
Saturday, October 23, 2010

Using VoIP with a Credit Card Processing Terminal is Risky Business

Processing Credit Card Payments Using Credit Card Terminals with VoIP / Digital Phone Lines Is Not PCI Compliant



Millions of people running small businesses, especially home-based businesses, also have VoIP (Voice over Internet Protocol) / Digital Phone Line services from their Internet Service Provider (ISP) in their homes and businesses. Many also use Point-of-Sale terminals made initially for old-fashioned phone lines, not digital lines. If you are a merchant and use a card processing terminal that connects via VoIP or digital phone lines to transmit and process credit card payments, then you are not PCI (Payment Card Industry) compliant; you are at risk of losing your credit card processing privileges or of being sued by customers whose data is stolen. Credit card data that is processed over VoIP services is transmitted in the clear over public networks (the Internet) and there is no way to encrypt the data.

An excellent article on this topic can be found at The Merchant Account Blog:

Note: Most VoIP providers do not utilize encryption
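One way to check the note above on your own line, added here as an example that is not part of the original post: it assumes the VoIP service signals calls with SIP and SDP (the post does not say which protocol is used) and classifies the media transport the SDP body offers. The SIP messages and the `audit_media` helper are constructed for illustration.

```python
# Added example: classify the media transport offered in a SIP message's SDP body (constructed samples).
CLEARTEXT = {"RTP/AVP", "RTP/AVPF", "udptl"}  # plain RTP, or T.38 fax over UDP
ENCRYPTED = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}  # SRTP

PLAIN_INVITE = """INVITE sip:gateway@voip.example.com SIP/2.0
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""
SRTP_INVITE = (PLAIN_INVITE.replace("RTP/AVP", "RTP/SAVP")
               + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\n")

def sdp_lines(sip_message):
    """Return the SDP lines that follow the blank line ending the SIP headers."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    return [ln.strip() for ln in body.split("\n") if ln.strip()]

def verdict(stream):
    if stream["port"] == "0":
        return "disabled"  # port 0 means the stream was rejected
    if stream["proto"] in ENCRYPTED:
        return "encrypted" if stream["keyed"] else "encrypted-profile-no-key"
    return "cleartext" if stream["proto"] in CLEARTEXT else "unknown"

def audit_media(sip_message):
    """Return (media, proto, verdict) for every m= line in the SDP body."""
    streams, session_keyed, cur = [], False, None
    for line in sdp_lines(sip_message):
        if line.startswith("m="):
            fields = line[2:].split()  # m=<media> <port> <proto> <formats...>
            if len(fields) >= 3:
                cur = {"media": fields[0], "port": fields[1].split("/")[0],
                       "proto": fields[2], "keyed": session_keyed}
                streams.append(cur)
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            if cur is None:
                session_keyed = True  # session-level keying applies to all media
            else:
                cur["keyed"] = True
    return [(s["media"], s["proto"], verdict(s)) for s in streams]

if __name__ == "__main__":
    print(audit_media(PLAIN_INVITE), audit_media(SRTP_INVITE))
```

An `encrypted` verdict describes only the leg this SDP was negotiated for, not the rest of the call path.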

When these terminals are connected to a true analog phone line, the merchant is operating within PCI compliance. This is so because it is very unlikely that data can be stolen over an old-fashioned telephone line while processing credit card payments. An attacker would have to tap into your home or business phone line to steal credit card data, and that is highly unlikely to happen, so this is rated as very low risk.

VoIP is very susceptible to man-in-the-middle attacks, where an attacker, who could be anyone on the Internet, can eavesdrop on or alter the originating message; in this case, capturing your customers' sensitive credit card information. Most credit card phone line processing terminals won't work over VoIP services because of dropped packets, but even failed attempts to process credit cards over VoIP could lead to an attacker stealing customer credit card data. See diagram below.

Man In The Middle Attack



Work Around To Be PCI Compliant

Many of these credit card terminals also have an Ethernet Port (RS232) and can easily process customer credit card payments via an encrypted connection over the Internet. You may need to contact your credit card processing provider to help you get it set up, usually at no additional cost! See picture below.



Another workaround is to switch to a Wireless Credit Card Terminal. Note that these terminals incur higher business expenses compared to a dial-up phone line terminal. These terminals use GPRS / cell phone technology, just like mobile phones do, to securely connect and encrypt the credit card transaction, which is PCI compliant. A wireless credit card processing terminal is great for businesses that sell goods or services on the road. See Wireless Credit Card Terminal below.

More Secure and Convenient Credit Card Processing Method

Wireless Credit Card Processing Terminal




19 Year Old Demonstrates VoIP Hacking - Scary Stuff!




Be careful out there!

Julius, MBA, CISSP, CISA


9 comments:

  1. Hi, This is excellent information. Thanks for sharing this.

  2. Thanks for sharing the information, it was very informative and useful. You can visit us at http://voipphone-info.blogspot.com/

  3. A versatile, reliable credit card processing service can help your business increase sales by enabling you to accept all forms of payment from anywhere at anytime.

  4. Wow, that video is something else. Good thing I've switched my business to a more secure payment processing system. I agree with the author of this post that small businesses in particular should be aware of the ease in which their financial security can be compromised.

  5. Security measures are now the first priority to make the transaction secure and smooth. The new applications and tools have the sound structure to make it sure.

  6. The credit card terminal will encrypt the data, so even if the VoIP protocol that acts as a transport layer is not encrypted the communication will be secure. It is vulnerable to man-in-the-middle attacks as ALL secure communications done over the Internet (using SSL), the encryption schemes are strong enough to handle that.

  7. A wonderful post on the pitfalls of the Credit Card Payment Processing highlighted some new issues in my knowledge and thus made it more easy to pay attention on selecting credit card.

  8. Hello,

    This is so because it is very unlikely that data can be stolen over an old-fashioned telephone line while processing credit card payments. An attacker would have to tap into your home or business phone line to steal credit card data and that is highly unlikely to happen so this is rated as very low risk. It more easy to pay attention on selecting credit card.

    Merchant credit card processing
