VoIP.co.uk have released a new product providing encryption on SIP trunks. It addresses the concern that calls can be eavesdropped while in transit on the trunk, whether the call is making or taking a credit card payment, calling the bank, or simply a conversation the parties want kept private.
PCI DSS is a set of requirements designed to secure and protect customer payment card data. Its premise is that most breaches of that data could be avoided if merchants:
- Remove sensitive authentication data and limit data retention
- Protect the perimeter, internal and wireless networks
- Secure applications
- Protect through monitoring and access control
The payment card brands work alongside the PCI Security Standards Council to establish the current requirements. The requirements are documented and publicly available on the PCI Security Standards Council website.
VoIP and PCI DSS
PCI DSS Requirement 4 states that cardholder data must be protected with strong cryptography and security protocols when it is transmitted over open, public networks such as the internet. Voice calls, and therefore VoIP traffic, can contain card details spoken by the caller, and the DTMF tones generated when a caller keys a card number on the telephone keypad carry the same data. On a SIP trunk those digits are normally sent as RTP telephone-event packets (RFC 4733) inside the media stream, or in some cases as signalling messages, so they are exposed wherever the media or the signalling is exposed. SIP trunks carrying such calls across the public internet are therefore within scope and should be considered as part of the merchant's security plan, and both the signalling (SIP) and the media (RTP) need encrypting, not just one of them.
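The following is an added example, not code from the original page or from VoIP.co.uk, showing the check a practitioner would run on a trunk's SDP offer to see whether spoken and keyed card data would actually be encrypted. It assumes the usual SIP trunk design of SRTP (RFC 3711) media with keys exchanged either by SDES (`a=crypto`, RFC 4568) or DTLS-SRTP (`a=fingerprint`); the page does not say which mechanism the product uses. The two SDP bodies are constructed samples, and the `a=crypto` key is the illustrative value from RFC 4568, not a real key.

```python
"""Inspect an SDP body from a SIP offer/answer for PCI DSS Requirement 4 concerns.

Constructed sample SDP offers (not captured from any real system) contrast a
plaintext RTP/AVP trunk with an SRTP (RTP/SAVP, RFC 3711) trunk keyed by SDES
(RFC 4568). RFC 4733 "telephone-event" carries DTMF digits inside the RTP
stream, so a keyed-in card number is only as protected as the media itself.
"""
from __future__ import annotations

from dataclasses import dataclass

# Transport profiles whose media is SRTP rather than plaintext RTP.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


@dataclass
class MediaStream:
    media: str                       # m= media type, e.g. "audio"
    transport: str                   # m= transport profile, e.g. "RTP/AVP" or "RTP/SAVP"
    dtmf_events: bool = False        # a=rtpmap ... telephone-event present (RFC 4733)
    sdes_keys: bool = False          # a=crypto present (SDES key exchange, RFC 4568)
    dtls_fingerprint: bool = False   # a=fingerprint present (DTLS-SRTP, RFC 5763)


def parse_sdp(sdp: str) -> list[MediaStream]:
    """Minimal SDP parser collecting only the attributes that matter for encryption."""
    streams: list[MediaStream] = []
    session_fingerprint = False      # a=fingerprint may appear at session level
    current: MediaStream | None = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()          # <media> <port> <proto> <fmt> ...
            current = MediaStream(media=fields[0], transport=fields[2],
                                  dtls_fingerprint=session_fingerprint)
            streams.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current.dtls_fingerprint = True
        elif current is None:
            continue                           # other session-level lines
        elif line.startswith("a=rtpmap:") and "telephone-event" in line.lower():
            current.dtmf_events = True
        elif line.startswith("a=crypto:"):
            current.sdes_keys = True
    return streams


def assess(sdp: str, signaling_over_tls: bool) -> list[str]:
    """Return findings for one SDP body.

    signaling_over_tls: whether the SIP dialog carrying this SDP used TLS
    (sips: URI / transport=tls). With SDES the SRTP master key travels in the
    a=crypto line in cleartext, so it is only confidential if the signalling is.
    """
    findings: list[str] = []
    for s in parse_sdp(sdp):
        if s.media != "audio":
            continue
        tag = f"{s.media} ({s.transport})"
        if s.transport not in SRTP_PROFILES:
            findings.append(f"{tag}: plaintext RTP; spoken card data is exposed on the trunk")
            if s.dtmf_events:
                findings.append(f"{tag}: RFC 4733 DTMF events in plaintext RTP; keyed card data is exposed")
            continue
        if not (s.sdes_keys or s.dtls_fingerprint):
            findings.append(f"{tag}: SRTP profile without a=crypto or a=fingerprint; no key exchange offered")
        elif s.sdes_keys and not signaling_over_tls:
            findings.append(f"{tag}: SDES key in a=crypto carried over unencrypted SIP; SRTP key is exposed")
    return findings


# Constructed sample: a typical plaintext trunk offer with RFC 4733 DTMF.
PLAINTEXT_OFFER = """v=0
o=pbx 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 10000 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
"""

# Constructed sample: SRTP offer keyed by SDES (key value is the RFC 4568 example).
SRTP_OFFER = """v=0
o=pbx 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 10000 RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32
"""

if __name__ == "__main__":
    for name, sdp, tls in (("plaintext trunk", PLAINTEXT_OFFER, True),
                           ("SRTP over SIP/TLS", SRTP_OFFER, True),
                           ("SRTP over SIP/UDP", SRTP_OFFER, False)):
        print(name, "->", assess(sdp, signaling_over_tls=tls) or ["no findings"])
```

The point the third case makes is the one most often missed on SIP trunks: offering SRTP is not enough if the SDES key exchange rides on unencrypted SIP, because anyone who can read the INVITE can decrypt the media.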
Qualified Security Assessor (QSA)
Some PCI compliance tests are concerned with ensuring that access to credit card information is limited on a 'need to know' basis, and that access to machines carrying that information is limited and controlled by procedure. Both points reduce the risk of credit card information being captured and falling into the wrong hands. IP address scans that form part of some PCI compliance tests may be made against VoIP systems, to establish whether the system is at risk of being compromised by an attacker who may, for example, be able to install a call logger or call recorder without the merchant's knowledge in order to capture credit card information. Note that a PBX or call recorder that legitimately records such calls is itself storing cardholder data and so is also in scope; in particular, recordings that capture the card security code fall under the prohibition on retaining sensitive authentication data after authorisation.