VICIdial PCI Compliant


Postby joebiden » Tue Apr 30, 2019 4:44 pm

Hi,

Can VICIdial be PCI compliant? Using an IVR so the customer can input his/her card details, then being forwarded to the agent with the number masked while the data is saved to VICIdial?
VERSION: 2.14-705a BUILD: 190327-2311 | Asterisk 13.21.1-vici | Clustered Server No Digium/Sangoma Hardware | No Extra Software After Installation

Re: VICIdial PCI Compliant

Postby williamconley » Tue Apr 30, 2019 5:04 pm

Vicidial does have a park-call method to acquire CC details. But PCI compliance is a bit more complex than that. Note that the data in question will still exist in one form or another in various asterisk/astguiclient logs in addition to wherever you choose to store it in your database (which is personalized). But the ability to transfer a call to a non-recorded IVR to get a CC and then return to the agent is an old method which has been in Vicidial for quite some time. However, it's not ... simple.

http://www.vicidial.org/VICIDIALforum/v ... hp?t=15379
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
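The reply above notes that card digits entered over the phone still end up in Asterisk/astguiclient logs, whatever you do in the database. As an added example (not code from VICIdial, PoundTeam or this thread), the following Python pass finds PAN-shaped digit runs in log output, keeps only those that pass a Luhn check so call IDs and phone numbers are left alone, and masks everything but the last four digits. The log lines are constructed for the demo, and the masking policy and the Luhn filter are assumptions about how a practitioner would do it, not anything VICIdial does itself:

```python
import re

# Constructed sample log lines for the demo; not real VICIdial or Asterisk output.
# 4111111111111111 and 5500000000000004 are industry-standard test PANs, not live cards.
SAMPLE_LOG = """\
[2019-04-30 16:44:01] VERBOSE[1234] app_read.c: User entered '4111111111111111'
[2019-04-30 16:44:05] VERBOSE[1234] app_dial.c: Called SIP/1234567890123456
[2019-04-30 16:44:09] agent note: cust card 5500 0000 0000 0004 exp 12/22
[2019-04-30 16:44:12] VERBOSE[1234] app_dial.c: dialing 18005551212
"""

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check over a string of ASCII digits (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (assumed policy: PCI DSS permits showing last 4)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str):
    """Return (redacted_line, number_of_pans_masked) for one log line."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        # A digit run that fails Luhn is almost certainly an ID, not a card;
        # a real ID can still collide with Luhn by chance, so this is a filter, not proof.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return _PAN_RE.sub(repl, line), count


def redact_log(lines):
    """Redact every line; returns (list_of_lines, total_pans_masked)."""
    out, total = [], 0
    for line in lines:
        new, n = redact_line(line)
        out.append(new)
        total += n
    return out, total


if __name__ == "__main__":
    redacted, n = redact_log(SAMPLE_LOG.splitlines())
    print("\n".join(redacted))
    print(f"{n} PAN(s) masked")
```

Run it over a copy of `/var/log/asterisk/full` or the astguiclient logs to see what would leak; in practice the fix is to stop the digits being written in the first place (no DTMF verbose logging on the IVR leg), with a redaction pass like this only as a check that the configuration actually holds.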

Re: VICIdial PCI Compliant

Postby mflorell » Tue Apr 30, 2019 6:37 pm

"PCI Compliant" means several different things, and the requirements actually depend on how big of a company you are and how much credit card processing that you do in a year.

There are basically 3 main components:
- Network security
- Physical security and access control
- Data storage


Most companies that claim "PCI Compliant" on their websites are only compliant with the first component, which is verified by a web-scanning service pointed at one of the webservers they operate.

The other components require a third party company to inspect and validate the requirements for the target company. I've been through the process with a few companies for their premise setups, and the one that let me know the price said it ended up costing them over $300,000 before it was all done and they were certified as PCI Compliant in all areas.

As for VICIdial, it really depends on where your system is set up and your maintenance schedule for updates.

As for our hosting service, VICIhost, we are hosted in a secure facility and we do offer encrypted custom fields(at rest) for sensitive data storage, both of which can be compliant with PCI requirements, depending on the size of your company and your processing volume.

Re: VICIdial PCI Compliant

Postby joebiden » Wed May 01, 2019 10:14 am

As of now, is there any version of VICIdial that is PCI compliant ready?

Re: VICIdial PCI Compliant

Postby williamconley » Wed May 01, 2019 12:42 pm

None of Vicidial is PCI Compliant.

Networking: Vicidial is not a networking package. It's a dialer package. Vicidial resides in an environment that may or may not be PCI compliant for networking purposes, but the networking compliance diagnoses will not be against Vicidial itself, but the environment in which it resides.

Physical security and access control: Vicidial itself resides in a server. Physical access to the server is not part of "Vicidial" itself.

Data Storage: Vicidial is not a hardened application and is subject to internal security issues from a "hacker on staff". It can be hardened, but is not hardened by default. There are some not-insignificant configuration modifications necessary to declare Vicidial impossible to hack (for PCI compliance purposes) and to avoid storage of sensitive information (even temporarily). If you require/intend to become PCI compliant at a level beyond networking: I strongly urge you to contact The Vicidial Group directly before you engage. Spending enough to get a basic diagnosis from them may save you a huge headache down the road. PoundTeam Incorporated has been involved in some pieces of the puzzle, but never All The Way Through. Most of the work for sensitive portions was intentionally offloaded to other systems (which were already PCI compliant/certified) to avoid the cost of making one individual Vicidial cluster compliant on a short schedule and budget.

Re: VICIdial PCI Compliant

Postby joebiden » Fri May 10, 2019 3:07 pm

Hi,

Thanks for the info