[VoiceOps] PCI Compliance and VoIP

Hiers, David David_Hiers at adp.com
Thu Oct 20 09:15:06 EDT 2011


Um, that's kinda the point, actually.

One of the outcomes of the technical security of the network is to force attacks to occur at the endpoints.  There is a much smaller, much more controllable set of people to deal with at the endpoints.  You can even establish further controls at the endpoints to make attacks harder to perform, require collusion between multiple parties, limit the scope of a successful attack, and increase the ability to detect attack attempts.

There will always be a soft spot in the system; you want to move it to where you have lots of "cameras".



David Hiers

CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277

###Please note my email address is changing: 
###from David_Hiers at adp.com 
###  to David.Hiers at adp.com


-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Carlos Alcantar
Sent: Wednesday, October 19, 2011 11:26 PM
To: VoiceOps
Subject: Re: [VoiceOps] PCI Compliance and VoIP

What's really sad about all this is we can make everything as secure as possible using whatever transport method we can think of.  But 99% of the fraud is going to come from an employee that has access to the data.

Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314  Fax:  +1 650 246 8901 / carlos *at* race.com / www.race.com 





On 10/19/11 5:49 PM, "Jimmy Hess" <mysidia at gmail.com> wrote:

>On Wed, Oct 19, 2011 at 6:26 PM, Hiers, David <David_Hiers at adp.com> wrote:
>
>That doesn't really "cover" the internet... it just mentions the 
>internet. "11.1 If the payment application ... the payment application 
>must support use of strong cryptography and security protocols".
>
>This would mean that the payment application software has to support
>encryption of data before emitting it over any public network, that's
>entirely agnostic to the nature of the transport, whether it be radio
>broadcasts, US mail, or carrier pigeons, the application has to
>encrypt the message, no matter whether the message is transmitted
>packetized as PCM over a series of IP packets, analog audio signals, a
>.WAV file attached to an e-mail, or printed on punch cards for snail
>mail.
>
>Modern payment applications don't normally utilize voice (or punch
>cards), however.....
>
>
>> This PCI requirement covers the entire Internet, regardless of protocol:
>> ##
>> 11.1 If the payment application sends, or facilitates sending, 
>> cardholder data over public networks, the payment application must 
>> support use of strong cryptography and security protocols
>[snip]
>
>--
>-JH
>_______________________________________________
>VoiceOps mailing list
>VoiceOps at voiceops.org
>https://puck.nether.net/mailman/listinfo/voiceops
>

