I couldn't find any information on this with a straightforward answer. I may have been googling the wrong thing.
We have several IVRs and 2 of them accept credit card payments over the phone. Both of those IVRs use RTP instead of SRTP or some secure/encryption layer. How concerning is this from a security perspective? What are the minimum PCI compliance requirements for those accepting CC payments over VoIP?
We currently use SIP over UDP and not SIPS. For DTMF input we use RFC 2833 over RTP.
Breaking the question into 2 parts:

How concerning is this from a security perspective? It is concerning, and it will not pass a PCI audit. The test can be taking or intercepting some of the data transmitted using the RTP connection; it can easily be decoded with a DTMF decoder using a range of frequencies (the pair of sinusoidal tones), meaning someone who audits your cloud/private cloud solution when not using encryption will determine, per frequency tone, which numbers the user pressed.

What are the minimum PCI compliance requirements for those accepting CC payments over VoIP? The minimum is access control, such as Entra ID, Active Directory or your own access control; in this case the IVRs must do that, although we are not mainly managing users as identities, or maybe you do. Then data encryption: from experience working for Microsoft, you can encrypt the data in transit by creating a middleware module or something. The way we did it was with Stripe and some of the .NET packages, because we were using SRTP with Microsoft Teams Phone, which already includes it (https://learn.microsoft.com/en-us/dotnet/overview/msteams-client), but it may not be cost-effective if the number of transactions is low. Combine it with a plan for security or cybersecurity incidents, and use self/external vulnerability scans, such as hiring a company that also does audits for PCI.

Many other requirements: https://stripe.com/en-us/guides/pci-compliance. But as Stripe concludes as well, having all that is still not enough for the users, though it is good enough for the audit. During the audit make sure you have an internal audit plan in place, because they may ask for it as well (Regular Security Testing). The source code of your solution must also use encryption such as libffi, BCrypt or certificate-based, anything that can easily change the real pair of dual tones to an encrypted version of them (you can use this example, but it requires changes to encrypt the information before processing it, https://github.com/hfeeki/dtmf/blob/master/dtmf-decoder.py, because this one by itself won't pass the audit). During the audit they may ask to see the source code of the solution to ensure it is PCI compliant; I would have asked them to sign an NDA, or change the encryption modules after the audit as well.
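As an added example (not from the answer above or from the original poster), a small Python audit of SDP bodies: it flags media sections that negotiate RFC 2833 telephone-event DTMF over plain RTP/AVP instead of an SRTP profile, which is the condition the answer says will not pass. The SDP bodies are constructed samples, the a=crypto key is a placeholder, and only media-level keying attributes are inspected.

```python
import re

# Constructed sample SDP bodies (not captured from any real IVR). The first
# negotiates plain RTP/AVP with RFC 2833 telephone-event DTMF; the second is the
# same offer over SRTP (RTP/SAVP) with an SDES a=crypto line (placeholder key).
PLAIN_RTP_SDP = """v=0
o=ivr 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
"""
SRTP_SDP = PLAIN_RTP_SDP.replace("RTP/AVP", "RTP/SAVP").replace(
    "a=rtpmap:0", "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_KEY\na=rtpmap:0")

def audit_sdp(sdp):
    """Return one dict per m= section with the transport profile, whether it is
    an SRTP profile, how keys are exchanged (media-level attributes only) and
    whether telephone-event DTMF would travel in the clear."""
    sections, cur = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port, proto, *payloads = line[2:].split()
            cur = {"media": media, "port": int(port), "proto": proto,
                   "payloads": payloads, "dtmf_payloads": [], "keying": None}
            sections.append(cur)
        elif cur is None:
            continue  # session-level lines before the first m=
        elif line.startswith("a=rtpmap:"):
            m = re.match(r"a=rtpmap:(\d+)\s+telephone-event/", line)
            if m:
                cur["dtmf_payloads"].append(int(m.group(1)))
        elif line.startswith("a=crypto:"):
            cur["keying"] = "sdes"       # RFC 4568: keys in SDP, so SIP needs TLS
        elif line.startswith("a=fingerprint:"):
            cur["keying"] = "dtls-srtp"  # RFC 5763: keys from a DTLS handshake
    for s in sections:
        # RTP/SAVP, RTP/SAVPF and UDP/TLS/RTP/SAVP are all SRTP profiles.
        s["srtp"] = "SAVP" in s["proto"]
        s["dtmf_in_clear"] = bool(s["dtmf_payloads"]) and not s["srtp"]
    return sections

if __name__ == "__main__":
    for name, sdp in (("plain RTP", PLAIN_RTP_SDP), ("SRTP", SRTP_SDP)):
        for s in audit_sdp(sdp):
            print(name, s["proto"], "keying:", s["keying"], "DTMF in clear:", s["dtmf_in_clear"])
```

Run it over the SDP bodies from a SIP trace of the payment IVR; any section reported with DTMF in clear is a call where card digits keyed as RFC 2833 events are unprotected on the wire.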