Ya the audits and questions are stupid. My current PCI audit company and I got into a huge fight. They wanted to audit the IP address of my office which is dynamic and not my servers. Their questions were worded in such a way as to trap me. But in the end I just answered everything as a yes or no (what they were looking for) and got a passing grade :)
Sent from my iPhone 4S

On Dec 19, 2011, at 7:46 AM, Alex Balashov <[email protected]> wrote:

> You probably already know this, but there is no technical logic to the PCI
> guidelines. It is not a logical process, and the requirements are not
> conceived by people who really understand how technology and workflows in
> voice service delivery function. And, in general, if the auditors don't
> understand it--which they invariably don't--it's not compliant.
>
> So, for instance, with regard to DTMF, you could use SIP INFO for DTMF
> transition, and encrypt your signaling (say, with TLS) but not your media.
> Strictly speaking, that would be secure, since the credit card numbers do not
> appear either as RTP OOB events in the media stream, or in-band, but rather
> as signaling artifacts. However, this is way too clever for the kinds of
> people that get to define the compliance requirements.
>
> More generally, the assumption that PSTN analog or digital lines are
> inherently secure in ways that the public Internet is not is, of course,
> ridiculous. In fact, by many accounts, sniffing third-parties' packets is
> considerably more laborious a chore than bribing ILEC employees to assist in
> tapping circuits, or going to a junction box with a set of alligator clips.
> But, as I said, rhyme and reason is not part of the formula.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-biz
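To make the SIP INFO versus RTP point in the quoted message concrete, here is an added example (not code from this thread, from Asterisk, or from Evariste Systems) that decodes both places a DTMF digit can appear and reports whether the path carrying it is encrypted. The SIP INFO message and the RTP packet are constructed samples; the `Signal=`/`Duration=` body follows the common `application/dtmf-relay` convention, the RTP layout follows RFC 3550 and RFC 4733, and the hostnames, function names and the `dtmf_exposure` classification are assumptions made for this illustration.

```python
"""Where a DTMF digit travels (signaling or media) and whether that path is encrypted.

Added example for the SIP INFO vs. RTP point in the quoted message; it is not
code from the thread or from Asterisk.  Both sample messages are constructed.
Layout follows RFC 3261 (SIP) and RFC 3550/4733 (RTP telephone-event); the
'Signal=/Duration=' body is the usual application/dtmf-relay convention.
"""
import struct

DTMF_EVENTS = "0123456789*#ABCD"  # RFC 4733 event codes 0..15

# Constructed SIP INFO carrying one digit on a TLS-transported hop.
SIP_INFO_SAMPLE = (
    "INFO sip:ivr@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-constructed\r\n"
    "From: <sip:caller@example.invalid>;tag=c1\r\n"
    "To: <sip:ivr@example.invalid>;tag=i1\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 2 INFO\r\n"
    "Content-Type: application/dtmf-relay\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "Signal=5\r\nDuration=160\r\n"
)

# Constructed RTP packet: 12-byte header (V=2, PT=101) followed by the 4-byte
# RFC 4733 event payload: event=5, E bit set, volume 10, duration 160.
RTP_EVENT_SAMPLE = bytes([
    0x80, 0x65, 0x00, 0x01,          # V=2 P=0 X=0 CC=0 | M=0 PT=101 | seq=1
    0x00, 0x00, 0x12, 0x34,          # timestamp
    0xDE, 0xAD, 0xBE, 0xEF,          # SSRC
    0x05, 0x8A, 0x00, 0xA0,          # event=5 | E=1 R=0 vol=10 | duration=160
])


def parse_sip_info(msg: str) -> dict:
    """Extract the hop transport and the DTMF digit from a SIP INFO request."""
    head, _, body = msg.partition("\r\n\r\n")
    _request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Via reads "SIP/2.0/<TRANSPORT> host;params"; the transport token says
    # whether this signaling hop was TLS-protected.
    via = headers.get("via", "")
    transport = via.split()[0].split("/")[-1].upper() if via else ""
    fields = {}
    if headers.get("content-type", "").lower() == "application/dtmf-relay":
        for line in body.split("\r\n"):
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip().lower()] = value.strip()
    return {
        "channel": "signaling",
        "transport": transport,
        "digit": fields.get("signal"),
        "duration_ms": int(fields["duration"]) if "duration" in fields else None,
    }


def parse_rtp_telephone_event(pkt: bytes, event_pt: int = 101) -> dict:
    """Decode an RFC 4733 telephone-event packet (plain RTP, so it is readable)."""
    if len(pkt) < 16:
        raise ValueError("too short for an RTP header plus event payload")
    b0, b1, _seq, _ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    csrc_count = b0 & 0x0F
    payload_type = b1 & 0x7F
    if payload_type != event_pt:
        raise ValueError(f"payload type {payload_type} is not the telephone-event PT")
    offset = 12 + 4 * csrc_count
    event, end_vol, duration = struct.unpack("!BBH", pkt[offset:offset + 4])
    return {
        "channel": "media",
        "ssrc": ssrc,
        "digit": DTMF_EVENTS[event] if event < len(DTMF_EVENTS) else None,
        "end": bool(end_vol & 0x80),
        "volume_dbm0": -(end_vol & 0x3F),
        "duration_samples": duration,
    }


def dtmf_exposure(dtmf_method: str, signaling_transport: str, srtp: bool):
    """Return (channel carrying the digits, 'protected' or 'cleartext')."""
    if dtmf_method == "sip-info":
        ok = signaling_transport.upper() == "TLS"
        return ("signaling", "protected" if ok else "cleartext")
    if dtmf_method in ("rfc4733", "inband"):
        return ("media", "protected" if srtp else "cleartext")
    raise ValueError(f"unknown DTMF method {dtmf_method!r}")


if __name__ == "__main__":
    info = parse_sip_info(SIP_INFO_SAMPLE)
    print("SIP INFO :", info)
    print("RTP event:", parse_rtp_telephone_event(RTP_EVENT_SAMPLE))
    print("SIP INFO over TLS, no SRTP:", dtmf_exposure("sip-info", info["transport"], srtp=False))
    print("RFC 4733 over TLS signaling, no SRTP:", dtmf_exposure("rfc4733", "TLS", srtp=False))
```

The classification only speaks for the hop whose Via you inspected: SIP transport security is hop-by-hop, so a downstream proxy that forwards the INFO over UDP puts the digit back in cleartext, and any leg that converts SIP INFO to RFC 4733 or in-band tones moves it into the media path, where only SRTP would cover it.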
