[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?
Avi Marcus
Avi at GetBestFone.com
Mon Dec 19 05:54:27 CST 2011
I'm planning on an IVR to accept credit card information for signing up and
renewal of my services.
Regarding fraud, I'm going to require at minimum a recording of name, who
they are, or something or an actual live call.
But for PCI compliance... this says
https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf
on page 9:
> Call centers will need to ensure that transmission of cardholder data
> across public networks is encrypted.
> This is part of PCI DSS Requirement 4 and includes:
>
> - ...
>
> - *Voice or data streams over Voice over IP (VoIP) telephone
> systems, whenever sent over an open or public network. Note that only
> those consumer or enterprise VoIP systems that provide strong
> cryptography should be used.*
>
> - Requiring agents to use analog telephone lines when a VoIP
> telephone system does not provide strong cryptography.
I'm doing DTMF, not voice, but I can't imagine that's LESS strict.
I haven't really heard of any end-to-end encrypted origination lines. Is
this guideline ignored? How do people deal with this? Does someone have T1
lines and offer encryption for origination...?
I would mostly need this in the USA and Israel.
-Avi Marcus
BestFone