You probably already know this, but there is no technical logic to the PCI guidelines. It is not a logical process, and the requirements are not conceived by people who really understand how technology and workflows in voice service delivery function. And, in general, if the auditors don't understand it--which they invariably don't--it's not compliant.

So, for instance, with regard to DTMF, you could use SIP INFO for DTMF transmission, and encrypt your signaling (say, with TLS) but not your media. Strictly speaking, that would be secure, since the credit card numbers do not appear either as RTP OOB events in the media stream, or in-band, but rather as signaling artifacts. However, this is way too clever for the kinds of people that get to define the compliance requirements.

More generally, the assumption that PSTN analog or digital lines are inherently secure in ways that the public Internet is not is, of course, ridiculous. In fact, by many accounts, sniffing third-parties' packets is considerably more laborious a chore than bribing ILEC employees to assist in tapping circuits, or going to a junction box with a set of alligator clips. But, as I said, rhyme and reason is not part of the formula.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
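The following is an added illustration of the point made in the message above about where DTMF digits travel; it is not code from the poster, Evariste Systems or the Asterisk project. It builds both carriers a passive sniffer would see on the wire: an RFC 4733 (formerly RFC 2833) telephone-event RTP packet, and a SIP INFO request with an application/dtmf-relay body. It then walks a constructed capture and reports which digits are readable without keys. Assumptions: the telephone-event payload type is 101 (in practice it is negotiated per call in SDP), TLS-protected SIP and SRTP are represented as opaque labels rather than real ciphertext, the addresses and Call-ID are placeholders, and the digit string "4111" is a constructed sample standing in for the start of a card number.

```python
import struct

# RFC 4733 event codes 0..15 map onto these DTMF symbols.
DTMF_EVENTS = "0123456789*#ABCD"
# Dynamic payload type for telephone-event; 101 is common but is negotiated in SDP (assumption).
TELEPHONE_EVENT_PT = 101


def build_rtp_telephone_event(digit, seq, timestamp, ssrc, pt=TELEPHONE_EVENT_PT,
                              end=True, duration=160):
    """Constructed RTP packet carrying one RFC 4733 named telephone event.

    Fixed header (version 2, no padding/extension/CSRCs, marker bit set), then the
    4-byte event payload: event code, E-bit|volume, 16-bit duration.
    """
    header = struct.pack("!BBHII", 0x80, 0x80 | pt, seq, timestamp, ssrc)
    payload = struct.pack("!BBH", DTMF_EVENTS.index(digit), (0x80 if end else 0) | 10, duration)
    return header + payload


def build_rtp_audio(seq, timestamp, ssrc, samples, pt=0):
    """Constructed RTP packet carrying ordinary (PCMU, payload type 0) audio bytes."""
    return struct.pack("!BBHII", 0x80, pt, seq, timestamp, ssrc) + samples


def dtmf_from_rtp(packet, pt=TELEPHONE_EVENT_PT):
    """Return the digit if `packet` is an RTP telephone-event, else None.

    Ordinary audio yields None here; recovering an in-band tone would need tone
    detection (e.g. Goertzel) over the samples, which this example does not attempt.
    """
    if len(packet) < 12:
        return None
    b0, b1 = packet[0], packet[1]
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    if (b1 & 0x7F) != pt:                 # not the negotiated telephone-event type
        return None
    offset = 12 + 4 * (b0 & 0x0F)         # skip CSRC list
    if b0 & 0x10:                         # skip header extension if present
        if len(packet) < offset + 4:
            return None
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    if len(packet) < offset + 4:
        return None
    event = packet[offset]
    return DTMF_EVENTS[event] if event < len(DTMF_EVENTS) else None


def build_sip_info_dtmf(digit, call_id, transport="TLS", duration_ms=160):
    """Constructed SIP INFO request carrying the digit as an application/dtmf-relay body."""
    body = f"Signal={digit}\r\nDuration={duration_ms}\r\n"
    return (
        "INFO sip:ivr@example.invalid SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bK-example\r\n"
        "From: <sip:caller@example.invalid>;tag=1\r\n"
        "To: <sip:ivr@example.invalid>;tag=2\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 3 INFO\r\n"
        "Content-Type: application/dtmf-relay\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


def dtmf_from_sip(message):
    """Return the digit from a SIP INFO dtmf-relay body, else None."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep or not head.startswith("INFO "):
        return None
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/dtmf-relay":
        return None
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "signal":
            return value.strip()
    return None


def digits_readable_by_sniffer(capture):
    """Digits a passive observer can read from a capture of (layer, payload) tuples.

    layer is 'sip-cleartext', 'sip-tls', 'rtp' or 'srtp'. The encrypted layers are
    modelled as opaque (assumption): nothing is parsed from them.
    """
    digits = []
    for layer, payload in capture:
        if layer == "sip-cleartext":
            d = dtmf_from_sip(payload)
        elif layer == "rtp":
            d = dtmf_from_rtp(payload)
        else:
            d = None
        if d is not None:
            digits.append(d)
    return "".join(digits)


def scenario(dtmf_mode, signaling_tls):
    """Send the constructed digits '4111' in the given mode and report what leaks."""
    sample_digits = "4111"                # constructed sample, not a real card number
    sip_layer = "sip-tls" if signaling_tls else "sip-cleartext"
    transport = "TLS" if signaling_tls else "UDP"
    capture = []
    for i, digit in enumerate(sample_digits):
        ts = 160 * i
        if dtmf_mode == "info":           # digit rides in signaling; media is plain audio
            capture.append((sip_layer, build_sip_info_dtmf(digit, "call-1", transport)))
            capture.append(("rtp", build_rtp_audio(i, ts, 0xDEADBEEF, b"\xff" * 160)))
        elif dtmf_mode == "rfc2833":      # digit rides in the media stream as an event
            capture.append(("rtp", build_rtp_telephone_event(digit, i, ts, 0xDEADBEEF)))
        else:
            raise ValueError(f"unknown dtmf_mode {dtmf_mode!r}")
    return digits_readable_by_sniffer(capture)
```

Running `scenario("info", True)` returns an empty string: with SIP INFO over TLS and cleartext RTP, the digits are not in the media at all, which is the configuration the message describes. `scenario("rfc2833", True)` returns "4111" because TLS on signaling does nothing for RTP telephone-events, and `scenario("info", False)` returns "4111" because SIP INFO over cleartext UDP exposes the digits in the signaling instead. The capture model is deliberately simple; a real assessment would run the same two parsers over a pcap.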

asterisk-biz mailing list