PCI Data Security Standard (PCI DSS) Voice Encryption

Private telephony, public cloud, "hybrid agent application" and enabling PBX encryption.

Private Telephony and Public Cloud

In a Contact Centre environment where your business handles payment transactions over the phone, and the voice traverses an open or public network (typically to a cloud-based application), the "PCI Data Security Standard (PCI DSS) Version 2.0, March 2011" document guides you to encrypt the voice.

Advances in Technology “Hybrid Agent Application”

Moreover, with the advances in technology, from both a strategic and a tactical position, and to further reduce fraud rates and protect both your customers and the merchant, your business should be looking to automate the collection of card payments using an automated IVR that mimics the role played by a Customer Service Agent in collecting payment. Sabio uses its "Hybrid Agent Application" to deliver this capability.

Enabling PBX Encryption

Turning on encryption and securing voice on your Enterprise PBX should be relatively straightforward, but be mindful of other applications that take voice from the PBX, such as call recording or third-party IVR applications, as they may stop working once the voice is encrypted.

On the Avaya fabric, SRTP is typically enabled via the 1-srtp-aescm128-hmac80 cipher suite. Its 80-bit HMAC authentication tag adds roughly 10 bytes to every voice packet, which equates to a nominal 4 kbps of additional bandwidth per voice stream. On the Avaya platform the latest technology means there is no impact on DSP capacity.
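To make the overhead figure concrete, here is an added example (not from the page, Avaya or Sabio) that builds a sample RTP packet, appends the 80-bit SRTP authentication tag as RFC 3711 defines it, verifies the tag on the receiving side, and computes the per-stream overhead in kbps. The auth key, SSRC and G.711 payload are constructed values; the AES-CM encryption step is left out because a counter-mode keystream does not change the packet size, so only the tag accounts for the extra bytes.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the page): a 20-byte SRTP session auth key
# and a rollover counter (ROC) of 0 for a freshly started stream.
AUTH_KEY = bytes(range(20))
ROC = 0


def build_rtp_packet(seq, ts, ssrc, payload, pt=0):
    """Minimal 12-byte RTP header (V=2, no padding/extension/CSRC) plus payload.
    In real SRTP the payload here would already be AES-CM encrypted."""
    first_byte = 0x80           # version 2, P=0, X=0, CC=0
    second_byte = pt & 0x7F     # marker 0, payload type (0 = G.711 PCMU)
    return struct.pack("!BBHII", first_byte, second_byte, seq, ts, ssrc) + payload


def srtp_auth_tag(packet, auth_key, roc, tag_len=10):
    """RFC 3711 s4.2: HMAC-SHA1 over (authenticated portion || ROC), truncated
    to tag_len bytes. *_hmac80 suites use a 10-byte (80-bit) tag."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:tag_len]


def protect(packet, auth_key, roc, tag_len=10):
    """Sender side: append the tag. No MKI field is used in this example."""
    return packet + srtp_auth_tag(packet, auth_key, roc, tag_len)


def verify(srtp_packet, auth_key, roc, tag_len=10):
    """Receiver side: recompute the tag and compare in constant time.
    A False result means the packet was altered in transit and must be dropped."""
    body, tag = srtp_packet[:-tag_len], srtp_packet[-tag_len:]
    return hmac.compare_digest(tag, srtp_auth_tag(body, auth_key, roc, tag_len))


def auth_overhead_kbps(tag_len, ptime_ms):
    """Bandwidth the tag adds to one stream: tag bytes x packets/s x 8 bits."""
    packets_per_second = 1000 / ptime_ms
    return tag_len * packets_per_second * 8 / 1000


if __name__ == "__main__":
    # 160 bytes of G.711 = 20 ms of audio at 8 kHz (constructed payload).
    rtp = build_rtp_packet(seq=1, ts=160, ssrc=0x1234ABCD, payload=b"\xff" * 160)
    srtp = protect(rtp, AUTH_KEY, ROC)
    print("tag bytes added:", len(srtp) - len(rtp))          # 10
    print("verified:", verify(srtp, AUTH_KEY, ROC))           # True
    print("hmac80 at 20 ms:", auth_overhead_kbps(10, 20), "kbps")  # 4.0
```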

Call Centres will need to ensure that transmission of cardholder data across public networks is encrypted.

This is part of PCI DSS Requirement 4 and includes:

  • Using strong encryption protocols such as Secure Socket Layer and Transport Layer Security (SSL/TLS), Secure Shell (SSH), or Internet Protocol Security (IPsec) to secure transmission of any cardholder data over public networks, including:
  • Both wired and wireless networks used by at-home/remote agents and supervisors, for example via a Virtual Private Network (VPN) with SSL/TLS. Please note that the Wired Equivalent Privacy (WEP) protocol is no longer permissible as a security control for wireless networks
  • Any public network segments used to carry or send screen or voice recordings
  • Voice or data streams over Voice over IP (VoIP) telephone systems, whenever sent over an open or public network. Note that only those consumer or enterprise VoIP systems that provide strong cryptography should be used
  • Requiring agents to use analog telephone lines when a VoIP telephone system does not provide strong cryptography
  • Ensuring that payment card information is never sent over an unencrypted, end-user messaging medium such as chat, SMS (Simple Messaging System)/text or e-mail, or other non-encrypted communication channels
  • As a best practice, ensuring that stored recordings are not played back over a speakerphone if payment card information is included