[VoiceOps] PCI Compliance and VoIP

Hiers, David David_Hiers at adp.com
Wed Oct 19 19:26:39 EDT 2011


This PCI requirement covers the entire Internet, regardless of protocol:

##
11.1 If the payment application sends, or
facilitates sending, cardholder data over public
networks, the payment application must support
use of strong cryptography and security protocols
(for example, SSL/TLS, Internet protocol security
(IPSEC), SSH, etc.) to safeguard sensitive
cardholder data during transmission over open,
public networks.

Examples of open, public networks that are in
scope of the PCI DSS are:
* The Internet
<snip>
##

Odd that they kill the extra pixels to say "must support use of" instead of "must use", huh?

David Hiers

CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277


-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Justin B Newman
Sent: Wednesday, October 19, 2011 3:47 PM
To: Geoffrey Mina
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] PCI Compliance and VoIP

> I am wondering what you folks out there do when a customer needs their 
> voice service providers to be PCI compliant.  We use many ITSPs over 
> the public internet and it doesn't seem that any of them support any 
> type of SRTP.  Do we need to step back and go TDM to our ULC for 
> 'secure' customers?  Anyone know of any good inbound/outbound ITSP 
> that is PCI compliant AND supports SRTP over the public network?

One way to approach the issue would be to work with the customer on the actual requirements. PCI does not specifically identify a requirement that brings voice service into scope. I believe that any interpretation that would bring voice telecommunications into scope would end up applying to TDM, just as it would to VoIP.

-jbn
Justin B Newman
