PCI compliance & VOIP

Discussion in 'IT & Internet' started by smo, Aug 1, 2011.

Thread Status:
Not open for further replies.
  1. smo

    smo UKBF Ace Free Member

    2,095 337
    I was specifically asked today whilst going through PCI compliance (to determine what SAQ I fill in) if our telephone lines are "proper lines" or VOIP computer lines?

    Why?? Does using VOIP lines pose such a big problem that PCI compliance becomes more in depth/tricky/expensive?
     
    Posted: Aug 1, 2011 By: smo Member since: Apr 3, 2010
    #1
  2. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    Standard VOIP is not secure: someone with access to the network can packet sniff and listen to the call (in fact Wireshark and similar packages have this feature built in, making it possible to intercept a call with one click with absolutely no technical skills needed).

    I am not saying avoid VOIP, it's great, but speak to your provider about encryption options (there are several options for secure SIP).

    As for how this relates to PCI compliance, I will let someone else advise you here. We don't take payments over the phone so it's not a question which has ever come up.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #2
  3. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,447 3,073
    As far as I'm aware, there are no VoIP specific issues for PCI and would like to hear of them if someone thinks that there are.

    As for VoIP being insecure, that's a bit of a nonsense. Anyone with two crocodile clips can listen to your calls on an ordinary phone from outside your house.

    To be able to intercept a VoIP call you have to know what you're doing and when to do it AND have physical access to your network - all far easier with a normal phone.
     
    Posted: Aug 2, 2011 By: cjd Member since: Nov 23, 2005
    #3
  4. smo

    smo UKBF Ace Free Member

    2,095 337
    I don't know if there are issues or not, but PCI compliance makes a specific point of asking if you have real or VOIP phones, as it has a bearing on the SAQ you file; presumably they see it as a risk, just the same as everything else in PCI compliance!!
     
    Posted: Aug 2, 2011 By: smo Member since: Apr 3, 2010
    #4
  5. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    That's because it is a risk.

    The fact remains a VOIP call travels over the internet and through several different networks owned by several different companies before finally arriving at the VOIP provider.

    Any of these networks can become the interception point? Yes?

    As for knowing when to monitor the packets, you don't have to; you can set up a script which monitors for RTP and automatically begins storing the media packets for playback later.

    Am I wrong? I am by no means a networking expert, perhaps one could comment?

    Also, the whole point of SSL for web site card payments was that someone could packet sniff the HTTP request and grab the credit card details on a network in between you and the shop.

    This is exactly the same problem surely?

    I am in no way against VOIP, I use it myself, however I think it's a little silly to say VOIP is secure simply because someone can listen to your PSTN calls from outside your house with a crocodile clip.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #5
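The "script which monitors for RTP and stores the media packets" that Ben describes above is not hard to write, which is the practical point about unencrypted VoIP. The following is an added example, not code from the thread or from any VoIP provider: it parses RFC 3550 RTP headers from UDP payloads and reassembles each stream (keyed by SSRC) in sequence order, dropping duplicates and handling the 16-bit sequence wrap. The datagrams it consumes are constructed inline with the `make_rtp()` helper; on a real capture they would come from a pcap filter such as `udp` fed through the same `parse_rtp()` function.

```python
"""Parse RFC 3550 RTP headers from captured UDP payloads and reassemble
each SSRC's media stream in sequence order.

Added example, not code from the forum thread or from any provider. The
datagrams below are constructed, not captured from a live network.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Static audio payload types from RFC 3551; 96-127 are dynamic (see SDP a=rtpmap).
PAYLOAD_TYPES = {0: "PCMU/G.711u", 8: "PCMA/G.711a", 9: "G722", 18: "G729"}


@dataclass
class RtpPacket:
    marker: bool
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(data: bytes) -> Optional[RtpPacket]:
    """Return the parsed packet, or None if the datagram is not RTP version 2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:
        return None  # RTCP (packet types 200-204) shares the header layout; skip it
    cc = b0 & 0x0F
    offset = 12 + 4 * cc  # skip the CSRC list
    if b0 & 0x10:  # header extension present
        if len(data) < offset + 4:
            return None
        ext_words = struct.unpack("!H", data[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(data)
    if b0 & 0x20:  # padding: last byte holds the padding length (itself included)
        end -= data[-1]
    if offset > end:
        return None
    return RtpPacket(bool(b1 & 0x80), pt, seq, ts, ssrc, data[offset:end])


def reassemble(datagrams: Iterable[bytes]) -> Dict[int, dict]:
    """Group packets by SSRC, drop duplicates, and order by 16-bit sequence
    number, rotating at the largest gap so a 65535 -> 0 wrap is handled."""
    by_ssrc: Dict[int, Dict[int, RtpPacket]] = {}
    for d in datagrams:
        pkt = parse_rtp(d)
        if pkt is not None:
            by_ssrc.setdefault(pkt.ssrc, {})[pkt.seq] = pkt  # same seq twice = duplicate
    streams = {}
    for ssrc, by_seq in by_ssrc.items():
        seqs = sorted(by_seq)
        start = 0
        if len(seqs) > 1:
            n = len(seqs)
            gaps = [(seqs[(i + 1) % n] - seqs[i]) % 65536 for i in range(n)]
            start = (gaps.index(max(gaps)) + 1) % n
        ordered = seqs[start:] + seqs[:start]
        first_pt = by_seq[ordered[0]].payload_type
        streams[ssrc] = {
            "codec": PAYLOAD_TYPES.get(first_pt, f"dynamic PT {first_pt}"),
            "packets": ordered,
            "audio": b"".join(by_seq[s].payload for s in ordered),
        }
    return streams


def make_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    """Build a minimal RTP packet (V=2, no CSRC/extension/padding). Used only
    to construct the sample capture; a sniffer would read real datagrams."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


if __name__ == "__main__":
    # Constructed "capture": one G.711u stream delivered out of order with a
    # duplicate, crossing the sequence wrap, plus an RTCP packet and junk.
    capture = [
        make_rtp(65535, 160, 0xDEADBEEF, b"B"),
        make_rtp(1, 480, 0xDEADBEEF, b"D"),
        make_rtp(65534, 0, 0xDEADBEEF, b"A"),
        make_rtp(65535, 160, 0xDEADBEEF, b"B"),  # duplicate
        make_rtp(0, 320, 0xDEADBEEF, b"C"),
        bytes([0x80, 0xC8]) + b"\x00" * 10,  # RTCP sender report header
        b"\x00\x01",  # not RTP at all
    ]
    for ssrc, s in reassemble(capture).items():
        print(f"SSRC {ssrc:08x} {s['codec']}: {len(s['packets'])} packets, "
              f"{len(s['audio'])} bytes of audio")
```

With G.711 the reassembled `audio` bytes are the call: 8 kHz 8-bit samples that any audio tool will play back. Nothing in the code needs a key, which is exactly why a plain RTP/AVP call carrying a card number is a transmission of cardholder data in the clear.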
  6. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    "Requirement #4: Encrypt transmission of cardholder data across open, public networks"

    This is one of the requirements of PCI.

    You can argue it all you like, a VOIP call with card details discussed is a "transmission of cardholder data over an open, public network."

    Therefore it needs to be encrypted - plain and simple.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #6
  7. KM-Tiger

    KM-Tiger UKBF Legend Full Member - Verified Business

    9,797 2,609
    You are probably correct, but aren't BT now using an IP network for the transmission of PSTN calls?
     
    Posted: Aug 2, 2011 By: KM-Tiger Member since: Aug 10, 2003
    #7
  8. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    I think it's safe to say BT will not send IP calls over the internet to other telcos - it will go over a private peer, I would assume.

    Anyway - encryption options exist for VOIP, just some providers are yet to implement them for whatever reason.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #8
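Both Ben's earlier suggestion to "speak to your provider about encryption options (there are several options for secure SIP)" and the note above that "encryption options exist for VOIP" come down to two things you can see on the wire: whether the SIP signalling runs over TLS, and whether the SDP offer negotiates SRTP (RTP/SAVP with SDES or DTLS keying) rather than plain RTP/AVP. The following is an added example, not code from the thread or from any provider: it inspects a SIP INVITE captured from your own phone or PBX and reports what is and is not protected. The two INVITE messages at the bottom are constructed samples, and the parser covers the common message layout only.

```python
"""Check a SIP INVITE and its SDP offer for encrypted signalling and media.

Added example, not code from the forum thread or from any provider. The
sample messages are constructed; run the function on a real INVITE taken
from your own equipment to see what "secure SIP" means on the wire.
"""
import re
from typing import Dict, List

# SDP transport profiles that mean SRTP (RFC 3711, RFC 5764).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def split_message(text: str):
    """Split a SIP message into header lines and body lines."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), (body.strip("\n").split("\n") if body.strip() else [])


def assess_sip_invite(text: str) -> Dict:
    headers, body = split_message(text)
    request = headers[0].split()
    sips = len(request) >= 2 and request[1].lower().startswith("sips:")
    via_tls = any(
        re.match(r"(via|v):\s*SIP/2\.0/(TLS|WSS)\b", h, re.I) for h in headers[1:]
    )
    signalling_encrypted = sips or via_tls

    media: List[Dict] = []
    session_dtls = False
    current = None
    for line in body:
        if line.startswith("m="):
            fields = line[2:].split()
            current = {"type": fields[0], "proto": fields[2],
                       "srtp": fields[2] in SRTP_PROFILES, "keying": None}
            media.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["keying"] = "SDES"  # key material is literally in the SDP (RFC 4568)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_dtls = True     # session-level fingerprint applies to all media
            else:
                current["keying"] = "DTLS"  # DTLS-SRTP: keys exchanged on the media path (RFC 5763)
    for m in media:
        if m["keying"] is None and session_dtls:
            m["keying"] = "DTLS"

    findings = []
    if not signalling_encrypted:
        findings.append("signalling is not over TLS: dialled numbers and the SDP offer are readable in transit")
    for m in media:
        if not m["srtp"]:
            findings.append(f"{m['type']}: plain {m['proto']}, RTP payload can be captured and replayed")
        elif m["keying"] is None:
            findings.append(f"{m['type']}: {m['proto']} offered without a=crypto or a=fingerprint, no key exchange")
        elif m["keying"] == "SDES" and not signalling_encrypted:
            findings.append(f"{m['type']}: SDES key carried in unencrypted SDP, the SRTP key itself is exposed")
    return {"signalling_encrypted": signalling_encrypted, "media": media, "findings": findings}


# Constructed sample messages (not captured from any real system).
PLAIN_INVITE = """INVITE sip:02079460000@voip.example.net SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: <sip:1001@192.0.2.10>;tag=1928301774
To: <sip:02079460000@voip.example.net>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

SECURE_INVITE = (
    PLAIN_INVITE.replace("INVITE sip:", "INVITE sips:")
    .replace("SIP/2.0/UDP", "SIP/2.0/TLS")
    .replace("RTP/AVP", "RTP/SAVP")
    .replace("a=rtpmap:0 PCMU/8000",
             "a=rtpmap:0 PCMU/8000\na=crypto:1 AES_CM_128_HMAC_SHA1_80 "
             "inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")  # dummy key
)

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, "->", assess_sip_invite(msg)["findings"] or ["no findings"])
```

The third finding is the caveat worth remembering when a provider says "we support SRTP": with SDES keying the SRTP key is sent inside the SDP, so if the SIP signalling itself is plain UDP the media encryption can be undone by anyone who captured the INVITE. Either TLS signalling plus SDES, or DTLS-SRTP, closes that gap.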
  9. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,447 3,073
    I think you're getting confused.

    No-one is saying that VoIP is secure or insecure. If you want a secure conversation on a public telephone, use an encrypted VoIP service - at least it's possible with VoIP; without VoIP the only way it can be done is by using expensive equipment at both ends of the telephone call.

    If you are sending credit card details over the Internet it needs to use HTTPS or equivalent. That has nothing to do with VoIP - that's a web transaction.

    All telephone calls pass through several providers and virtually all calls are now VoIP at some point because BT now translates a TDM call into an IP call in its main network.

    Someone has got their wires crossed somewhere.

    Smo, can you give me more information and I'll follow it up properly - pm me if you prefer.

    Short, non-techie, item on VoIP security here:
    http://voipfoneuserforum.com/viewtopic.php?f=8&t=3947
     
    Posted: Aug 2, 2011 By: cjd Member since: Nov 23, 2005
    #9
  10. andygambles

    andygambles UKBF Ace Full Member - Verified Business

    2,627 688
    AFAIK "normal" phone lines are not encrypted either.
     
    Posted: Aug 2, 2011 By: andygambles Member since: Jun 17, 2009
    #10
  11. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    CJD - I was comparing sending card details over HTTP without SSL to an unsecured VOIP conversation where card details are given.

    The security concerns are the same with both.

    SSL is required to prevent packet sniffing, the same requirement has to exist for VOIP if card details are being given during the call. If it's not a requirement I would be highly surprised.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #11
  12. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,447 3,073
    Exactly.......
     
    Posted: Aug 2, 2011 By: cjd Member since: Nov 23, 2005
    #12
  13. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    Correct - normal phone lines are not encrypted.

    But does a normal PSTN telephone call go over the internet at any point?

    E.g. does it pass through many networks? I don't think it does.

    Even if BT convert TDM to VOIP, they don't then route it through the internet? That's the point I am trying to make.

    Surely it will go over their own network or if it's for another telco, it will go over a private interconnect? Surely it won't go via the public network?

    Perhaps you could explain this part in more detail CJD.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #13
  14. smo

    smo UKBF Ace Free Member

    2,095 337
    CJD - Sadly I don't have any further details to give; it simply came up when talking to SecurityMetrics (as recommended by HSBC) about our PCI compliance requirements.

    I was asked about the phone lines we have as we take card details over the phone. Currently, although we have a VOIP line from yourselves, it's simply a redirection of an old number to an answerphone; our active lines are still on the "old school" system!!

    It poses an interesting point as to what hoops we would have to jump through if we were to change over to full VOIP lines.
     
    Posted: Aug 2, 2011 By: smo Member since: Apr 3, 2010
    #14
  15. andygambles

    andygambles UKBF Ace Full Member - Verified Business

    2,627 688
    I was not aware we were discussing PSTN. But then there is the new "Featureline" products which are basically virtual PSTN. So internal calls do go over the public network.

    I think the whole PCI thing has gone mad. We need to balance security with usability, risk and cost.

    I can store un-encrypted card details on a piece of paper which can be stored in an unlocked cupboard but the moment I put it on a computer it is less secure?
     
    Posted: Aug 2, 2011 By: andygambles Member since: Jun 17, 2009
    #15
  16. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,447 3,073
    BT has converted its main exchanges to IP. They now carry virtually all call traffic across their network as VoIP.

    Of course calls traverse networks: if you call France or a UK mobile it travels across several. If you're a Talk Talk or Sky customer it uses their equipment in a BT exchange. If you use a non-BT provider or are calling someone on a non-BT telephone number they'll interconnect with any one of several network wholesalers. There are interconnect gateways all over the place - the idea that telephone calls are point to point BT disappeared donkey's years ago.

    But even when it was just BT, any BT engineer could intercept a call at dozens of places in the network from the pole outside your house to the cabinet in the street and the clockwork in the exchange.

    You're making a distinction between the public Internet (the network of interconnected networks) and a private one (this mostly means peered networks). Something like Skype uses the public Internet, we don't. But even BT peers with dozens of 3rd party providers - we have direct peering with BT at two locations. But none of this makes any difference: all networks are owned by someone, and an employee with the knowledge and equipment could sniff any connection - this includes BT.
     
    Posted: Aug 2, 2011 By: cjd Member since: Nov 23, 2005
    #16
  17. smo

    smo UKBF Ace Free Member

    2,095 337
    Unlocked cupboard huh Andy - I think you need to check up on that, it definitely states secure storage for written card numbers; unlocked doesn't cut it!

    As for the PSTN over internet, it raises an interesting point, as of course that poses as much potential threat as VOIP really, since that is what it is at that point; but as PCI don't care/haven't cottoned onto it yet I'm not going to cause extra trouble for myself!!
     
    Posted: Aug 2, 2011 By: smo Member since: Apr 3, 2010
    #17
  18. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    Thank you CJD but you haven't really told me anything I didn't already know.

    I don't think it's worth debating this further. My opinion remains the same. Standard PSTN is more secure than unencrypted VOIP and in my opinion, you shouldn't be taking card details over unencrypted VOIP.

    The requirements are clear, unencrypted cardholder data must not be transmitted over an open, public network. This is exactly what unencrypted VOIP over the internet is. If the card details are given in the call, it's a transmission of the card details.

    I would advise anyone who needs advice on PCI compliance and VOIP to contact a CISSP or similar qualified person or speak to a specialist PCI company. I am not qualified in the field but I am quite sure everything I have said is accurate.

    I certainly wouldn't take advice from a VOIP provider on the matter.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #18
  19. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,447 3,073
    The everyday telephone network is called the PSTN, the Public Switched Telephone Network. It's unencrypted and it's open. It never was secure and it still isn't.

    VoIP simply uses a different technology to do exactly the same job.

    Now explain why there's a PCI issue with one but not the other.
     
    Posted: Aug 2, 2011 By: cjd Member since: Nov 23, 2005
    #19
  20. Ben8472

    Ben8472 UKBF Regular Free Member

    125 33
    I didn't say PSTN was secure, I said it was "more secure" than unencrypted VOIP.

    Surely a PSTN call, even though it may pass through an "open, public network" at some point, will often take the same path? E.g. a call from a BT customer to a Virgin Media customer will ordinarily take the same path? So you could argue it's easier to control security?

    With VOIP over the internet, surely the path taken and networks passed through differs for every user depending on who their ISP is?

    Not to mention other factors such as congestion or downtime which could result in BGP routing the data packets through a number of different transit providers.

    My point is, surely there are more networks involved with VOIP over the internet than a PSTN call between two telcos? Therefore it's most certainly less secure.

    Please don't take this as an attack on VOIP. I use VOIP and I am a huge fan of Voipfone :)

    As for your question, CJD, perhaps you should put that to the PCI Security Standards Council. I agree you could argue the PCI requirement applies to both.

    Ben
     
    Posted: Aug 2, 2011 By: Ben8472 Member since: Mar 11, 2009
    #20