[VoiceOps] PCI Compliance and VoIP

Ivan Kovacevic ivank at rogers.com
Thu Oct 20 09:57:56 EDT 2011


That's what we do with most providers and clients to satisfy the PCI requirements for our contact center customers. Cross-connects
and data links are so cheap these days that it's usually a no-brainer. 

If not feasible, we use TLS / SRTP encryption to secure signaling/RTP. 

Best Regards,

Ivan Kovacevic

Star Telecom | www.startelecom.ca  


-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Geoffrey Mina
Sent: October-20-11 9:52 AM
To: Hiers, David
Cc: VoiceOps
Subject: Re: [VoiceOps] PCI Compliance and VoIP

We are probably going to pull a private line from level3 and use them for TF inbound and LD outbound. Should satisfy the requirement
of _not_ traversing the public internet. We are in level3 co-lo so it should be relatively cheap. 

Thanks for everyone's input. 

Geoff Mina
CTO/Co-Founder
Connect First Inc.
720.335.5924
888.410.3071
gmina at ConnectFirst.com

Sent from my iPhone

On Oct 20, 2011, at 7:15 AM, "Hiers, David" <David_Hiers at adp.com> wrote:

> Um, that's kinda the point, actually.
> 
> One of the outcomes of the technical security of the network is to force attacks to occur at the endpoints. There is a much smaller, much more controllable set of people to deal with at the endpoints. You can even establish further controls at the endpoints to make attacks harder to perform, require collusion between multiple parties, limit the scope of a successful attack, and increase the ability to detect attack attempts.
> 
> There will always be a soft spot in the system, you want to move it to where you have lots of "cameras".
> 
> 
> 
> David Hiers
> 
> CCIE (R/S, V), CISSP
> ADP Dealer Services
> 2525 SW 1st Ave.
> Suite 300W
> Portland, OR 97201
> o: 503-205-4467
> f: 503-402-3277
> 
> ###Please note my email address is changing: 
> ###from David_Hiers at adp.com
> ###  to David.Hiers at adp.com
> 
> 
> -----Original Message-----
> From: voiceops-bounces at voiceops.org 
> [mailto:voiceops-bounces at voiceops.org] On Behalf Of Carlos Alcantar
> Sent: Wednesday, October 19, 2011 11:26 PM
> To: VoiceOps
> Subject: Re: [VoiceOps] PCI Compliance and VoIP
> 
> What's really sad about all this is we can make everything as secure as possible using whatever transport method we can think of. But 99% of the fraud is going to come from an employee that has access to the data.
> 
> Carlos Alcantar
> Race Communications / Race Team Member
> 101 Haskins Way, So. San Francisco, CA. 94080
> Phone: +1 415 376 3314  Fax:  +1 650 246 8901 / carlos *at* race.com / 
> www.race.com
> 
> 
> 
> 
> 
> On 10/19/11 5:49 PM, "Jimmy Hess" <mysidia at gmail.com> wrote:
> 
>> On Wed, Oct 19, 2011 at 6:26 PM, Hiers, David <David_Hiers at adp.com> wrote:
>> 
>> That doesn't really "cover" the internet... it just mentions the 
>> internet. "11.1 If the payment application ... the payment 
>> application must support use of strong cryptography and security protocols".
>> 
>> This would mean that the payment application software has to support 
>> encryption of data before emitting it over any public network,  
>> that's entirely agnostic to the nature of the transport, whether it be radio
>> broadcasts, US mail, or carrier pigeons,   the application has to
>> encrypt the message,  no matter whether the message is transmitted 
>> packetized as PCM over a series of IP packets,  analog audio signals, 
>> a .WAV file attached to an e-mail,  or printed on punch cards  for 
>> snail mail.
>> 
>> Modern payment applications don't normally utilize voice  (or punch 
>> cards), however.....
>> 
>> 
>>> This PCI requirement covers the entire Internet, regardless of protocol:
>>> ##
>>> 11.1 If the payment application sends, or facilitates sending, 
>>> cardholder data over public networks, the payment application must 
>>> support use of strong cryptography and security protocols
>> [snip]
>> 
>> --
>> -JH
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> 
> 
> 

