Securing Voice over IP traffic in a payment environment, is there an elephant in the call centre ?
Having just returned from the PCI SSC annual community meeting in Dublin, I was interested to hear just what topics were on the minds of the delegates. During the various breakout sessions and Q&A discussions, the subject of securing voice traffic delivered into a PCI compliant environment using Voice over IP technology was mentioned. It is interesting to hypothesise just how potential weaknesses in the technology (which is hardly considered “new” any more) may be a threat vector and a route to a card data compromise.
The stance has always been that if you know that a particular delivery method for sensitive data is insecure, you must secure it or cease using it. The industry has talked about securing email and “end user messaging technologies” for years now, and it seems odd that this way of thinking is not applied to the network delivery of voice calls containing sensitive data. Just think how many call centres are out there taking card payments from us day in, day out. How many of these establishments use an unencrypted VoIP session to deliver these calls? Most, if not all, I would hazard a guess.
PCI DSS requirement 4.1 in fact states:
“4.1. Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.”
It does not take a great leap to see how this requirement applies to a voice network when the traffic is delivered across public infrastructure. In practice a VoIP call has two halves to protect: the SIP signalling, which sets the call up and (with SDES keying) carries the media keys, and the RTP audio that carries the spoken card number. TLS on the signalling alone leaves the audio in the clear, so the media needs SRTP as well. This also touches on other areas within the PCI standard, namely the management of third parties, as the VoIP traffic will invariably be provided by an external entity. Services supplied by external resources that process, transmit or store payment card related data are always in scope; no one would argue the point on that one.
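As an added example (not code from the original post), here is a small Python check for the point above: it reads a SIP INVITE and reports whether the signalling transport is TLS and whether each SDP media line offers SRTP with a key exchange, so you can tell an unencrypted session from a protected one before arguing about scope. The two INVITE messages are constructed for illustration (the SDES key is the example value from RFC 4568), and the function names are my own.

```python
"""Check whether a SIP INVITE offers protected signalling and media.

Added example, not from the original post. Two things matter for a
card-payment call carried over SIP/RTP:
  * signalling: the transport named in the top Via header (TLS, or UDP/TCP
    in the clear);
  * media: the profile on each SDP m= line (RTP/AVP is plain RTP; profiles
    containing SAVP are SRTP, RFC 3711) and how it is keyed (a=crypto from
    RFC 4568 SDES, or a=fingerprint for DTLS-SRTP).
The SIP messages below are constructed for this example.
"""
import re

# Constructed sample: typical unencrypted call setup (SIP over UDP, plain RTP).
PLAIN_INVITE = """INVITE sip:agent@callcentre.example SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: <sip:customer@example.net>;tag=1928301774
To: <sip:agent@callcentre.example>
Call-ID: a84b4c76e66710@192.0.2.10
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
"""

# Constructed sample: SIP over TLS with SDES-keyed SRTP (key is the RFC 4568 example value).
TLS_SRTP_INVITE = PLAIN_INVITE.replace(
    "SIP/2.0/UDP 192.0.2.10:5060", "SIP/2.0/TLS 192.0.2.10:5061"
).replace(
    "m=audio 49170 RTP/AVP 0 8",
    "m=audio 49170 RTP/SAVP 0 8\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj",
)


def parse_sip(raw: str):
    """Split a SIP message into start line, header dict (lower-cased names) and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_media(sdp: str):
    """Collect each m= section with its profile and the keying attributes that follow it."""
    sections = []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            sections.append({"media": media, "port": port, "profile": profile,
                             "sdes": False, "dtls": False})
        elif sections and line.startswith("a=crypto:"):
            sections[-1]["sdes"] = True          # SDES key carried inside the SDP
        elif sections and line.startswith("a=fingerprint:"):
            sections[-1]["dtls"] = True          # DTLS-SRTP: key agreed on the media path
    return sections


def audit_sip(raw: str) -> dict:
    """Return transport, media sections and a list of findings (empty list = nothing to flag)."""
    _, headers, body = parse_sip(raw)
    via = headers.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"
    findings = []
    if transport != "TLS":
        findings.append(f"signalling over {transport}: call setup readable on the wire")
    media = parse_media(body)
    for sec in media:
        label = f"{sec['media']} on port {sec['port']}"
        if "SAVP" not in sec["profile"]:
            findings.append(f"{label} offered as {sec['profile']}: plain RTP, audio readable on the wire")
        elif sec["sdes"] and transport != "TLS":
            # SRTP is only as strong as its key exchange; SDES keys ride in the SDP body.
            findings.append(f"{label} is SRTP but its SDES key travels in cleartext signalling")
        elif not (sec["sdes"] or sec["dtls"]):
            findings.append(f"{label} is SRTP with no key exchange offered (no a=crypto or a=fingerprint)")
    return {"transport": transport, "media": media, "findings": findings,
            "protected": not findings}


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("tls+srtp", TLS_SRTP_INVITE)):
        result = audit_sip(msg)
        print(name, "->", "OK" if result["protected"] else result["findings"])
```

Feed it INVITEs pulled from a capture at the point where the carrier's trunk enters your environment and you have a quick answer to the question in the post. The third case the check covers is the one that most often slips through an audit: RTP/SAVP with an `a=crypto` line looks encrypted, but if the INVITE itself went over UDP the SRTP key was visible to the same people who could have recorded the audio.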
So, why is everyone ignoring the elephant in the room? At the Dublin PCI community meeting, a brief discussion was had as to where the boundaries lie for the responsibility of a merchant aiming to protect their environment. It is important that we all know where we accept responsibility for the security of an environment and where we hand that over to a competent third party. It just seems to me that at the moment there is no appetite to open the particular can of worms labelled “VoIP”. I wonder what it will take to get the industry to rethink its stance on VoIP; a large data compromise usually does the trick, so it could just be a matter of time.
“C*ber” – are we missing the point?
I have been watching the “C*ber” debate with interest over a number of years, but must now confess to being utterly bored by it. It is an unnecessary distraction. Let me explain:
There appear to be two principal schools of thought associated with Cyber discussions. One school of thought sees the concept of “Cyber” as a new and exciting marketing opportunity; the second comprises practitioners who are bemused by this new discipline and unable to see where it differs from the various information operations that have been part of our lives for the past decades. This second group is often (possibly rightly) frustrated by the subjugation of a discipline that has been their bread and butter for several decades into a superficial marketing concept. They have coined the term C*ber, branding it an informal swear word. I can sympathise with their concern, though I am concerned about the approach.
We need to be a little careful about being either overly sensitive or arrogant about the term. In my opinion we should treat the term cyber much as we treat the term “hoover”: as a convenient though possibly inaccurate term for a concept that has (or ought to have) become a part of everyday life. (My apologies here to those people to whom the Hoover is an alien concept!)
Whilst the actual derivation comes originally (I think, though it matters not) from Dr Who, based on a Greek root kybernetes (steersman), the discipline has moved on. Just as aliens are no longer made from egg boxes, the disciplines supporting the cyber environment have moved on.
For me, Cyber is a generic term describing the digital end of the information spectrum. Like all generic terms, it carries huge dependencies and assumptions, and as a result much of the ground we must cover to bring effect to bear is not strictly digital. This matters not; what does matter is that we identify and manage risks in this space.
Personally, I care less about what the space is called than about what happens in it and how we bring effect to bear to manage risk within it. By trying to define the area too closely, we give ourselves artificial boundaries that our adversaries may not recognise. This is dangerous and foolish, whether in the digital, kinetic or wider information spaces. We should scope according to the context rather than thrashing about in an academic debate about definition.
Whilst I appreciate that it is important to define roles and job specs, anyone who is dependent on a title to do this has much wider problems. Again, this is not just a factor of cyber.
A thought: just as the implementation of information security, though supported by a number of excellent standards and “best practice”, differs widely from context to context, so must “Cyber” activity and its various supporting disciplines.
Another thought: a significant proportion of the people with the term “Cyber” in their job title would find it a much easier nut to crack if they applied existing “kinetic” methodology and doctrine and then looked for the gaps, rather than messing about trying to reinvent a wheel out of egg boxes.
Sorry to be a damp squib, but we should move on and leave those with less confidence to drown in an academic quagmire of their own making.