logins, passwords, etc.). How do you encrypt/decrypt them for as
long as the call exists? You need to use the sensitive data with other
systems inside and outside of your organization.



On 12/19/2011 3:04 PM, Avi Marcus wrote:
> Encrypting yourself only helps if you have a T1/BRI whatever private 
> link to the telco. I don't.. what are my options?
> -Avi
>
> On Mon, Dec 19, 2011 at 9:28 PM, Elliott Vogel <elliott at zoogmedia.com> wrote:
>
>     I haven’t seen a company yet and I have searched – none of the big
>     origination providers do and many of the smaller ones use the big
>     providers – we are forced to do our own encoding
>
>     *From:* freeswitch-users-bounces at lists.freeswitch.org
>     *On Behalf Of* Avi Marcus
>     *Sent:* Monday, December 19, 2011 12:03 PM
>     *To:* FreeSWITCH Users Help
>     *Subject:* Re: [Freeswitch-users] PCI Compliance Over Telephone
>     for Credit Cards- how?
>
>     So is there a provider for USA who takes T1 and encrypts it, so I
>     can buy origination from them?
>
>
>     -Avi
>
>     On Mon, Dec 19, 2011 at 7:39 PM, Elliott Vogel
>     <elliott at zoogmedia.com> wrote:
>
>     Well, I have worked a lot with PCI compliance in the past and I
>     don’t think you can meet the requirements of encryption if you’re
>     not doing encoding yourself because most VoIP service providers
>     aren’t encrypting the calls.  Also DTMF has the same
>     requirements, and for T1 not being encrypted this is true but
>     because the network is considered secured(funny)/private it
>     doesn’t need to be – now if you would encapsulate T1 traffic to
>     send it over the internet without encrypting it this would be
>     unsecured.
>
>     *From:* freeswitch-users-bounces at lists.freeswitch.org
>     *On Behalf Of* Avi Marcus
>     *Sent:* Monday, December 19, 2011 5:52 AM
>     *To:* FreeSWITCH Users Help
>     *Subject:* [Freeswitch-users] PCI Compliance Over Telephone for
>     Credit Cards- how?
>
>     I'm planning on an IVR to accept credit card information for
>     signing up and renewal of my services.
>
>     Regarding fraud, I'm going to require at minimum a recording of
>     name, who they are, or something or an actual live call.
>
>     But for PCI compliance.. this says
>     https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf on
>     page 9:
>
>         Call centers will need to ensure that transmission of
>         cardholder data across public networks is encrypted.
>         This is part of PCI DSS Requirement 4 and includes:
>
>           * ...
>
>           * *Voice or data streams over Voice over IP (VoIP) telephone
>             systems, whenever sent over an open or public network.
>             Note that only those consumer or enterprise VoIP systems
>             that provide strong cryptography should be used. *
>
>           * Requiring agents to use analog telephone lines when a VoIP
>             telephone system does not provide strong cryptography.
>
>     I'm doing dtmf, not voice, but I can't imagine that's LESS strict.
>
>     I haven't really heard of any end-to-end encrypted origination
>     lines. Is this guideline ignored? How do people deal with this?
>     Does someone have T1 lines and offers encryption for origination...?
>
>
>     -Avi Marcus
>
>
>     _________________________________________________________________________
>     Professional FreeSWITCH Consulting Services:
>     consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>     http://www.freeswitchsolutions.com
>
>     
>     
>
>     Official FreeSWITCH Sites
>     http://www.freeswitch.org
>     http://wiki.freeswitch.org
>     http://www.cluecon.com
>
>     FreeSWITCH-users mailing list
>     FreeSWITCH-users at lists.freeswitch.org
>     <mailto:FreeSWITCH-users at lists.freeswitch.org>
>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>     UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>     http://www.freeswitch.org
>


-- 
Atentamente,
*Dario García*
Consultor.

CCCT, Nivel C2, Sector Yarey, Mz,
Ofc. MZ03a.
Caracas-Venezuela.
Teléfono: +58 212 9081842
Cel: +58 412 2221515
dgarcia at anew.com.ve
http://www.anew.com.ve