[VoiceOps] PCI Compliance and VoIP

Geoffrey Mina gmina at connectfirst.com
Thu Oct 20 09:52:11 EDT 2011


We are probably going to pull a private line from level3 and use them for TF inbound and LD outbound. Should satisfy the requirement of _not_ traversing the public internet. We are in level3 co-lo so it should be relatively cheap. 

Thanks for everyone's input. 

Geoff Mina
CTO/Co-Founder
Connect First Inc.
720.335.5924
888.410.3071
gmina at ConnectFirst.com

Sent from my iPhone

On Oct 20, 2011, at 7:15 AM, "Hiers, David" <David_Hiers at adp.com> wrote:

> Um, that's kinda the point, actually.
> 
> One of the outcomes of the technical security of the network is to force attacks to occur at the endpoints.  There is a much smaller, much more controllable set of people to deal with at the endpoints.  You can even establish further controls at the endpoints to make attacks harder to perform, require collusion between multiple parties, limit the scope of a successful attack, and increase the ability to detect attack attempts.
> 
> There will always be a soft spot in the system, you want to move it to where you have lots of "cameras".
> 
> 
> 
> David Hiers
> 
> CCIE (R/S, V), CISSP
> ADP Dealer Services
> 2525 SW 1st Ave.
> Suite 300W
> Portland, OR 97201
> o: 503-205-4467
> f: 503-402-3277
> 
> ###Please note my email address is changing: 
> ###from David_Hiers at adp.com 
> ###  to David.Hiers at adp.com
> 
> 
> -----Original Message-----
> From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Carlos Alcantar
> Sent: Wednesday, October 19, 2011 11:26 PM
> To: VoiceOps
> Subject: Re: [VoiceOps] PCI Compliance and VoIP
> 
> What's really sad about all this is we can make everything as secure as possible using whatever transport method we can think of.  But 99% of the fraud is going to come from an employee that has access to the data.
> 
> Carlos Alcantar
> Race Communications / Race Team Member
> 101 Haskins Way, So. San Francisco, CA. 94080
> Phone: +1 415 376 3314  Fax:  +1 650 246 8901 / carlos *at* race.com / www.race.com 
> 
> 
> 
> 
> 
> On 10/19/11 5:49 PM, "Jimmy Hess" <mysidia at gmail.com> wrote:
> 
>> On Wed, Oct 19, 2011 at 6:26 PM, Hiers, David <David_Hiers at adp.com> wrote:
>> 
>> That doesn't really "cover" the internet... it just mentions the 
>> internet. "11.1 If the payment application ... the payment application 
>> must support use of strong cryptography and security protocols".
>> 
>> This would mean that the payment application software has to support 
>> encryption of data before emitting it over any public network,  that's 
>> entirely agnostic to the nature of the transport, whether it be radio
>> broadcasts, US mail, or carrier pigeons,   the application has to
>> encrypt the message,  no matter whether the message is transmitted 
>> packetized as PCM over a series of IP packets,  analog audio signals, a 
>> .WAV file attached to an e-mail,  or printed on punch cards  for snail 
>> mail.
>> 
>> Modern payment applications don't normally utilize voice  (or punch 
>> cards), however.....
>> 
>> 
>>> This PCI requirement covers the entire Internet, regardless of protocol:
>>> ##
>>> 11.1 If the payment application sends, or facilitates sending, 
>>> cardholder data over public networks, the payment application must 
>>> support use of strong cryptography and security protocols
>> [snip]
>> 
>> --
>> -JH
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> 
> 
> 



