[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?

Avi Marcus Avi at GetBestFone.com
Mon Dec 19 06:56:14 CST 2011


Ah, I forgot that SIP INFO for DTMF and TLS would be enough... but maybe not
for the guidelines.

And yes, it's possible to con/bribe/hack the telcos... but since the calls
are going over the PSTN anyway, you remove the entire "public" part of the
call from being open. I presume it's at least better if that's the only
opening.

-Avi Marcus
BestFone



On Mon, Dec 19, 2011 at 2:46 PM, Alex Balashov <abalashov at evaristesys.com> wrote:

> You probably already know this, but there is no technical logic to the PCI
> guidelines.  It is not a logical process, and the requirements are not
> conceived by people who really understand how technology and workflows in
> voice service delivery function.  And, in general, if the auditors don't
> understand it--which they invariably don't--it's not compliant.
>
> So, for instance, with regard to DTMF, you could use SIP INFO for DTMF
> transition, and encrypt your signaling (say, with TLS) but not your media.
> Strictly speaking, that would be secure, since the credit card numbers do
> not appear either as RTP OOB events in the media stream, or in-band, but
> rather as signaling artifacts.  However, this is way too clever for the
> kinds of people that get to define the compliance requirements.
>
> More generally, the assumption that PSTN analog or digital lines are
> inherently secure in ways that the public Internet is not is, of course,
> ridiculous.  In fact, by many accounts, sniffing third-parties' packets is
> considerably more laborious a chore than bribing ILEC employees to assist
> in tapping circuits, or going to a junction box with a set of alligator
> clips.  But, as I said, rhyme and reason is not part of the formula.
>
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
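The SIP INFO versus RTP telephone-event distinction Alex draws above is easy to verify on your own call traces. The following is an added example (not code from the thread or from Asterisk): it decodes a digit from a constructed application/dtmf-relay INFO message and from a constructed RFC 4733 RTP payload, and a small helper states which leg of the call (signaling or media) carries the digits for a given DTMF mode and whether that leg is encrypted. The mode names `info`, `rfc2833` and `inband` follow the Asterisk `dtmfmode` vocabulary; the helper's rules are an assumption of this example.

```python
"""Where do DTMF card digits actually travel in a SIP call?

Added example, not from the thread. Decodes the two out-of-band DTMF carriers
the discussion contrasts and reports which call leg each digit rode on.
"""
import struct

# RFC 4733 event codes 0-15 map to the DTMF digits 0-9, *, #, A-D.
TELEPHONE_EVENTS = "0123456789*#ABCD"

# Constructed SIP INFO request carrying a digit as a signaling artifact.
SAMPLE_INFO = (
    "INFO sip:ivr@example.invalid SIP/2.0\r\n"
    "Content-Type: application/dtmf-relay\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "Signal=5\r\nDuration=160\r\n"
)

# Constructed RFC 4733 RTP payload: event 5, end bit set, volume 10, duration 1600.
SAMPLE_RTP_EVENT = bytes([0x05, 0x8A, 0x06, 0x40])


def digit_from_sip_info(message: str) -> str:
    """Return the digit in a SIP INFO application/dtmf-relay body."""
    headers, _, body = message.partition("\r\n\r\n")
    if "application/dtmf-relay" not in headers.lower():
        raise ValueError("not a dtmf-relay INFO message")
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "signal":
            return value.strip()
    raise ValueError("no Signal= line in dtmf-relay body")


def digit_from_rtp_event(payload: bytes) -> tuple[str, bool, int]:
    """Decode a 4-byte RFC 4733 payload into (digit, end_of_event, duration)."""
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return TELEPHONE_EVENTS[event & 0x0F], bool(flags & 0x80), duration


def digit_path(dtmf_mode: str, signaling_tls: bool, srtp: bool) -> tuple[str, bool]:
    """Which leg carries the digits, and is that leg encrypted? (assumed rules)"""
    if dtmf_mode == "info":
        return "signaling", signaling_tls      # digits ride in SIP, protected by TLS
    if dtmf_mode in ("rfc2833", "inband"):
        return "media", srtp                   # digits ride in RTP, protected only by SRTP
    raise ValueError(f"unknown dtmf mode {dtmf_mode!r}")
```

Run `digit_path("rfc2833", True, False)` to see the case the thread warns about: TLS on signaling does nothing for digits carried as RTP events.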