[asterisk-biz] PCI Compliance for Credit Cards Over the Phone - how?
Alex Balashov
abalashov at evaristesys.com
Mon Dec 19 07:09:10 CST 2011
On 12/19/2011 07:56 AM, Avi Marcus wrote:

> Ah I forgot that SIP INFO for DTMF and TLS would be enough... but
> maybe not for the guidelines..

The guidelines suffer from a severe lack of precision, and general
lack of awareness of the variety of implementational possibilities.

> And yes, it's possible to con/bribe/hack the telcos.. but since the
> calls are going over the PSTN anyway, you remove the entire "public"
> part of the call from being open. I presume it's at least better if
> that's the only opening..

Yes, but my argument was that the PSTN part is not so materially less
"public". :-) Another thing to consider is that the technology to
tap traditional PSTN circuits has been around for decades; the
options are both better-established and more "low-tech".

As I always tell people, if I had something to hide and knew that
someone was looking to wiretap me, I would take my chances with an
unencrypted VoIP call over the public Internet any day over the PSTN.
Techniques for tapping the PSTN are just so much more
well-understood and established. That's kind of a "security by
obscurity" argument, owing to the relative newness of VoIP, but still.

The average private investigator for hire can tap analog lines, and
probably even PRIs. I don't have the sense that they can (yet?) take
for granted tapping IP conversations. Also, the architecture of the
PSTN is inherently much more centralised; the tap points are much
more well-defined and concentrated, and far more static.
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/