[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?

[Robert-IPhone]

I'm in the same boat as you - and PCI compliance from the voice side (call) never crossed my mind

Sent from my iPhone 4S

On Dec 19, 2011, at 6:54 AM, Avi Marcus <Avi at GetBestFone.com> wrote:

> I'm planning on an IVR to accept credit card information for signing up and renewal of my services.
> Regarding fraud, I'm going to require at minimum a recording of name, who they are, or something or an actual live call.
> 
> But for PCI compliance.. this says https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf on page 9:
> Call centers will need to ensure that transmission of cardholder data across public networks is encrypted.
> This is part of PCI DSS Requirement 4 and includes:
> ...
> Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used. 
> Requiring agents to use analog telephone lines when a VoIP telephone system does not provide strong cryptography.
> I'm doing dtmf, not voice, but I can't imagine that's LESS strict.
> 
> I haven't really heard of any end-to-end encrypted origination lines. Is this guideline ignored? How do people deal with this? Does someone have T1 lines and offers encryption for origination...?
> 
> I would mostly need this in USA and Israel..
> 
> -Avi Marcus
> BestFone
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-biz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-biz/attachments/20111219/dc81da22/attachment.htm>