RSI Security

Is VoIP in scope for PCI DSS?

Before we delve into understanding Voice over Internet Protocol (VoIP) and data security on VoIP systems, here's a quick introduction to the PCI DSS payment card data security standard.

The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The PCI security standard was created to increase controls around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually: for organizations handling large volumes of credit card payment transactions, either an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA) creates a Report on Compliance; companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ).

Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.


What is VoIP?

Voice over Internet Protocol (VoIP) is a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (analog) phone line.

With VoIP, analog voice calls are converted into packets of data. The packets travel like any other type of data, such as e-mail, over the public Internet and/or any private Internet Protocol (IP) network.

VoIP has become an important component of modern corporate communications, and many enterprises depend entirely on it for voice and multimedia. VoIP services are making the shift to mobile in a big way. It's estimated that there were approximately 1 billion mobile VoIP users at the end of 2017, and that number is only going to grow in coming years as the upcoming 5G mobile data standard comes closer to implementation. Mobile VoIP lets users connect over WiFi and mobile data networks to place calls, and also grants access to all of the features of the user's VoIP network.

 


Do PCI DSS requirements apply to VoIP?

VoIP is definitely in scope for PCI DSS compliance if it transmits sensitive authentication data (SAD) or cardholder data (CHD), whether in VoIP data packets or in audio/voice recordings.

 

Benefits of using VoIP

VoIP provides an effective channel for voice and multimedia communications at lower cost and with greater flexibility. Advantages of VoIP include toll bypass, network consolidation and service convergence. Large enterprises save thousands of dollars by placing long-distance calls over an IP network instead of the traditional telephone system. Network consolidation enables the transmission of data, voice, and video over one single network; the integration greatly reduces setup and maintenance costs. With service convergence, enhanced functionality can be implemented by coupling multimedia services.

 

Risks of using VoIP

Since VoIP uses the IP protocol, it is vulnerable to the usual attacks that hackers, malware, etc. use against public Internet networks. With VoIP, opportunities for eavesdroppers increase dramatically because of the many nodes in a packet network.

Failure to enforce adequate separation between voice and data circuits means that if either one were compromised, the enterprise would be exposed to the partial or complete loss of both critical functions. Multiple tools exist that could potentially query a variety of digital recordings.

Failure to design and manage effective VoIP controls could result in:

Many VoIP devices in their default configuration have a variety of exposed TCP and UDP ports. The default services running on those open ports may be vulnerable to denial-of-service, buffer overflows, or weak passwords, any of which may result in compromise of the VoIP devices.
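One way to turn the "exposed default ports" risk into a repeatable check is to compare a port-scan inventory of the VoIP estate against a per-role allow-list: SIP signalling only over TLS, media only in the configured SRTP range, recording servers reachable by SSH from the inside only and never from the Internet, and external access only through the VPN gateway. The Python script below is an added example, not code from the article; the roles, port numbers, ranges and the scan record are assumptions constructed for the example, and you would feed it the output of your own scan tooling instead. The same check covers the port-limiting, segmentation and no-direct-Internet items in the checklist further down.

```python
"""Audit exposed VoIP ports against a per-role, per-vantage allow-list.

Added example, not code from the original article. It consumes a scan
result in the shape your own inventory or port-scan tooling would produce;
the SCAN record below is constructed so the script runs offline.
"""
from dataclasses import dataclass

# Allow-list: role -> vantage -> list of (proto, low_port, high_port).
# The roles, ports and ranges are assumptions for this example.
POLICY = {
    "sip-pbx": {
        "internal": [("tcp", 5061, 5061),      # SIP over TLS only
                     ("udp", 10000, 20000)],   # SRTP media range
        "internet": [],                        # remote agents come in via the VPN gateway
    },
    "recording-server": {
        "internal": [("tcp", 22, 22)],         # SSH from the jump host only
        "internet": [],                        # no direct Internet connection at all
    },
    "vpn-gateway": {
        "internal": [],
        "internet": [("udp", 500, 500), ("udp", 4500, 4500)],  # IPsec IKE / NAT-T
    },
}

# Risky default services the article warns about; used to label findings.
RISKY_DEFAULTS = {
    ("udp", 5060): "cleartext SIP signalling (use 5061/TLS)",
    ("tcp", 5060): "cleartext SIP signalling (use 5061/TLS)",
    ("tcp", 23): "telnet administration",
    ("tcp", 80): "unencrypted web administration",
}


@dataclass(frozen=True)
class Finding:
    host: str
    vantage: str
    proto: str
    port: int
    reason: str


def is_allowed(rules, proto, port):
    """True if (proto, port) falls inside any allow-list entry."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in rules)


def audit(scan, policy=POLICY):
    """Return one Finding per open port that the policy does not permit."""
    findings = []
    for host in scan:
        role_policy = policy.get(host["role"])
        if role_policy is None:
            findings.append(Finding(host["ip"], host["vantage"], "-", 0,
                                    f"unknown role {host['role']!r}: no allow-list"))
            continue
        rules = role_policy.get(host["vantage"], [])
        for proto, port in host["open"]:
            if is_allowed(rules, proto, port):
                continue
            if host["vantage"] == "internet":
                reason = "reachable from the Internet"
            else:
                reason = RISKY_DEFAULTS.get((proto, port), "not in allow-list")
            findings.append(Finding(host["ip"], host["vantage"], proto, port, reason))
    return findings


# Constructed scan result (not real hosts): private and documentation addresses.
# "vantage" records where the scan was run from: the data LAN or the Internet.
SCAN = [
    {"ip": "10.20.0.10", "role": "sip-pbx", "vantage": "internal",
     "open": [("tcp", 5061), ("udp", 5060), ("tcp", 80), ("udp", 12000)]},
    {"ip": "10.20.0.20", "role": "recording-server", "vantage": "internal",
     "open": [("tcp", 22), ("tcp", 23)]},
    {"ip": "203.0.113.20", "role": "recording-server", "vantage": "internet",
     "open": [("tcp", 443)]},
    {"ip": "203.0.113.1", "role": "vpn-gateway", "vantage": "internet",
     "open": [("udp", 500), ("udp", 4500)]},
]

if __name__ == "__main__":
    for f in audit(SCAN):
        print(f"{f.host:14} {f.vantage:8} {f.proto}/{f.port:<5} {f.reason}")
```

Run against the constructed scan it reports four findings: cleartext SIP and an unencrypted web console on the PBX, telnet on the recording server, and a recording server that answers on 443 from the Internet. Everything the VPN gateway exposes is permitted, so it produces no finding.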

The dependence on VoIP communications implies a direct or indirect impact on:

 

24 ways you can protect payment card data from unauthorized access or theft:

  1. As always, if there’s no business need to store payment card data, avoid storing this sensitive data in your environment.
  2. Businesses should never store Sensitive Authentication Data (SAD), such as the customer's card verification code, after card authorization. Storing SAD, even if it is encrypted, is a clear violation of PCI DSS requirements. It is therefore prohibited to use any form of digital audio recording (in formats such as WAV, MP3, etc.) to store CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried.
  3. Do not store queryable/readable full primary account numbers (PAN) without techniques to render them unreadable and protected.
  4. If it is absolutely necessary for the business to store the card data in digital audio or video format (e.g., WAV, MP3, MPG, etc.) or other forms, physical and logical protections defined in PCI DSS must still be applied to these data recording formats.
  5. Ensure that a data disposal procedure is in place, limiting the amount of time that card information is kept on the quality assurance (QA)/recording server and customer relationship management (CRM) solution databases (both voice and screen recordings). This requirement does not supersede local or regional laws that may govern the retention of audio recordings.
  6. If the VoIP based card data processing, transmission or storage services are outsourced to service providers such as call centers, ensure that the call center or service provider complies with all PCI DSS compliance requirements.
  7. Use only those consumer or enterprise VoIP systems that provide strong cryptography. Use analog telephone lines when a VoIP telephone system does not provide strong cryptography.
  8. Ensure that transmission of cardholder data across public networks is encrypted using strong protocols such as Secure Sockets Layer and Transport Layer Security (SSL/TLS 1.2), Secure Shell (SSH), or Internet Protocol Security (IPsec).
  9. Ensure strong authentication controls for all personnel with access to call recordings using Virtual Private Network (VPN) with SSL/TLS.
  10. Ensure that there are no direct connections between systems storing audio recordings and the Internet.
  11. Ensure systems are maintained to secure configuration standards and are regularly tested for vulnerabilities.
  12. Ensure at-home/remote agent and supervisor PCs have personal firewalls installed and operational.
  13. Ensure at-home/remote agents and supervisor PCs have the latest version of the corporate virus protection software and definition files.
  14. Ensure at-home/remote agent and supervisor PCs have the latest approved security patches installed.
  15. Ensure that agents and supervisors use only company-approved systems.
  16. If telecommuters are permitted to access the VoIP PBX over the Internet, they must access using an encrypted VPN tunnel with strong user authentication.
  17. Encrypt VoIP phones and implement MAC-binding to prevent internal attacks such as plugging in rogue unauthorized laptops with softphones or other VoIP phones to a VoIP network to intercept voice packets.
  18. Verify that all VoIP-related administrative passwords (and encryption/decryption keys, where appropriate) have been changed from the manufacturer's default values.
  19. Verify that administrative passwords and encryption/decryption keys are known only to a restricted list of trusted personnel.
  20. Determine that emergency copies of all administrative passwords and encryption/decryption keys are kept in a secure location with restricted access.
  21. Determine that VoIP policies and standards are reviewed at least annually and updated as required.
  22. Deploy network segmentation using firewalls to separate the voice network from the data network, and the cardholder data network from other untrusted networks.
  23. An intrusion detection system (IDS) can assist in monitoring the network for any anomalies or potential abuses. Early warnings are key to preventing larger attacks.
  24. Deploy network configuration and network security by implementing the following:
    1. Limit port access to VoIP servers.
    2. Configure VoIP for secure external access, requiring an AES-encrypted VPN tunnel with strong authentication.
    3. Restrict and monitor physical access to VLAN hardware and sensitive devices such as VLAN switches, limiting access to a small number of trusted individuals on a strict need-to-know basis.
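Items 2 through 4 come down to a data-handling rule: nothing that can be queried for a full PAN or a card verification code may remain in transcripts, CRM notes or recording metadata after authorization. The Python example below is added here and is not code from the article; it finds candidate card numbers with a regular expression, confirms them with the Luhn checksum so that order numbers and timestamps are not mangled, keeps at most the first six and last four digits (the maximum PCI DSS lets you display), and blanks any verification code that appears next to a "CVV"/"CVC"/"CID"/"security code" label. The transcript is constructed and uses the standard 4111 test number, not a real card.

```python
"""Detect and mask PANs and card verification codes in free text such as
call transcripts or CRM notes, so what is stored is no longer queryable.

Added example, not code from the original article. Techniques used: a
digit-run regex, the Luhn checksum, first-six/last-four truncation, and a
label-context regex for verification codes. The transcript is constructed.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Verification code given right after a label such as "CVV 123" or "CID: 1234".
CVV_CONTEXT = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|cav2|security code)\b\D{0,10}(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (start, end, digits) for each Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits):
    """Keep the first six and last four digits; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text):
    """Replace every Luhn-valid PAN with its masked form and blank labelled CVV codes."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    masked = "".join(out)

    def blank_code(m):
        # Keep the label and separator, replace only the digits of the code.
        head = m.group(0)[: m.start(1) - m.start(0)]
        return head + "*" * len(m.group(1))

    return CVV_CONTEXT.sub(blank_code, masked)


# Constructed transcript: the 4111 number is the standard test PAN; the order
# number is 13 digits but fails Luhn, so it must be left untouched.
TRANSCRIPT = ("Agent: Can I have the card number? "
              "Caller: 4111 1111 1111 1111, expiry 12/29, CVV 123. "
              "Agent: Thanks, order 1234567890123 confirmed.")

if __name__ == "__main__":
    print(redact(TRANSCRIPT))
```

Run on the transcript it yields "Caller: 411111******1111, expiry 12/29, CVV ***." while the 13-digit order number survives intact. Apply the same function to recording metadata and CRM fields before they are written, and to existing stores as part of the disposal procedure in item 5.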


