Earlier this year the PCI Security Standards Council issued guidance on how to protect card data when taking payments over the telephone. Part of this guidance was information on how to handle telephone calls using voice over IP.
The guidance states that "Call centres will need to ensure that transmission of cardholder data across public networks is encrypted".
This is part of PCI DSS Requirement 4 and includes:
- Using strong encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:
- Both wired and wireless networks used by at-home/remote agents and supervisors. For example, via a Virtual Private Network (VPN) with SSL/TLS. Please note that Wired Equivalent Privacy (WEP) protocol is no longer permissible as a security control for wireless networks
- Any public network segments used to carry or send screen or voice recordings
- Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used
- Requiring agents to use analog telephone lines when a VoIP telephone system does not provide strong cryptography
Why is this requirement in place?
The reason it is there is that cardholder data is very easy to extract from VoIP calls if you have access to the data stream. The favourite tool of anyone who works with networks is Wireshark, a free and extremely powerful protocol analyser. Wireshark can capture network traffic and pull the voice calls out of it. With VoIP calls, DTMF key presses are normally sent out of band as RTP telephone-event packets (RFC 2833, since replaced by RFC 4733) rather than as audio tones, because codec compression can distort in-band tones. A caller keying a card number into an IVR therefore produces a plain sequence of digit events on the wire, which Wireshark decodes and displays as shown in the picture below:
It is also very easy to create a recording of the call from Wireshark as shown in this example screen grab:
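To show what "the DTMF is in the clear" means in practice, here is an added example (not code from the original post and not part of Wireshark) that does by hand what Wireshark's dissector does: it parses raw RTP packets, picks out the telephone-event payload and reconstructs the keyed digits. The RTP packets are constructed inline to stand in for a capture; the payload type 101 is an assumption (the real value is whatever the SDP negotiates for telephone-event).

```python
import struct

# Dynamic payload type for telephone-event. The real value is negotiated in
# the SDP (a=rtpmap:101 telephone-event/8000); 101 is an assumption here.
TELEPHONE_EVENT_PT = 101

# RFC 4733 event codes 0-15 map to the DTMF keypad characters.
EVENT_CHARS = "0123456789*#ABCD"


def build_event_packet(seq, ts, ssrc, event, end, duration, marker=False, pt=TELEPHONE_EVENT_PT):
    """Build one RTP packet carrying a telephone-event payload (constructed test data)."""
    b0 = 0x80                                  # V=2, P=0, X=0, CC=0
    b1 = (0x80 if marker else 0) | pt          # marker bit + payload type
    header = struct.pack("!BBHII", b0, b1, seq, ts, ssrc)
    flags = (0x80 if end else 0) | 10          # E bit, R=0, volume = -10 dBm0
    payload = struct.pack("!BBH", event, flags, duration)
    return header + payload


def simulate_keypad(keys, pt=TELEPHONE_EVENT_PT):
    """Constructed capture of a caller keying digits: each key press becomes a
    marker packet, three interim updates and the end packet repeated three
    times, all sharing one RTP timestamp as RFC 4733 requires."""
    packets = []
    seq, ts, ssrc = 1000, 160000, 0xDEADBEEF
    for key in keys:
        event = EVENT_CHARS.index(key)
        for i in range(4):                     # start packet then updates, 20 ms apart
            packets.append(build_event_packet(seq, ts, ssrc, event, False,
                                              160 * (i + 1), marker=(i == 0), pt=pt))
            seq += 1
        for _ in range(3):                     # end packet sent three times for loss tolerance
            packets.append(build_event_packet(seq, ts, ssrc, event, True, 800, pt=pt))
            seq += 1
        ts += 1600                             # 100 ms press + 100 ms gap before the next key
    return packets


def extract_dtmf(packets, pt=TELEPHONE_EVENT_PT):
    """Recover the keyed digits from raw RTP packets. Each event is reported
    once, on its end packet, keyed by (SSRC, timestamp) so that the redundant
    end packets are not double counted."""
    digits = []
    seen = set()
    for pkt in packets:
        if len(pkt) < 12:
            continue
        b0, b1, _seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
        if b0 >> 6 != 2 or (b1 & 0x7F) != pt:
            continue                           # not RTP v2, or not the telephone-event stream
        offset = 12 + 4 * (b0 & 0x0F)          # skip the CSRC list
        if b0 & 0x10:                          # RTP header extension present
            if len(pkt) < offset + 4:
                continue
            ext_words = struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
            offset += 4 + 4 * ext_words
        if len(pkt) < offset + 4:
            continue
        event, flags, _duration = struct.unpack("!BBH", pkt[offset:offset + 4])
        if flags & 0x80 and (ssrc, ts) not in seen:
            seen.add((ssrc, ts))
            digits.append(EVENT_CHARS[event] if event < len(EVENT_CHARS) else "?")
    return "".join(digits)


if __name__ == "__main__":
    capture = simulate_keypad("4111111111111111#")
    print(f"{len(capture)} RTP packets, recovered keys: {extract_dtmf(capture)}")
```

Nothing here is cryptanalysis: a 16-byte struct unpack per packet is all it takes, which is why the guidance treats an unencrypted RTP stream on a public or shared network as exposed cardholder data.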
What can you do to protect yourself?
1. Don't use VoIP
The easiest protection is not to use VoIP for agents taking cardholder payments and to use analog telephone lines instead: tapping an analog line requires physical access to that particular line, whereas an unencrypted IP voice stream can be captured from any point on the network path it crosses.
2. Protect access to the network
This is very difficult to do, as agents and many other people have physical access to the network and can plug in any device they want. You can attempt to mitigate this with MAC filtering on the network switches, but MAC addresses are easy to spoof. Port authentication (802.1X) and a dedicated voice VLAN raise the bar further, but they only control who can join the network, not what someone already on it can capture, so they do not remove the need for encryption.
3. Use strong encryption
It is possible to use SRTP to encrypt the media streams (which carry both the audio and the RFC 2833 DTMF events) and SIP over TLS to encrypt the signalling. Note that TLS on its own protects only the signalling: the media still travels as plain RTP unless SRTP is negotiated as well. The two also depend on each other, because with the common SDES key exchange the SRTP key is carried in the SDP body of the INVITE, so signalling that is not protected by TLS exposes the media key too. The problem is that support for SRTP and TLS is not yet available from all equipment providers, and progress on this seems to be slow.
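The following added check (example code, not from the original post) makes the dependency between the two protections concrete: it inspects a SIP INVITE and its SDP and reports whether the signalling is in the clear, whether the media is offered as plain RTP/AVP, and whether an SRTP (SDES) key is being sent inside unprotected signalling. The three INVITEs are constructed for the example; the hostnames, addresses and the key are placeholders, and the finding codes are this example's own naming.

```python
import re

# Constructed SDP bodies (not from any real capture): plain RTP, and SRTP with
# the key offered in-band via SDES (RFC 4568) as most phones and PBXs do.
SDP_BODY_PLAIN = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)
SDP_BODY_SDES = SDP_BODY_PLAIN.replace("RTP/AVP", "RTP/SAVP") + (
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32\r\n"
)


def invite(transport, sdp):
    """Wrap an SDP body in a minimal SIP INVITE sent over the given transport."""
    return (
        "INVITE sip:payments@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} agent-phone.example.com;branch=z9hG4bK776asdhds\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
        "\r\n" + sdp
    )


INVITE_PLAIN = invite("UDP", SDP_BODY_PLAIN)       # cleartext signalling, cleartext media
INVITE_SDES_UDP = invite("UDP", SDP_BODY_SDES)     # SRTP, but its key is readable in the INVITE
INVITE_SDES_TLS = invite("TLS", SDP_BODY_SDES)     # SRTP key carried inside TLS


def check_media(section, transport):
    """Findings for one m= section, given the transport the INVITE arrived on."""
    media, _port, profile = section[0][2:].split()[:3]
    has_sdes = any(line.startswith("a=crypto:") for line in section)
    has_dtls = any(line.startswith("a=fingerprint:") for line in section)
    if "SAVP" not in profile:
        return [f"MEDIA_CLEARTEXT:{media}"]        # RTP/AVP: voice and RFC 2833 digits in clear
    if has_sdes and transport != "TLS":
        return [f"SDES_KEY_EXPOSED:{media}"]       # SRTP key travels in unencrypted SDP
    if not has_sdes and not has_dtls:
        return [f"SAVP_WITHOUT_KEY:{media}"]       # secure profile offered with no key exchange
    return []                                      # SDES inside TLS, or DTLS-SRTP (keys on media path)


def audit_invite(msg):
    """Return finding codes for a SIP INVITE; an empty list means the
    signalling is TLS-protected and every media line is SRTP with a key
    exchange that does not leak on the wire."""
    head, _, body = msg.partition("\r\n\r\n")
    findings = []
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    if transport != "TLS":
        findings.append("SIGNALLING_CLEARTEXT")    # INVITE, including the SDP, readable on the wire
    section = None
    for line in body.splitlines():
        if line.startswith("m="):
            if section:
                findings.extend(check_media(section, transport))
            section = [line]
        elif section is not None:
            section.append(line)
    if section:
        findings.extend(check_media(section, transport))
    return findings


if __name__ == "__main__":
    for name, msg in (("plain", INVITE_PLAIN), ("sdes/udp", INVITE_SDES_UDP), ("sdes/tls", INVITE_SDES_TLS)):
        print(f"{name}: {audit_invite(msg) or 'OK'}")
```

The middle case is the one that catches people out: the phone shows a padlock because SRTP is on, yet anyone who captured the INVITE over UDP has the key and can decrypt the media. A real audit would also reject weak or null crypto suites; this example checks only the presence and exposure of the key exchange.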
In summary, you need to be very careful if you intend to take card payments over the phone and you have a voice over IP system. It is very easy for someone with physical access to your network and the ability to use Google to capture and record VoIP calls.
- Does PCI DSS Apply to VoIP? (btsecurethinking.com)