Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of requirements designed to secure and protect customer payment data, as most security breaches could be avoided if merchants:
- Remove sensitive authentication data and limit data retention
- Protect the perimeter, internal and wireless networks
- Secure applications
- Protect through monitoring and access control
Payment card providers work alongside the PCI Standards council to establish the current requirements. The requirements are documented and publicly available on the Security Standards Council Website
VoIP and PCI DSS
The Security Standard clearly states that sensitive data should use strong cryptography and security protocols (when transiting an ‘out of scope’ network). Clearly voice calls and therefore VoIP traffic can contain credit card information and in addition the DTMF tones which are used when pressing telephone keys may contain credit card details. SIP Trunks are therefore within scope and should be considered as part of the merchants security plan. Requirement 4 from PCI DSS
Qualified Security Assessor (QSA)
Some PCI Compliance tests are concerned with ensuring that the access to credit card information should be limited on a ‘need to know basis’, and access to machines that carry information should be limited and controlled by procedure. Both points reduce the risk of credit card information being captured and falling in to the wrong hands. “IP address” scans that form part of some PCI compliance tests may be made against VoIP systems. This is to establish whether the system is at risk of being compromised by an attacker who for example – may be able to install a call logger, or call recorder without the merchants knowledge in order to to capture credit card information.
VoIP.co.uk have a solution for any customer concerned about voice security, whether making/taking a credit card payment, calling the bank, or just wanting to know that calls are not being evesdropped.
The transmission of sensitive information over a public network should be encrypted:-
- VoIP.co.uk’s secured SIP trunking
VoIP.co.uk’s secured SIP trunking services offers TLS/SRTP support which encrypts voice calls. A compatible PBX system or SIP endpoint/telephone is required. Our TLS/SRTP solution encrypts the call signalling and media using strong AES based cypher suites. Our secure platform has non-secure components and protocols disabled, so calls are always encrypted when using this system.
- VoIP.co.uk’s Direct Access Circuits
VoIP.co.uk’s Direct access circuits offer no public access and are for use only with the customers voice traffic only. As a result our circuits are immune from remote access attempts and also DDOS (Distributed Denial of Service) attacks.
- Network Encryption
VoIP.co.uk offers Classic IPSEC VPN connections to our datacentre for customers requiring up to 20 channels
- Secure SIP Gateways
VoIP.co.uk provide SIP-SIP gateways for any sized requirement
PCI Standards Council Document Library
Barclaycard guidance for merchants