[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?

[Carlos Rojas]

Heloo

You need TLS service in asterisk and your clients, but only few ip gatewais
do it.

Regards
On Dec 19, 2011 6:55 AM, "Avi Marcus" <Avi at getbestfone.com> wrote:

> I'm planning on an IVR to accept credit card information for signing up
> and renewal of my services.
> Regarding fraud, I'm going to require at minimum a recording of name, who
> they are, or something or an actual live call.
>
> But for PCI compliance.. this says
> https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf on
> page 9:
>
>>  Call centers will need to ensure that transmission of cardholder data
>> across public networks is encrypted.
>> This is part of PCI DSS Requirement 4 and includes:
>>
>>    - ...
>>
>>
>>    - *Voice or data streams over Voice over IP (VoIP) telephone
>>    systems, whenever sent over an open or public network. Note that only
>>    those consumer or enterprise VoIP systems that provide strong
>>    cryptography should be used. *
>>
>>
>>    - Requiring agents to use analog telephone lines when a VoIP
>>    telephone system does not provide strong cryptography.
>>
>>     I'm doing dtmf, not voice, but I can't imagine that's LESS strict.
>
> I haven't really heard of any end-to-end encrypted origination lines. Is
> this guideline ignored? How do people deal with this? Does someone have T1
> lines and offers encryption for origination...?
>
> I would mostly need this in USA and Israel..
>
> -Avi Marcus
> BestFone
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-biz/attachments/20111219/c2ff97e8/attachment.htm>