“Securing Voice over IP traffic in a payment environment: is there an elephant in the call centre?”

Having just returned from the PCI SSC annual community meeting in Dublin, I was interested to hear just what topics were on the minds of the delegates. During the various breakout sessions and Q&A discussions, the subject of securing voice traffic delivered into a PCI compliant environment using Voice over IP technology was mentioned. It is interesting to hypothesise just how potential weaknesses in the technology (which is hardly considered “new” anymore) may be a threat vector and a route to a card data compromise.

The stance has always been that if you know that a particular delivery method for sensitive data is insecure, you must secure it or cease using it. The industry has talked about securing email and “end user messaging technologies” for years now, and it seems odd that this way of thinking is not applied to the network delivery of voice calls containing sensitive data. Just think how many call centres are out there taking card payments from us day in, day out. How many of these establishments use an unencrypted VOIP session to deliver these calls? Most, if not all, I would hazard a guess.

PCI requirement 4.1 in fact states:

“4.1. Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.”

It does not take a great leap to think about how this requirement applies to a voice network when the traffic is delivered across a public infrastructure. This also touches on other areas within the PCI standard, namely the management of third parties (as the VOIP traffic will invariably be provided by an external entity). Services supplied by external resources that process, transmit or store payment card related data are always in scope; no one would argue the point on that one.
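To make the requirement 4.1 question concrete for a VOIP call, here is an added example (not code from the original post) that inspects a SIP INVITE and reports whether the signalling (the Via transport) and each media stream (the SDP m= line profile) would be encrypted in flight. The sample messages and the function names are constructed for this example.

```python
# Added example, not code from the original post: audit a SIP INVITE to see whether
# the call's signalling and media would be encrypted in flight. Samples are constructed.
from typing import Dict, List

# SRTP transport profiles (RFC 3711, RFC 5764); any other profile is plain RTP.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def _split_sip(msg: str):
    """Split a SIP message into header lines and SDP body lines at the first blank line."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), body.split("\n")

def signalling_transport(msg: str) -> str:
    """Transport from the topmost Via header ('TLS', 'TCP', 'UDP'); 'UNKNOWN' if absent."""
    headers, _ = _split_sip(msg)
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "via" and value.strip():
            sent = value.split()[0]              # e.g. SIP/2.0/TLS
            return sent.split("/")[-1].upper() if sent.count("/") == 2 else "UNKNOWN"
    return "UNKNOWN"

def media_streams(msg: str) -> List[Dict[str, str]]:
    """One entry per SDP m= line: media type, transport profile and verdict."""
    _, body = _split_sip(msg)
    streams = []
    for line in body:
        if line.startswith("m="):
            parts = line[2:].split()             # m=<media> <port> <proto> <fmt>...
            if len(parts) >= 3:
                verdict = "srtp" if parts[2] in SRTP_PROFILES else "cleartext"
                streams.append({"media": parts[0], "proto": parts[2], "verdict": verdict})
    return streams

def audit_invite(msg: str) -> Dict[str, object]:
    """Encrypted in flight only if signalling is TLS and every media stream is SRTP."""
    transport, streams = signalling_transport(msg), media_streams(msg)
    ok = transport == "TLS" and bool(streams) and all(s["verdict"] == "srtp" for s in streams)
    return {"signalling": transport, "streams": streams, "encrypted": ok}

# Constructed samples: a plain-RTP offer over UDP, and the same call protected by TLS + SRTP.
CLEARTEXT_INVITE = ("INVITE sip:agent@callcentre.example SIP/2.0\r\n"
                    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
                    "Content-Type: application/sdp\r\n\r\n"
                    "v=0\r\nm=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")
SECURE_INVITE = CLEARTEXT_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace("RTP/AVP", "RTP/SAVP")
```

Running `audit_invite` over INVITEs captured at the boundary with the VOIP provider gives a quick answer to whether a call centre's card-payment calls actually cross the public network protected or in the clear.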

So, why is everyone ignoring the elephant in the room? At the Dublin PCI community meeting, a brief discussion was had as to where the boundaries lie for the responsibility of the merchant aiming to protect his environment. It is important that we all know where we accept responsibility for the security of an environment and where we hand that over to a competent third party. It just seems to me that at the moment there is no appetite to open the particular can of worms labelled “VOIP”. I wonder what it will take to get the industry to re-think its stance on VOIP; a large data compromise usually does the trick, so it could just be a matter of time.

