<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Just curious what other companies using FreeSWITCH and taking credit
    cards over the phone are doing? There is no way you can be PCI
    compliant if you store the logs or CDRs, encrypted or not, if they
    contain the CVV2. Same goes for call recording. And iirc you can't
    use a regular VoIP line for credit cards (you have to use encrypted
    lines if it's VoIP).<br>
    <br>
    On 5/30/2012 5:25 PM, Avi Marcus wrote:
    <blockquote
cite="mid:CALNZuwkgYayNDfAtn94-e+oJsgmxS0SWABXzsHxHqwPYpYYaXw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Mostly credit cards.. and anything you do with it,
        e.g. submit it via https to <a moz-do-not-send="true"
          href="http://authorize.net">authorize.net</a>, stripe, etc
        where then you don't need the actual number anymore.
        <div>So both the DTMF entry and the curl debug line. I can't
          think of anything else in particular.</div>
        <div><br clear="all">
          <div dir="ltr"><span
              style="font-family:Verdana,Arial,Helvetica,sans-serif"><span
                style="font-size:small">-Avi</span></span></div>
          <br>
          <div class="gmail_quote">On Wed, May 30, 2012 at 11:35 PM,
            Michael Collins <span dir="ltr">&lt;<a
                moz-do-not-send="true" href="mailto:msc@freeswitch.org"
                target="_blank">msc@freeswitch.org</a>&gt;</span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">Avi,<br>
              <br>
              Can you think of any other places where the FS logging in
              general might contain sensitive data? Reason I ask is that
              maybe we could create something like "pcidss=true" and
              then use that as a flag to disable logging anything that
              might be considered sensitive. Just a thought.<span
                class="HOEnZb"><font color="#888888"><br>
                  <br>
                  -MC</font></span>
              <div class="HOEnZb">
                <div class="h5"><br>
                  <br>
                  <div class="gmail_quote">On Wed, May 30, 2012 at 1:29
                    PM, Avi Marcus <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:avi@avimarcus.net" target="_blank">avi@avimarcus.net</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div class="gmail_quote">
                          <div>On Wed, May 30, 2012 at 11:18 PM, Michael
                            Collins <span dir="ltr">&lt;<a
                                moz-do-not-send="true"
                                href="mailto:msc@freeswitch.org"
                                target="_blank">msc@freeswitch.org</a>&gt;</span>
                            wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              How are you protecting everything else? If
                              the XML CDR is sent over HTTP instead of
                              HTTPS then everything about the call is
                              plain text.</blockquote>
                          </div>
                          <div>As far as I know, the only thing
                            sensitive in the xml_cdr is digits_dialed.</div>
                          <div>
                            <div> </div>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">And what
                              about the FS logs? Are you encrypting
                              those somehow? It seems to me that you
                              need a more comprehensive solution than
                              just scrubbing a single channel variable.
                              <br>
                            </blockquote>
                          </div>
                          <div>No, I'm not encrypting them.. because
                            there wouldn't be anything sensitive. As far
                            as I can tell, the only issue is the DTMF in
                            DEBUG and the curl post message, again in
                            DEBUG. </div>
                          <div>
                            Since this is a lua IVR it seems nearly
                            nothing else makes it into the log.
                            Only api:execute("curl",...) is in the log
                            because it's not a native direct curl
                            command (like session:playandgetdigits())</div>
                          <div>
                            <div> </div>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">However, if
                              you need an interim solution I would
                              suggest commenting out the line that sets
                              digits_dialed:<br>
                              <a moz-do-not-send="true"
href="http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_channel.c?r=HEAD#to3912"
                                target="_blank">http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_channel.c?r=HEAD#to3912</a><br>
                              <br>
                              A more permanent solution might be to
                              create a channel variable that controls
                              whether stuff like this gets logged.
                              Something like "no_dtmf_logging=true" or
                              whatever. That's a bit more involved
                              because you have to decide if there are
                              other places where DTMF info gets logged
                              and if so, decide whether or not you want
                              not to log them. <br>
                            </blockquote>
                          </div>
                          <div>That's an interesting idea... it might be
                            more encompassing to have a loglevel=X
                            channel variable instead that affects the
                            logging for that channel. But this is
                            probably overkill...</div>
                          <div>
                            <div>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                <br>
                                What would be the ideal solution for
                                your scenario? That answer might yield
                                the best course of action.<span><font
                                    color="#888888"><br>
                                    -MC</font></span>
                                <div>
                                  <div><br>
                                    <br>
                                    <div class="gmail_quote">
                                      On Wed, May 30, 2012 at 11:20 AM,
                                      Avi Marcus <span dir="ltr">&lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:avi@avimarcus.net"
                                          target="_blank">avi@avimarcus.net</a>&gt;</span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div dir="ltr">The PCI-DSS
                                          (Payment Card Industry Data
                                          Security Standard) requires
                                          encryption, not merely
                                          permission restriction, for
                                          sensitive data. Hence I'm
                                          looking at the DTMF logging
                                          which can probably be easily
                                          re-patterned back into the
                                          digits, the curl POST which
                                          also shows everything in the
                                          log, the dialed_digits in a
                                          standard xml_cdr.. 
                                          <div>
                                            Otherwise, afaik, lua won't
                                            log things unless you
                                            explicitly tell it to.</div>
                                          <div><br>
                                          </div>
                                          <div>Any suggestions other
                                            than setting the entire
                                            switch to fsctl loglevel 6
                                            and not storing the xml_cdrs
                                            in their raw form?</div>
                                          <div><br clear="all">
                                            <div dir="ltr"><span
                                                style="font-family:Verdana,Arial,Helvetica,sans-serif"><span
style="font-size:small">-Avi</span></span></div>
                                            <br>
                                            <div class="gmail_quote">On
                                              Wed, May 30, 2012 at 8:11
                                              PM, Michael Collins <span
                                                dir="ltr">&lt;<a
                                                  moz-do-not-send="true"
href="mailto:msc@freeswitch.org" target="_blank">msc@freeswitch.org</a>&gt;</span>
                                              wrote:<br>
                                              <blockquote
                                                class="gmail_quote"
                                                style="margin:0 0 0
                                                .8ex;border-left:1px
                                                #ccc
                                                solid;padding-left:1ex">If
                                                it's a compliance issue
                                                then I'd triple-check to
                                                make sure that no one
                                                unauthorized can get to
                                                any of your FS logs or
                                                CDR data. I suspect that
                                                logging vs. not logging
                                                dialed_digits is not a
                                                make-or-break
                                                proposition. If you're
                                                doing xml_cdrs then
                                                you've probably got that
                                                same data in other log
                                                lines.<span><font
                                                    color="#888888"><br>
                                                    <br>
                                                    -MC</font></span>
                                                <div>
                                                  <div><br>
                                                    <br>
                                                    <div
                                                      class="gmail_quote">On
                                                      Wed, May 30, 2012
                                                      at 9:08 AM,
                                                      Patrick Lists <span
                                                        dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:freeswitch-list@puzzled.xs4all.nl"
                                                          target="_blank">freeswitch-list@puzzled.xs4all.nl</a>&gt;</span>
                                                      wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0
                                                        0 0
                                                        .8ex;border-left:1px
                                                        #ccc
                                                        solid;padding-left:1ex">On
                                                        30-05-12 17:48,
                                                        Michael Collins
                                                        wrote:<br>
                                                        &gt;     And..
                                                        similarly is
                                                        there a way to
                                                        blank out the
                                                        var
                                                        digits_dialed in<br>
                                                        &gt;     the
                                                        xml_cdr, from
                                                        within FS,
                                                        before the end
                                                        of the call?<br>
                                                        &gt;<br>
                                                        &gt; Why do you
                                                        need to clear it
                                                        out? What
                                                        information does
                                                        it collect that<br>
                                                        &gt; you don't
                                                        need?<br>
                                                        <br>
                                                        Since it's
                                                        credit card data
                                                        I can imagine
                                                        Avi does not
                                                        want it logged<br>
                                                        for security
                                                        purposes.<br>
                                                        <br>
                                                        Regards,<br>
                                                        Patrick<br>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                  </div>
                                                </div>
                                                <br>
_________________________________________________________________________<br>
                                                Professional FreeSWITCH
                                                Consulting Services:<br>
                                                <a
                                                  moz-do-not-send="true"
href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
                                                <a
                                                  moz-do-not-send="true"
href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
                                                <br>
                                                FreeSWITCH-powered IP
                                                PBX: The CudaTel
                                                Communication Server<br>
                                                <a
                                                  moz-do-not-send="true"
href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
                                                <br>
                                                Official FreeSWITCH
                                                Sites<br>
                                                <a
                                                  moz-do-not-send="true"
href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
                                                <a
                                                  moz-do-not-send="true"
href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
                                                <a
                                                  moz-do-not-send="true"
href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
                                                <br>
                                                Join Us At ClueCon - Aug
                                                7-9, 2012<br>
                                                <br>
                                                FreeSWITCH-users mailing
                                                list<br>
                                                <a
                                                  moz-do-not-send="true"
href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
                                                <a
                                                  moz-do-not-send="true"
href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users"
                                                  target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
                                                UNSUBSCRIBE:<a
                                                  moz-do-not-send="true"
href="http://lists.freeswitch.org/mailman/options/freeswitch-users"
                                                  target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
                                                <a
                                                  moz-do-not-send="true"
href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
                                                <br>
                                              </blockquote>
                                            </div>
                                            <br>
                                          </div>
                                        </div>
                                        <br>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </div>
                                <br>
                              </blockquote>
                            </div>
                          </div>
                        </div>
                        <br>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
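Added example, not part of the original thread and not FreeSWITCH code: one way to avoid "storing the xml_cdrs in their raw form" is to scrub each CDR before it is written, blanking digits_dialed and any other leaf value that carries a Luhn-valid card number. The sample CDR is constructed, the variable name ivr_post_body is hypothetical, and URL-encoded values are an assumption.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Variable named in the thread as holding the caller's entered digits.
SENSITIVE_VARS = {"digits_dialed"}
REDACTED = "[REDACTED]"


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text):
    """True if any 13..19 digit window inside a digit run passes Luhn.

    Windows are needed because a card number may be followed directly by
    CVV2 or expiry digits in the same run. Luhn matches roughly one random
    number in ten, so long numeric fields can be redacted by mistake; for
    a CDR store that is the safe direction to fail in.
    """
    for run in re.findall(r"\d{13,}", text):
        for size in range(13, 20):
            for start in range(len(run) - size + 1):
                if luhn_ok(run[start:start + size]):
                    return True
    return False


def scrub_cdr(xml_text):
    """Return (scrubbed_xml, names_of_redacted_elements).

    Every leaf element is checked: known-sensitive names are always
    blanked, anything else is blanked when its decoded value holds a PAN.
    """
    root = ET.fromstring(xml_text)
    redacted = []
    for el in root.iter():
        if len(el) or not el.text:
            continue            # skip containers and empty elements
        value = unquote(el.text)  # assumption: values may be URL-encoded
        if el.tag in SENSITIVE_VARS or contains_pan(value):
            el.text = REDACTED
            redacted.append(el.tag)
    return ET.tostring(root, encoding="unicode"), redacted


def build_sample_cdr():
    """Constructed sample shaped like an XML CDR; not real call data."""
    cdr = ET.Element("cdr")
    variables = ET.SubElement(cdr, "variables")
    sample = [
        ("uuid", "00000000-0000-4000-8000-000000000001"),
        # Test card number followed by a three-digit code, as keyed in.
        ("digits_dialed", "4111111111111111123"),
        # Hypothetical variable holding a URL-encoded POST body.
        ("ivr_post_body", "cc%3D4111111111111111%26cvv%3D123"),
        ("caller_id_number", "15551230000"),
    ]
    for name, value in sample:
        ET.SubElement(variables, name).text = value
    return ET.tostring(cdr, encoding="unicode")


if __name__ == "__main__":
    scrubbed, names = scrub_cdr(build_sample_cdr())
    print("redacted:", names)
    print(scrubbed)
```

This only covers the CDR; the DTMF and curl DEBUG log lines discussed in the thread are a separate path and are not touched by it.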
  </body>
</html>