[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?

Alex Balashov abalashov at evaristesys.com
Mon Dec 19 06:46:40 CST 2011


You probably already know this, but there is no technical logic to the 
PCI guidelines.  It is not a logical process, and the requirements are 
not conceived by people who really understand how technology and 
workflows in voice service delivery function.  And, in general, if the 
auditors don't understand it--which they invariably don't--it's not 
compliant.

So, for instance, with regard to DTMF, you could use SIP INFO for DTMF 
transition, and encrypt your signaling (say, with TLS) but not your 
media.  Strictly speaking, that would be secure, since the credit card 
numbers do not appear either as RTP OOB events in the media stream, or 
in-band, but rather as signaling artifacts.  However, this is way too 
clever for the kinds of people that get to define the compliance 
requirements.

More generally, the assumption that PSTN analog or digital lines are 
inherently secure in ways that the public Internet is not is, of 
course, ridiculous.  In fact, by many accounts, sniffing 
third parties' packets is considerably more laborious a chore than 
bribing ILEC employees to assist in tapping circuits, or going to a 
junction box with a set of alligator clips.  But, as I said, rhyme and 
reason is not part of the formula.

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
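The distinction drawn above (digits carried as SIP INFO signaling versus RFC 4733 telephone-event packets in the RTP stream) can be checked against a capture. The following is an added example, not code from the post or from Asterisk: it decodes both digit encodings and reports whether the channel that carried each digit was encrypted, given assumed transport settings (TLS on signaling, plain RTP on media). The sample payloads are constructed.

```python
import re

# RFC 4733 (ex-RFC 2833) telephone-event payload: event (1 byte),
# E-bit/R-bit/volume (1 byte), duration in timestamp units (2 bytes).
RFC4733_EVENTS = "0123456789*#ABCD"


def parse_rfc4733_event(payload: bytes) -> dict:
    """Decode one telephone-event RTP payload; the digit rides in the media stream."""
    if len(payload) < 4:
        raise ValueError("telephone-event payload needs at least 4 bytes")
    event, flags = payload[0], payload[1]
    return {
        "digit": RFC4733_EVENTS[event] if event < len(RFC4733_EVENTS) else None,
        "end": bool(flags & 0x80),          # E bit: last packet of this event
        "volume": flags & 0x3F,             # 0..63 dBm0 attenuation
        "duration": int.from_bytes(payload[2:4], "big"),
        "carried_by": "media",
    }


def parse_sip_info_dtmf(body: str) -> dict:
    """Decode an application/dtmf-relay body (Signal=5\\r\\nDuration=160); digit rides in signaling."""
    sig = re.search(r"^Signal=\s*([0-9*#A-D])", body, re.M)
    if not sig:
        raise ValueError("no Signal= line in dtmf-relay body")
    dur = re.search(r"^Duration=\s*(\d+)", body, re.M)
    return {
        "digit": sig.group(1),
        "duration": int(dur.group(1)) if dur else None,
        "carried_by": "signaling",
    }


def digit_exposed(event: dict, signaling_encrypted: bool, media_encrypted: bool) -> bool:
    """True when the channel that carried the digit is unencrypted on the wire."""
    protected = {"signaling": signaling_encrypted, "media": media_encrypted}
    return not protected[event["carried_by"]]


# Constructed sample: digit "5", end bit set, volume 10, duration 160, in both encodings.
SAMPLE_RTP = bytes([0x05, 0x8A, 0x00, 0xA0])
SAMPLE_INFO = "Signal=5\r\nDuration=160\r\n"

if __name__ == "__main__":
    # Assumed deployment from the post: TLS signaling, plain RTP media.
    for ev in (parse_rfc4733_event(SAMPLE_RTP), parse_sip_info_dtmf(SAMPLE_INFO)):
        print(ev["carried_by"], ev["digit"], "exposed:", digit_exposed(ev, True, False))
```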