[Freeswitch-users] PCI Compliance Over Telephone for Credit Cards- how?

Avi Marcus avi at avimarcus.net
Mon Dec 19 14:52:29 MSK 2011


I'm planning on an IVR to accept credit card information for signing up and
renewal of my services.
Regarding fraud, I'm going to require at minimum a recording of name, who
they are, or something or an actual live call.

But for PCI compliance.. this says
https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf
on page 9:

> Call centers will need to ensure that transmission of cardholder data
> across public networks is encrypted.
> This is part of PCI DSS Requirement 4 and includes:
>
>    - ...
>
>    - *Voice or data streams over Voice over IP (VoIP) telephone
>    systems, whenever sent over an open or public network. Note that only
>    those consumer or enterprise VoIP systems that provide strong
>    cryptography should be used.*
>
>    - Requiring agents to use analog telephone lines when a VoIP
>    telephone system does not provide strong cryptography.

I'm doing DTMF, not voice, but I can't imagine that's LESS strict.

I haven't really heard of any end-to-end encrypted origination lines. Is
this guideline ignored? How do people deal with this? Does someone have T1
lines and offer encryption for origination...?

-Avi Marcus