vicidial.org

[joebiden]

Hi,

Does a VICIdial can be a PCI compliant? using IVR so the customer can input his/her card details, then will be forwarded to the agent with the number being masked while the data is saved to the VICIdial?

[williamconley]

Vicidial does have a park-call method to acquire CC details. But PCI compliance is a bit more complex than that. Note that the data in question will still exist in one form or another in various asterisk/astguiclient logs in addition to wherever you choose to store it in your database (which is personalized). But the ability to transfer a call to a non-recorded IVR to get a CC and then return to the agent is an old method which has been in Vicidial for quite some time. However, it's not ... simple.

http://www.vicidial.org/VICIDIALforum/v ... hp?t=15379

[mflorell]

"PCI Compliant" means several different things, and the requirements actually depend on how big of a company you are and how much credit card processing that you do in a year.

There are basically 3 main components:
- Network security
- Physical security and access control
- Data storage


Most companies that claim "PCI Compliant" on their websites are only compliant with the first component, which is verified by a web-scanning service pointed at one of the webservers they operate.

The other components require a third party company to inspect and validate the requirements for the target company. I've been through the process with a few companies for their premise setups, and the one that let me know the price said it ended up costing them over $300,000 before it was all done and they were certified as PCI Compliant in all areas.

As for VICIdial, it really depends on where your system is set up and your maintenance schedule for updates.

As for our hosting service, VICIhost, we are hosted in a secure facility and we do offer encrypted custom fields(at rest) for sensitive data storage, both of which can be compliant with PCI requirements, depending on the size of your company and your processing volume.

[joebiden]

As of now any version of VICIdial functions is not yet PCI compliant ready?

[williamconley]

None of Vicidial is PCI Compliant.

Networking: Vicidial is not a networking package. It's a dialer package. Vicidial resides in an environment that may or may not be PCI compliant for networking purposes, but the networking compliance diagnoses will not be against Vicidial itself, but the environment in which it resides.

Physical security and access control: Vicidial itself resides in a server. Physical access to the server is not part of "Vicidial" itself.

Data Storage: Vicidial is not a hardened application and is subject to internal security issues from a "hacker on staff". It can be hardened, but is not hardened by default. There are some not-insigificant configuration modifications necessary to declare Vicidial impossible to hack (for PCI compliance purposes) and to avoid storage of sensitive information (even temporarily). If you require/intend to become PCI compliant at a level beyond networking: I strongly urge you to contact The Vicidial Group directly before you engage. Spending enough to get a basic diagnosis from them may save you a huge headache down the road. PoundTeam Incorporated has been involved in some pieces of the puzzle, but never All The Way Through. Most of the work for sensitive portions was intentionally offloaded to other systems (which were already PCI compliant/certified) to avoid the cost of making one individual Vicidial cluster compliant on a short schedule and budget.

[joebiden]

Hi,

Thanks for the info