<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Just curious what other companies using FreeSWITCH and taking credit
cards over the phone are doing? There is no way you can be PCI
compliant if you store the logs or CDRs, encrypted or not, if it
contains the CVV2. Same goes for call recording. And IIRC you can't
use a regular VoIP line for credit cards (you have to use encrypted
lines if it's VoIP).<br>
<br>
On 5/30/2012 5:25 PM, Avi Marcus wrote:
<blockquote
cite="mid:CALNZuwkgYayNDfAtn94-e+oJsgmxS0SWABXzsHxHqwPYpYYaXw@mail.gmail.com"
type="cite">
<div dir="ltr">Mostly credit cards.. and anything you do with it,
e.g. submit it via https to <a moz-do-not-send="true"
href="http://authorize.net">authorize.net</a>, stripe, etc
where then you don't need the actual number anymore.
<div>So both the DTMF entry and the curl debug line. I can't
think of anything else in particular.</div>
<div><br clear="all">
<div dir="ltr"><span
style="font-family:Verdana,Arial,Helvetica,sans-serif"><span
style="font-size:small">-Avi</span></span></div>
<br>
<div class="gmail_quote">On Wed, May 30, 2012 at 11:35 PM,
Michael Collins <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:msc@freeswitch.org"
target="_blank">msc@freeswitch.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Avi,<br>
<br>
Can you think of any other places where the FS logging in
general might contain sensitive data? Reason I ask is that
maybe we could create something like "pcidss=true" and
then use that as a flag to disable logging anything that
might be considered sensitive. Just a thought.<span
class="HOEnZb"><font color="#888888"><br>
<br>
-MC</font></span>
<div class="HOEnZb">
<div class="h5"><br>
<br>
<div class="gmail_quote">On Wed, May 30, 2012 at 1:29
PM, Avi Marcus <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:avi@avimarcus.net" target="_blank">avi@avimarcus.net</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_quote">
<div>On Wed, May 30, 2012 at 11:18 PM, Michael
Collins <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:msc@freeswitch.org"
target="_blank">msc@freeswitch.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
How are you protecting everything else? If
the XML CDR is sent over HTTP instead of
HTTPS then everything about the call is
plain text.</blockquote>
</div>
<div>As far as I know, the only thing
sensitive in the xml_cdr is digits_dialed.</div>
<div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">And what
about the FS logs? Are you encrypting
those somehow? It seems to me that you
need a more comprehensive solution than
just scrubbing a single channel variable.
<br>
</blockquote>
</div>
<div>No, I'm not encrypting them.. because
there wouldn't be anything sensitive. As far
as I can tell, the only issue is the DTMF in
DEBUG and the curl post message, again in
DEBUG. </div>
<div>
Since this is a lua IVR it seems nearly
nothing else makes it into the log.
Only api:execute("curl",...) is in the log
because it's not a native direct curl
command (like session:playandgetdigits())</div>
<div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">However, if
you need an interim solution I would
suggest commenting out the line that sets
digits_dialed:<br>
<a moz-do-not-send="true"
href="http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_channel.c?r=HEAD#to3912"
target="_blank">http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_channel.c?r=HEAD#to3912</a><br>
<br>
A more permanent solution might be to
create a channel variable that controls
whether stuff like this gets logged.
Something like "no_dtmf_logging=true" or
whatever. That's a bit more involved
because you have to decide if there are
other places where DTMF info gets logged
and if so, decide whether or not you want
not to log them. <br>
</blockquote>
</div>
<div>That's an interesting idea... it might be
more encompassing to have a loglevel=X
channel variable instead that affects the
logging for that channel. But this is
probably overkill...</div>
<div>
<div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<br>
What would be the ideal solution for
your scenario? That answer might yield
the best course of action.<span><font
color="#888888"><br>
-MC</font></span>
<div>
<div><br>
<br>
<div class="gmail_quote">
On Wed, May 30, 2012 at 11:20 AM,
Avi Marcus <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:avi@avimarcus.net"
target="_blank">avi@avimarcus.net</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">The PCI-DSS
(Payment Card Industry Data
Security Standard) requires
encryption, not merely
permission restriction, for
sensitive data. Hence I'm
looking at the DTMF logging
which can probably be easily
re-patterned back into the
digits, the curl POST which
also shows everything in the
log, the dialed_digits in a
standard xml_cdr..
<div>
Otherwise, afaik, lua won't
log things unless you
explicitly tell it to.</div>
<div><br>
</div>
<div>Any suggestions other
than setting the entire
switch to fsctl loglevel 6
and not storing the xml_cdrs
in their raw form?</div>
<div><br clear="all">
<div dir="ltr"><span
style="font-family:Verdana,Arial,Helvetica,sans-serif"><span
style="font-size:small">-Avi</span></span></div>
<br>
<div class="gmail_quote">On
Wed, May 30, 2012 at 8:11
PM, Michael Collins <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:msc@freeswitch.org" target="_blank">msc@freeswitch.org</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">If
it's a compliance issue
then I'd triple-check to
make sure that no one
unauthorized can get to
any of your FS logs or
CDR data. I suspect that
logging vs. not logging
dialed_digits is not a
make-or-break
proposition. If you're
doing xml_cdrs then
you've probably got that
same data in other log
lines.<span><font
color="#888888"><br>
<br>
-MC</font></span>
<div>
<div><br>
<br>
<div
class="gmail_quote">On
Wed, May 30, 2012
at 9:08 AM,
Patrick Lists <span
dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:freeswitch-list@puzzled.xs4all.nl"
target="_blank">freeswitch-list@puzzled.xs4all.nl</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">On
30-05-12 17:48,
Michael Collins
wrote:<br>
> And..
similarly is
there a way to
blank out the
var
digits_dialed in<br>
> the
xml_cdr, from
within FS,
before the end
of the call?<br>
><br>
> Why do you
need to clear it
out? What
information does
it collect that<br>
> you don't
need?<br>
<br>
Since it's
credit card data
I can imagine
Avi does not
want it logged<br>
for security
purposes.<br>
<br>
Regards,<br>
Patrick<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH
Consulting Services:<br>
<a
moz-do-not-send="true"
href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a
moz-do-not-send="true"
href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP
PBX: The CudaTel
Communication Server<br>
<a
moz-do-not-send="true"
href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH
Sites<br>
<a
moz-do-not-send="true"
href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a
moz-do-not-send="true"
href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a
moz-do-not-send="true"
href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
Join Us At ClueCon - Aug
7-9, 2012<br>
<br>
FreeSWITCH-users mailing
list<br>
<a
moz-do-not-send="true"
href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users"
target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a
moz-do-not-send="true"
href="http://lists.freeswitch.org/mailman/options/freeswitch-users"
target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a
moz-do-not-send="true"
href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
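<div>Added example (not part of the original thread and not FreeSWITCH code): one way to avoid "storing the xml_cdrs in their raw form" is to scrub each CDR and log line before it is written to long-term storage. The element layout of the sample CDR, the sample log line and the redaction markers are constructed assumptions; only the variable name digits_dialed comes from the thread.</div>

```python
import re
import xml.etree.ElementTree as ET

# Channel variables dropped by name. digits_dialed is the one named in the
# thread; extending the set for a given dialplan is left to the operator.
SENSITIVE_VARS = {"digits_dialed"}
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")  # candidate card-number lengths


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_text(text):
    """Mask Luhn-valid digit runs, e.g. a card number in a logged POST body."""
    def mask(match):
        run = match.group(0)
        return "[REDACTED-PAN]" if luhn_ok(run) else run
    return DIGIT_RUN.sub(mask, text)


def scrub_cdr(xml_text):
    """Blank sensitive variables by name, mask card numbers everywhere else."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in SENSITIVE_VARS:
            el.text = "[REDACTED]"
        elif el.text:
            el.text = scrub_text(el.text)
    return ET.tostring(root, encoding="unicode")


def sample_cdr():
    """Constructed CDR fragment (assumed layout, not real FreeSWITCH output)."""
    cdr = ET.Element("cdr")
    variables = ET.SubElement(cdr, "variables")
    ET.SubElement(variables, "digits_dialed").text = "4111111111111111"
    ET.SubElement(variables, "caller_id_number").text = "15551230000"
    return ET.tostring(cdr, encoding="unicode")


# Constructed line standing in for the DEBUG curl POST entry.
SAMPLE_LOG = "[DEBUG] curl post data: card=4111111111111111 ref=1234567890123"
```

<div>Short values such as a CVV2 cannot be recognised by pattern, so any field that may carry them has to be dropped by name, as digits_dialed is here. Per-digit DTMF lines in the DEBUG log are not caught by this scrubber either.</div>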
</body>
</html>