[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?

Robert-IPhone rhuddleston at gmail.com
Mon Dec 19 08:53:35 CST 2011


Ya the audits and questions are stupid. My current PCI audit company and I got into a huge fight.
They wanted to audit the IP address of my office, which is dynamic, and not my servers.
Their questions were worded in such a way as to trap me.
But in the end I just answered everything as a yes or no (what they were looking for) and got a passing grade :)


Sent from my iPhone 4S

On Dec 19, 2011, at 7:46 AM, Alex Balashov <abalashov at evaristesys.com> wrote:

> You probably already know this, but there is no technical logic to the PCI guidelines.  It is not a logical process, and the requirements are not conceived by people who really understand how technology and workflows in voice service delivery function.  And, in general, if the auditors don't understand it--which they invariably don't--it's not compliant.
> 
> So, for instance, with regard to DTMF, you could use SIP INFO for DTMF transmission, and encrypt your signaling (say, with TLS) but not your media.  Strictly speaking, that would be secure, since the credit card numbers do not appear either as RTP OOB events in the media stream, or in-band, but rather as signaling artifacts.  However, this is way too clever for the kinds of people that get to define the compliance requirements.
> 
> More generally, the assumption that PSTN analog or digital lines are inherently secure in ways that the public Internet is not is, of course, ridiculous.  In fact, by many accounts, sniffing third-parties' packets is considerably more laborious a chore than bribing ILEC employees to assist in tapping circuits, or going to a junction box with a set of alligator clips.  But, as I said, rhyme and reason is not part of the formula.
> 
> -- 
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>  http://lists.digium.com/mailman/listinfo/asterisk-biz
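
The SIP INFO versus RTP telephone-event distinction in the quoted reply, as an added worked example that is not part of the original thread or of any Asterisk code: a small Python audit that walks a constructed capture of one call and reports, per DTMF digit, whether it travelled as a SIP INFO application/dtmf-relay body or as an RFC 4733 telephone-event packet, and whether that carrier was encrypted (TLS for SIP, SRTP for RTP). Assumptions, all mine: the hypothetical Packet record stands in for pcap metadata (protocol plus an "encrypted" flag a real tool would derive from the port or a TLS/SRTP handshake), telephone-event was negotiated as dynamic payload type 101, and the digits dialled are the well-known Visa test number 4111111111111111, constructed for the example.

```python
"""Classify where DTMF digits travel in a captured SIP/RTP session.

Constructed example, not code from the mailing-list thread. Parsing follows
RFC 3261 (SIP), RFC 3550 (RTP) and RFC 4733 (telephone-event) only as far as
this check needs.
"""
from dataclasses import dataclass
import struct

TELEPHONE_EVENT_PT = 101  # assumption: dynamic PT negotiated in SDP for telephone-event
DTMF_EVENTS = {i: str(i) for i in range(10)}
DTMF_EVENTS.update({10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"})


@dataclass
class Packet:            # hypothetical stand-in for pcap metadata
    proto: str           # "sip" or "rtp"
    encrypted: bool      # TLS for sip, SRTP for rtp
    payload: bytes


@dataclass
class DtmfSighting:
    digit: str
    carrier: str         # "sip-info" or "rtp-event"
    encrypted: bool


def parse_sip_info_dtmf(payload: bytes):
    """Digit carried by a SIP INFO with an application/dtmf-relay body, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.startswith("INFO "):
        return None
    head, _, body = text.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type", "").lower() != "application/dtmf-relay":
        return None
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "signal":
            return value.strip()
    return None


def parse_rtp_event(payload: bytes, event_pt=TELEPHONE_EVENT_PT):
    """Digit if this RTP packet is the first packet of a telephone-event, else None."""
    if len(payload) < 16 or payload[0] >> 6 != 2:   # RTP version must be 2
        return None
    marker, pt = bool(payload[1] & 0x80), payload[1] & 0x7F
    if pt != event_pt or not marker:   # marker bit set only on the first packet of an event
        return None
    hdr_len = 12 + 4 * (payload[0] & 0x0F)          # fixed header plus CSRC list
    if len(payload) < hdr_len + 4:
        return None
    event = payload[hdr_len]                        # RFC 4733: event code is the first body byte
    return DTMF_EVENTS.get(event)


def audit_dtmf(packets):
    """Every DTMF digit found in the capture, with its carrier and encryption state."""
    sightings = []
    for p in packets:
        digit = parse_sip_info_dtmf(p.payload) if p.proto == "sip" else parse_rtp_event(p.payload)
        if digit is not None:
            sightings.append(DtmfSighting(digit, "sip-info" if p.proto == "sip" else "rtp-event", p.encrypted))
    return sightings


def cleartext_digits(sightings):
    """Digits an on-path observer could read without breaking any encryption."""
    return "".join(s.digit for s in sightings if not s.encrypted)


# --- constructed packets for the two call setups being compared -----------------
def sip_info(digit):
    body = f"Signal={digit}\r\nDuration=160\r\n"
    msg = ("INFO sip:ivr@example.invalid SIP/2.0\r\nCall-ID: abc@example.invalid\r\n"
           f"Content-Type: application/dtmf-relay\r\nContent-Length: {len(body)}\r\n\r\n{body}")
    return msg.encode()


def rtp_event(digit, seq):
    event = next(code for code, d in DTMF_EVENTS.items() if d == digit)
    hdr = struct.pack("!BBHII", 0x80, 0x80 | TELEPHONE_EVENT_PT, seq, 160 * seq, 0x1234)
    return hdr + struct.pack("!BBH", event, 0x0A, 160)      # event, volume 10, duration


def rtp_audio(seq):
    return struct.pack("!BBHII", 0x80, 0, seq, 160 * seq, 0x1234) + b"\xff" * 160  # PCMU silence


def build_sessions():
    pan = "4111111111111111"   # constructed test PAN, not a real card
    # A: digits as SIP INFO over TLS, media as plain RTP that carries audio only
    a = [Packet("sip", True, sip_info(d)) for d in pan]
    a += [Packet("rtp", False, rtp_audio(i)) for i in range(len(pan))]
    # B: digits as RFC 4733 telephone-events on plain RTP
    b = [Packet("rtp", False, rtp_event(d, i)) for i, d in enumerate(pan)]
    return a, b


if __name__ == "__main__":
    for name, session in zip("AB", build_sessions()):
        print(name, "cleartext digits:", cleartext_digits(audit_dtmf(session)) or "(none)")
```

Session A yields no cleartext digits because every digit is inside TLS-protected signalling and the unencrypted RTP carries only audio; session B exposes the whole PAN from the plain telephone-event stream. The caveat a practitioner should keep in mind is the one the check cannot cover: if a phone or gateway sends DTMF in-band as audio tones, nothing above sees it, and an unencrypted media leg would then still need a tone detector (or SRTP) before the "digits never touch the media" argument holds.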
