PCI compliance & VOIP

smo

Free Member
Apr 3, 2010
2,095
336
Devon
I was specifically asked today whilst going through PCI compliance (to determine which SAQ I fill in) if our telephone lines are "proper lines" or VOIP computer lines?

Why?? Does using VOIP lines pose such a big problem that PCI compliance becomes more in-depth/tricky/expensive?
 

Ben8472

Free Member
Mar 11, 2009
125
33
Standard VOIP is not secure, someone with access to the network can packet sniff and listen to the call (in fact Wireshark and similar packages have this feature built in making it possible to intercept a call with one click with absolutely no technical skills needed).

I am not saying avoid VOIP, it's great, but speak to your provider about encryption options (there are several options for secure SIP).

As for how this relates to PCI compliance, I will let someone else advise you here. We don't take payments over the phone so it's not a question which has ever come up.

Ben
 

cjd

Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    As far as I'm aware, there are no VoIP specific issues for PCI and would like to hear of them if someone thinks that there are.

    As for VoIP being insecure, that's a bit of a nonsense. Anyone with two crocodile clips can listen to your calls on an ordinary phone from outside your house.

    To be able to intercept a VoIP call you have to know what you're doing and when to do it AND have physical access to your network - all far easier with a normal phone.
     

    smo

    Free Member
    Apr 3, 2010
    2,095
    336
    Devon
    I don't know if there are issues or not, but PCI compliance makes a specific point of asking if you have real or VOIP phones as it has a bearing on the SAQ you file; presumably they see it as a risk, just the same as everything else in PCI compliance!!
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    That's because it is a risk.

    The fact remains a VOIP call travels over the internet and through several different networks owned by several different companies before finally arriving at the VOIP provider.

    Any of these networks can become the interception point? Yes?

    As for knowing when to monitor the packets, you don't have to, you can setup a script which monitors for RTP and automatically begins storing the media packets for playback later.

    Am I wrong? I am by no means a networking expert, perhaps one could comment?

    Also, the whole point of SSL for web site card payments was that someone could packet sniff the HTTP request and grab the credit card details on a network in between you and the shop.

    This is exactly the same problem surely?

    I am in no way against VOIP, I use it myself, however I think it's a little silly to say VOIP is secure simply because someone can listen to your PSTN calls from outside your house with a crocodile clip.

    Ben
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    "Requirement #4: Encrypt transmission of cardholder data across open, public networks"

    This is one of the requirements of PCI.

    You can argue it all you like, a VOIP call with card details discussed is a "transmission of cardholder data over an open, public network."

    Therefore it needs to be encrypted - plain and simple.

    Ben
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    I think it's safe to say BT will not send IP calls over the internet to other telcos - it will go over a private peer, I would assume.

    Anyway - encryption options exist for VOIP, just some providers are yet to implement them for whatever reason.

    Ben
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    I think you're getting confused.

    No-one is saying that VoIP is secure or insecure. If you want a secure conversation on a public telephone, use an encrypted VoIP service - at least it's possible with VoIP; without VoIP the only way it can be done is by using expensive equipment at both ends of the telephone call.

    If you are sending credit card details over the Internet it needs to use https or equivalent. That has nothing to do with VoIP - that's a web transaction.

    All telephone calls pass through several providers and virtually all calls are now VoIP at some point because BT now translates a TDM call into an IP call in its main network.

    Someone has got their wires crossed somewhere.

    Smo, can you give me more information and I'll follow it up properly - pm me if you prefer.

    Short, non-techie, item on VoIP security here:
    http://voipfoneuserforum.com/viewtopic.php?f=8&t=3947
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    CJD - I was comparing sending card details over HTTP without SSL to an unsecured VOIP conversation where card details are given.

    The security concerns are the same with both.

    SSL is required to prevent packet sniffing, the same requirement has to exist for VOIP if card details are being given during the call. If it's not a requirement I would be highly surprised.

    Ben
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    Correct - normal phone lines are not encrypted.

    But does a normal PSTN telephone call go over the internet at any point?

    E.g. does it pass through many networks? I don't think it does.

    Even if BT convert TDM to VOIP, they don't then route it through the internet? That's the point I am trying to make.

    Surely it will go over their own network or if it's for another telco, it will go over a private interconnect? Surely it won't go via the public network?

    Perhaps you could explain this part in more detail CJD.

    Ben
     

    smo

    Free Member
    Apr 3, 2010
    2,095
    336
    Devon
    CJD - Sadly I don't have any further details to give; it simply came up when talking to SecurityMetrics (as recommended by HSBC) about our PCI compliance requirements.

    I was asked about the phone lines we have as we take card details over the phone. Currently, although we have a VOIP line from yourselves, it's simply a redirection of an old number to an answerphone; our active lines are still on the "old school" system!!

    It poses an interesting point as to what hoops we would have to jump through if we were to change over to full VOIP lines.
     

    andygambles

    Free Member
    Jun 17, 2009
    2,616
    687
    Scarborough
    But does a normal PSTN telephone call go over the internet at any point?

    I was not aware we were discussing PSTN. But then there is the new "Featureline" products which are basically virtual PSTN. So internal calls do go over the public network.

    I think the whole PCI thing has gone mad. We need to balance security with usability, risk and cost.

    I can store un-encrypted card details on a piece of paper which can be stored in an unlocked cupboard but the moment I put it on a computer it is less secure?
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    But does a normal PSTN telephone call go over the internet at any point?

    E.g. does it pass through many networks? I don't think it does.

    BT has converted its main exchanges to IP. They now carry virtually all call traffic across their network as VoIP.

    Of course calls traverse networks; if you call France or a UK mobile it travels across several. If you're a Talk Talk or Sky customer it uses their equipment in a BT exchange. If you use a non-BT provider or are calling someone on a non-BT telephone number they'll interconnect with any one of several network wholesalers. There are interconnect gateways all over the place - the idea that telephone calls are point to point BT disappeared donkey's years ago.

    But even when it was just BT, any BT engineer could intercept a call at dozens of places in the network from the pole outside your house to the cabinet in the street and the clockwork in the exchange.

    Even if BT convert TDM to VOIP, they don't then route it through the internet? ...Surely it will go over their own network or if it's for another telco, it will go over a private interconnect? Surely it won't go via the public network?

    You're making a distinction between the public Internet (the network of interconnected networks) and a private one (this mostly means peered networks). Something like Skype uses the public Internet, we don't. But even BT peers with dozens of 3rd party providers - we have direct peering with BT at two locations. But none of this makes any difference, all networks are owned by someone and an employee with the knowledge and equipment could sniff any connection - this includes BT.
     

    smo

    Free Member
    Apr 3, 2010
    2,095
    336
    Devon
    Unlocked cupboard huh Andy - I think you need to check up on that, it definitely states secure storage for written card numbers; unlocked doesn't cut it!

    As for the PSTN over internet, it raises an interesting point as of course that poses as much potential threat as VOIP really, as that is what it is at that point, but as PCI don't care/haven't cottoned onto it yet I'm not going to cause extra trouble for myself!!
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    Thank you CJD but you haven't really told me anything I didn't already know.

    I don't think it's worth debating this further. My opinion remains the same. Standard PSTN is more secure than unencrypted VOIP and in my opinion, you shouldn't be taking card details over unencrypted VOIP.

    The requirements are clear, unencrypted cardholder data must not be transmitted over an open, public network. This is exactly what unencrypted VOIP over the internet is. If the card details are given in the call, it's a transmission of the card details.

    I would advise anyone who needs advice on PCI compliance and VOIP to contact a CISSP or similar qualified person or speak to a specialist PCI company. I am not qualified in the field but I am quite sure everything I have said is accurate.

    I certainly wouldn't take advice from a VOIP provider on the matter.

    Ben
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    The requirements are clear, unencrypted cardholder data must not be transmitted over an open, public network

    The everyday telephone network is called the PSTN, the Public Switched Telephone Network. It's unencrypted and it's open. It never was secure and it still isn't.

    VoIP simply uses a different technology to do exactly the same job.

    Now explain why there's a PCI issue with one but not the other.
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    I didn't say PSTN was secure, I said it was "more secure" than unencrypted VOIP.

    Surely a PSTN call, even though it may pass through an "open, public network" at some point, surely the path will often be the same? E.g. a call from a BT customer to a Virgin Media customer will ordinarily take the same path? So you could argue it's easier to control security?

    With VOIP over the internet, surely the path taken and networks passed through differs for every user depending on who their ISP is?

    Not to mention other factors such as congestion or downtime which could result in BGP routing the data packets through a number of different transit providers.

    My point is, surely there are more networks involved with VOIP over the internet than a PSTN call between two telcos? Therefore it's most certainly less secure.

    Please don't take this as an attack on VOIP. I use VOIP and I am a huge fan of Voipfone :)

    As for your question, CDJ, perhaps you should put that to the PCI Security Standards Council. I agree you could argue the PCI requirement applies to both.

    Ben
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    Please don't take this as an attack on VOIP. I use VOIP and I am a huge fan of Voipfone :)

    None taken :)

    As for your question, CDJ, perhaps you should put that to the PCI Security Standards Council. I agree you could argue the PCI requirement applies to both.

    We use VoIP - obviously - and we have to be PCI compliant - equally obviously. We've never heard of this before. I'm assuming it's just a misunderstanding. If not, I'll get the industry trade body to take it up with them.
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

    There is a specific PCI document involving the security of card details over the phone and a section which specifically relates to VOIP.

    Page 9

    "Using strong encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:

    - Both wired and wireless networks used by at-home/remote agents and supervisors. For example, via a Virtual Private Network (VPN) with SSL/TLS. Please note that Wired Equivalent Privacy (WEP) protocol is no longer permissible as a security control for wireless networks.

    - Any public network segments used to carry or send screen or voice recordings.

    - Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used."

    Pretty much confirms it.

    Ben
     

    the locksmith

    Free Member
    Mar 31, 2010
    205
    42
    Edinburgh
    I await the outcome of this discussion with interest.

    I take cards over the phone and then use my PC as a virtual terminal to send it all thru' to Barclaycard EPDQ. I was obliged to go thru' SecurityMetrics for PCI etc and they specifically told me that if I used my mobile to take the customers' details and card numbers etc that was fine but they were not happy about me using my VoIP line. I did ask why but their answer was pretty vague.
    (I am most certainly not knocking VoIP as it is the best thing since sliced bread and cannot speak highly enough of Voipfone.)
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    I've sent this damn document to the ITSPA Security Working Group, I expect a small explosion.

    Thanks for bringing it up all.

    (mobiles are secure are they? Pfnrrr)
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    Oops - I didn't mean to cause a small explosion - I promise :)

    Surely the ITSPA would have been contacted by PCI? The rules specifically relating to VOIP were added to the PCI framework 5 months ago (in the March 2011 revision of the code). That's quite some time.

    Anyway - best of luck sorting it.

    Ben
     

    smo

    Free Member
    Apr 3, 2010
    2,095
    336
    Devon
    It's important that this gets addressed though.

    Whilst I'd rather not have extra work, it seems daft having to secure everything to the Nth degree and then having an unsecured IP line to transmit (verbal) data.

    They either need to clarify the position, or back off and accept it's really no different to any other telephone system. I guess their worry is that packet sniffing is a lot easier to perform, and hide, than sitting at the end of the road listening to the physical PSTN lines!
     

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    smo - Exactly.

    PCI are absolutely correct in insisting VOIP is encrypted. I am simply stunned they didn't insist on it sooner. It was an obvious one.

    Anyway - the main thing is that the relevant people are now aware and I am sure it will be sorted, e.g. by implementing encryption or not taking card details over a VOIP line. :)


    Ben
     
    Ben

    As a service provider we have looked at the PCI DSS requirements and over the last year have developed solutions to fit.

    There are two ways to use VoIP and be PCI compliant. The first is to encrypt all the media and signalling using sRTP and TLS. We support both these protocols natively on our network. This will not only encrypt the voice stream but also the DTMF tones and such for people entering credit cards etc.

    The second is to use a private IP connection with no publicly addressable IP address. Once again we can provide these as well. Of course you could also encrypt the call over a private IP address link for extra security if you wanted.

    At VoIP.co.uk we have embraced the new PCI regulations and have worked hard to provide solutions to fit them. If you or anyone else would like to have a chat about this please drop me a message.

    Kind Regards

    Simon Wright

    VoIP.co.uk
     
    Ben

    Yes I agree with you also.

    That is why we as a service provider have embraced the PCI regulations and have launched an encrypted SIP service using TLS and sRTP. This not only encrypts the media (voice) but also the signalling. This means the DTMF tones are encrypted as well so when people key in their credit card number this is encrypted too.

    We are working with some of the major manufacturers as we speak to raise the awareness of the PCI issue and also with some merchants.

    Regards

    Simon
     
    I assume all of this really only applies if you are taking credit card orders over the phone? If not then it's not an issue. It's the same with e-mail. E-mail is inherently totally insecure. It's much simpler to intercept an e-mail than it is to intercept a VoIP call, but I would guess that many PCI compliant companies use e-mail (only not for sending such things as credit card information).
     
    PCI DSS covers payments in general. The majority will be cards but it could be applied to bank account transfers when you have to enter your account details etc.

    Where we have seen the greatest risk is DTMF tones. This is where you type in your card number to the "automated assistant". Without encryption these are sent in the clear and can easily be captured with the correct software.
     
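A defender-side check for the two properties Simon describes above (SIP signalling over TLS, media over sRTP, with DTMF digits inside the encrypted stream), written as an added example for this thread rather than code from any provider named in it. It parses a SIP INVITE's Via header and SDP offer; the INVITE fixtures, the example.com/192.0.2.10 addresses and the SDES key are constructed placeholders.

```python
import re

def build_invite(transport, proto, keying=""):
    """Constructed INVITE + SDP fixture for this example, not a real capture."""
    return (
        "INVITE sip:ivr@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "Content-Type: application/sdp\r\n\r\n"
        "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
        f"m=audio 49170 {proto} 0 101\r\n" + keying +
        "a=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\n"
    )

# SIP over UDP offering plain RTP, with DTMF (RFC 4733 telephone-event) on it.
PLAIN_INVITE = build_invite("UDP", "RTP/AVP")
# The setup the thread recommends: SIP over TLS plus SRTP keyed by SDES (RFC 4568
# a=crypto). The inline key here is a placeholder, not a real key.
SECURE_INVITE = build_invite("TLS", "RTP/SAVP",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY\r\n")

def signalling_transport(headers):
    """Transport named in the top Via header (UDP, TCP, TLS, ...), or None."""
    for h in headers:
        m = re.match(r"Via:\s*SIP/2\.0/(\w+)", h, re.I)
        if m:
            return m.group(1).upper()
    return None

def media_sections(sdp):
    """One dict per m= line: transport profile, SRTP keying seen, DTMF offered."""
    sections, cur = [], None
    for line in sdp:
        if line.startswith("m="):
            f = line[2:].split()  # <media> <port> <proto> <fmt>...
            cur = {"media": f[0], "proto": f[2], "keyed": False, "dtmf": False}
            sections.append(cur)
        elif cur is None:
            continue  # session-level lines (a session-level a=fingerprint is not tracked here)
        elif line.startswith(("a=crypto:", "a=fingerprint:")):  # SDES or DTLS-SRTP keying
            cur["keyed"] = True
        elif re.match(r"a=rtpmap:\d+ telephone-event/", line):  # RFC 4733 DTMF events
            cur["dtmf"] = True
    return sections

def audit(msg):
    """Return (code, detail) findings; empty means TLS signalling and keyed SRTP."""
    head, _, body = msg.partition("\r\n\r\n")
    transport = signalling_transport(head.split("\r\n"))
    findings = []
    if transport != "TLS":
        findings.append(("SIP_NOT_TLS", f"signalling over {transport}: SIP headers readable in transit"))
    for s in media_sections([ln for ln in body.split("\r\n") if ln]):
        if "SAVP" not in s["proto"]:  # RTP/AVP or RTP/AVPF: cleartext media
            findings.append(("MEDIA_NOT_SRTP", f"{s['media']} offered as {s['proto']}: voice in the clear"))
            if s["dtmf"]:
                findings.append(("DTMF_IN_CLEAR", "telephone-event on cleartext RTP: keyed card digits exposed"))
        elif not s["keyed"]:
            findings.append(("SRTP_NO_KEYING", f"{s['media']} is SRTP but no a=crypto/a=fingerprint offered"))
    return findings

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit(msg) or "OK")
```

Run against the plain fixture it reports all three gaps; against the TLS + sRTP fixture it reports nothing, and an RTP/SAVP offer with no key exchange is flagged separately.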

    Ben8472

    Free Member
    Mar 11, 2009
    125
    33
    How many SIP phone models support these methods? Do you have some stats for me? :)

    You are using SRTP with AES instead of DES? Surely this decreases the number of compatible endpoints even further?

    Hardly a perfect solution, Simon.

    I am sure your product has its place and that you are a reputable company, but it really does look a little unpro hijacking a 2 month old thread to plug your product. One might say a little... desperate...

    Ben

    Ben

    That was exactly what I was suggesting. Go secure, e.g. use TLS and sRTP and then you are compliant with PCI DSS.

    Now for a bit of a plug....

    We offer TLS and sRTP on our trunking service.


    Regards

    Simon
     
    Ben

    As a company we mostly provide trunks through our reseller base to IP PBX systems. However, saying this, we have tested Cisco (SPA and Classic) and Snom handsets and they work fine. There are others but I will have to consult my technical staff for a full list. In fact we have become the first Snom Advanced SIP Trunk Partner in the UK due to our TLS and sRTP features.

    As for PBX systems we have once again tested Cisco (UC500 and Upwards), Snom One and they are fine. As for Avaya, ShoreTel etc we can support these with an SBC to handle the encryption.

    As for desperation, far from it. We are working very closely with the major manufacturers at the moment, as well as merchants, writing some guidelines for the usage of VoIP in PCI DSS situations.

    Also there have been some press releases by manufacturers, with us, with more on the way to highlight the issue also.

    We are having a launch event in London at the end of the month with most of the major manufacturers, some merchants, channel press, key partners etc.

    Hope that answers your questions.

    Kind Regards

    Simon
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    Isn't it about time you guys joined ITSPA? We'd love to have you and you'd do yourselves some good.
     
    At present we are busy working with the major manufacturers and as such are becoming a recommended supplier to their partners. We already have all the best practice procedures you highlight at the ITSPA in place. I really do not see a need at the moment to join. Thank you for the invite but at this time we are very busy with other things.
     

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,425
    www.voipfone.co.uk
    I really do not see a need at the moment to join. Thank you for the invite but at this time we are very busy with other things.

    The need is to support the new industry - only takes a minute to write a cheque ;-)
     
    I am very sorry but I cannot see the business case for joining. To be honest, all I can see on the ITSPA website is a lot of awards being handed out to each other. We are not really interested in things like this.
    We already have all the best practices in place that you highlight anyway, and I prefer to build the business by good solid hard work and quality to our customers.
     