Re: [cisco-voip] PCI DSS compliance for Cisco IPT/UCCX

2019-01-24 Thread James Buchanan
Shall we also go stone tablets instead of email while we're at it?

Anyway, a few notes:

1. If agents take payments over the phone, you will need to ensure there is
some way for the customer to enter the digits. The agents must not be able to
distinguish the DTMF tones, and the tones will need to be entered into a
payments screen of some sort. This is generally a custom development effort.
2. In reference to #1, if agents take payments over the phone, you will
need to ensure your call recording solution has pause/resume capability to
prevent the credit card number from being recorded.
3. To avoid being able to sniff the traffic in the CUBE (for self-service
payment scenarios) you may need to harden your CUBE or firewall it.

That's my two cents from a few customers I've assisted in this effort.

Now, some customers will simply not take payments over the phone anymore
and will go fully self-service for credit card payments.

Regarding TLS 1.2, you need to do that one way or the other. Browsers are
beginning to enforce this more and more, and you don't want to be stuck in
the past. Also, any kind of penetration test would note this and have you
fix it. It's not hard, but could require some upgrading (CUCM 10.5 to 11.5,
e.g.).

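A quick way to verify the point James makes about TLS 1.2 (that a penetration test would flag a server still accepting TLS 1.0 or 1.1) is to probe the interface yourself. The script below is an added example for this thread, not Cisco tooling or code from any of the posters; the host and port are placeholders you replace with your own CUCM, UCCX or CUBE web or SIP-TLS interface, and the verdict rules encode only what the thread discusses (TLS 1.0 must be off, TLS 1.2 must be available, TLS 1.1 is flagged as a warning).

```python
"""Survey which TLS versions a server still negotiates and grade the result.
Added example for this thread, not Cisco tooling: the host/port are whatever
you point it at (the CUCM/UCCX/CUBE HTTPS or SIP-TLS interfaces are the
obvious candidates) and the default hostname below is a placeholder."""
import socket
import ssl
import sys

# Versions worth probing; SSLv3 and older are omitted because modern OpenSSL
# builds cannot offer them at all.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def negotiates(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Lower the local security level so the client will offer legacy suites;
        # otherwise a modern OpenSSL refuses TLS 1.0/1.1 before the server answers.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                        # LibreSSL / older builds: keep the defaults
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False                # this OpenSSL build no longer supports the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def survey(host, port):
    """Map each version name to whether the server accepted it."""
    return {name: negotiates(host, port, ver) for name, ver in VERSIONS.items()}


def pci_verdict(results):
    """Grade a survey: TLS 1.2 missing or TLS 1.0 ("early TLS") enabled is a fail;
    TLS 1.1 still enabled is a warning, since PCI SSC recommends TLS 1.2."""
    if not results.get("TLSv1.2"):
        return "FAIL: TLS 1.2 not offered"
    if results.get("TLSv1.0"):
        return "FAIL: TLS 1.0 still enabled"
    if results.get("TLSv1.1"):
        return "WARN: TLS 1.1 still enabled; plan the move to TLS 1.2 only"
    return "PASS: TLS 1.2 only"


if __name__ == "__main__":
    # Placeholder host; pass your own server as argv[1] (and port as argv[2]).
    target_host = sys.argv[1] if len(sys.argv) > 1 else "cucm.example.invalid"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    found = survey(target_host, target_port)
    for name, ok in found.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print(pci_verdict(found))
```

Run it as `python tls_survey.py <host> 8443` against each interface before and after the upgrade James mentions. One caveat: a client whose OpenSSL build has dropped TLS 1.0 support entirely will report "rejected" for a version the server may still accept, so confirm the result from a second host (or with a scanner that ships its own TLS stack) before recording it as evidence.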

Re: [cisco-voip] PCI DSS compliance for Cisco IPT/UCCX

2019-01-23 Thread Ki Wi
Hi Group,
thanks!
I think TLS 1.2 is pretty tricky, and since it is not compulsory now, I
will avoid it. TLS 1.1 seems good enough for now.

The main problem will revolve around enabling voice encryption on the existing
cluster. This will be quite a major effort. If this is deemed necessary, I
will get the customer to create a standalone cluster just for UCCX; otherwise
it will potentially cost them more $$ to enable end-to-end encryption on
all existing sites.

The PCI compliance consultant they have hired recommended that they go to
digital phones or analogue phones, which is kind of weird.

Regards,
Ki Wi


-- 
Regards,
Ki Wi
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] PCI DSS compliance for Cisco IPT/UCCX

2019-01-22 Thread Ryan Ratliff (rratliff) via cisco-voip
BRKCOL-2009 is a good Cisco Live session entirely dedicated to the impact of 
PCI requirements on collab (TLS 1.2 particularly).

Transport Layer Security (TLS) 1.0 is being deprecated and may not provide the 
level of security required by an organization anymore. The Payment Card 
Industry Data Security Standard (PCI DSS) is for example requiring vendors to 
use newer versions of TLS for encrypted communications. This session will 
discuss the support of TLS 1.2 in the Cisco On-Premises Collaboration products. 
It will also cover the ability to disable TLS 1.0 and/or TLS 1.1, the 
interfaces that are affected by this, and the implications on the Cisco 
Collaboration solution. Finally, it will discuss limitations when older phones 
are still used in an environment where TLS 1.0 has been disabled.

 - Ryan Ratliff




Re: [cisco-voip] PCI DSS compliance for Cisco IPT/UCCX

2019-01-22 Thread Lamont, Joshua
The complete guide is located here:
https://www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf

This was updated in November for the first time in seven years. If you are
a business accepting credit cards this is definitely something you should
read through.

Joshua Lamont
Senior Telecommunications Engineer
Brown University
office (401) 863-1003
cell (401) 749-6913




Re: [cisco-voip] PCI DSS compliance for Cisco IPT/UCCX

2019-01-22 Thread Ryan Huff
At a high level I’d think you’ll need to look into SRTP (aka voice encryption) 
enabled system-wide, no call recording (which you can’t do with SRTP anyway) 
and possibly no call monitoring too (at least on the PII calls).

Then adhere to all the physical access rules for servers that store or transmit 
PII (personally identifiable information).

You may need to research database storage requirements as it relates to PCI. 
I’m assuming the UCCX environment is what will be dealing with the PII; while 
UCCX doesn’t have the capacity to outright store CC info, it may be possible 
that some of that info is captured in logs, depending on how your environment 
is set up.

You’d have to do a lot of dry runs in the UCCX environment and run all the 
calling scenarios that interact with PII to ensure traces of it do not get 
logged.

Obviously nothing can be done to the UCCX database outside of what Cisco 
supports, like encrypting table values that aren’t encrypted, etc.

Sent from my iPhone

> On Jan 22, 2019, at 01:23, Ki Wi wrote:
> 
> Hi Group,
> I have a customer who is asking how we can make their existing Cisco IPT
> (with UCCX) PCI DSS compliant, since the new upcoming site we are planning to
> deploy will handle sensitive data such as credit card information.
> 
> Any folks out there have experience doing this?
> 
> Do we need voice encryption? Turn on TLS v1.1? etc.?
> 
> -- 
> Regards,
> Ki Wi
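Ryan's advice to run every payment call scenario and confirm no trace of the card number lands in the logs (and James's point that DTMF digits must end up only in the payment screen) needs a check you can rerun after each script change. The scanner below is an added example for this thread, not Cisco or UCCX code: the trace lines are constructed, the field names (`session=`, `digits=`) are assumptions rather than a real CCX trace format, and it reports only masked numbers so the audit output itself never becomes a new place the PAN is stored.

```python
"""Scan IVR / contact-centre trace lines for primary account numbers (PANs)
that should never have reached a log.  Added example for this thread, not Cisco
or UCCX code: the log lines below are constructed, and the field names
(session=, digits=) are assumptions, not a real CCX trace format."""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes, that is
# not part of a longer digit run (so call IDs and timestamps are skipped).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample trace; only lines 2 and 4 carry a real-looking (test) PAN.
LOG_LINES = [
    "2019-01-22 09:14:03.112 CCX script PaymentIVR: session=33417 step=CollectDigits",
    "2019-01-22 09:14:21.540 CCX script PaymentIVR: session=33417 digits=4111111111111111",
    "2019-01-22 09:14:22.001 CCX script PaymentIVR: session=33417 digits=411111******1111",
    "2019-01-22 09:15:02.777 CCX script PaymentIVR: session=33418 digits=5500 0000 0000 0004",
    "2019-01-22 09:15:10.000 CCX script PaymentIVR: session=33419 ref=1234567890123",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most numeric noise that merely looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line: str):
    """Return the Luhn-valid candidate PANs (digits only) found in one line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines):
    """Return (line number, masked PAN) for every PAN found, never the full number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(LOG_LINES):
        print(f"line {lineno}: PAN logged in clear -> {masked}")
```

Point `scan_log` at the exported trace files after each dry run; a clean run returns an empty list. Line 3 shows what a correctly masked entry looks like and is deliberately not reported, and the Luhn filter keeps reference numbers and timestamps (lines 1 and 5) out of the findings, so anything the scanner does report deserves a look at the script step that wrote it.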