[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?

Avi Marcus Avi at GetBestFone.com
Mon Dec 19 05:54:27 CST 2011


I'm planning on an IVR to accept credit card information for signing up and
renewal of my services.
Regarding fraud, I'm going to require at minimum a recording of name, who
they are, or something or an actual live call.

But for PCI compliance... this says
https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf
on page 9:

> Call centers will need to ensure that transmission of cardholder data
> across public networks is encrypted.
> This is part of PCI DSS Requirement 4 and includes:
>
>    - ...
>
>    - *Voice or data streams over Voice over IP (VoIP) telephone
>    systems, whenever sent over an open or public network. Note that only
>    those consumer or enterprise VoIP systems that provide strong
>    cryptography should be used. *
>
>    - Requiring agents to use analog telephone lines when a VoIP
>    telephone system does not provide strong cryptography.

I'm doing DTMF, not voice, but I can't imagine that's LESS strict.

I haven't really heard of any end-to-end encrypted origination lines. Is
this guideline ignored? How do people deal with this? Does someone have T1
lines and offer encryption for origination...?

I would mostly need this in the USA and Israel...

-Avi Marcus
BestFone
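The quoted PCI guidance turns on whether the VoIP leg actually negotiates strong cryptography, and DTMF sent as RFC 4733 telephone-events rides inside the same RTP stream as the audio, so the SRTP status of that stream is what decides it. The following is an added example, not part of the original post or of any Asterisk code: a small Python check that inspects a call's SDP for an SRTP profile plus keying material on the audio section. The SDP bodies and key material are constructed samples.

```python
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed sample SDP offers (not from the original post): one plain RTP/AVP,
# one SDES-SRTP (RTP/SAVP + a=crypto). Both carry DTMF as RFC 4733 telephone-event.
SDP_PLAIN = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 40000 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""
SDP_SRTP = SDP_PLAIN.replace("RTP/AVP", "RTP/SAVP") + (
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYMATERIALNOTREALXXXXXXXXXX\n")

def audit_sdp(sdp):
    """Per m= section: protocol, whether it is an SRTP profile, what keying
    (SDES a=crypto or DTLS a=fingerprint) is present, and whether DTMF rides in it."""
    findings, section, session_dtls = [], None, False
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, proto, *_ = line[2:].split()
            section = {"media": media, "proto": proto, "srtp": proto in SECURE_PROFILES,
                       "keying": "dtls" if session_dtls else None, "dtmf_in_stream": False}
            findings.append(section)
        elif line.startswith("a=fingerprint:"):
            if section is None:
                session_dtls = True   # session-level fingerprint applies to all media
            else:
                section["keying"] = "dtls"
        elif section is not None and line.startswith("a=crypto:"):
            section["keying"] = "sdes"
        elif section is not None and "telephone-event" in line:
            section["dtmf_in_stream"] = True
    return findings

def dtmf_is_protected(sdp):
    """PCI DSS Req. 4 view of the call: every audio section (the stream that
    carries telephone-event DTMF, or in-band tones) must negotiate an SRTP
    profile *and* carry keying material. DTMF sent as SIP INFO is outside
    this check; that path needs TLS on the signaling leg instead."""
    audio = [f for f in audit_sdp(sdp) if f["media"] == "audio"]
    return bool(audio) and all(f["srtp"] and f["keying"] is not None for f in audio)

if __name__ == "__main__":
    for name, sdp in (("plain", SDP_PLAIN), ("srtp", SDP_SRTP)):
        print(name, dtmf_is_protected(sdp), audit_sdp(sdp))
```

An offer that names an SRTP profile but carries no a=crypto or a=fingerprint is reported as unprotected, which is the case to watch for with gateways that advertise SAVP without ever keying it.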