Are You Ready For PCI Compliance Changes June 2018?

Depending on the type of organization you work for, your Unified Communications (UC) systems may be required to be PCI compliant. This is generally the case when credit card transactions are processed on the phone, as is the case in some customer service contact centers. The new release of the Payment Card Industry Data Security Standard (PCI DSS), version 3.2, introduces many significant changes that you should be made aware of. Although the changes in PCI DSS version 3.2 are vast, for this article, we will focus on the new aspects of the standard that directly affect UC systems, namely the migration from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) versions.

What is PCI DSS Compliance and why is it important

Organizations that process or transmit credit card information must comply with PCI DSS. Failure to comply with version 3.2 could render your organization at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more if a breach occurs.

SSL/TLS vulnerabilities

SSL and TLS are security protocols which encrypt the information sent between web browsers and web servers. However, since the release of SSL v3, unfixable vulnerabilities have been identified which can severely compromise the capabilities of older encryption technology to protect information. These vulnerabilities include FREAK, POODLE, Heartbleed, and WinShock. 

Extended migration dates for SSL/early TLS

Organizations were initially given a deadline of June 30, 2016, to comply with the release of PCI DSS v3.2. But as the deadline approached, the complexities of requirements made it difficult for most organizations to achieve compliance. Fortunately, the deadline to meet compliance was adjusted to June 30, 2018. 

The revisions to PCI DSS v3.2 include:

• All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater.
• Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater. TLS 1.2 is recommended.

Cisco has released software updates for many products to offer support for TLS 1.2

• CUCM/CUC/IM&P 10.5(2)
• UCCX as a:
  • server (web admin, Finesse, CUIC)  10.6(1)SU2 , 11.0(1), 11.0(1)SU1 or 11.5(1)
  • client (to connect to an external integration) 10.6(1)SU3, 11.5(1)SU1 or 11.6(1)
• Expressway X8.8
• Jabber 11.7
• ISR G3 Routers: IOS 15.5(3)M
  • Important Note: ISR G1 and G2 routers will need to be replaced to the next-generation G3, as no IOS release for these platforms are compliant with PCI DSS 3.2.

The following releases allow disabling previous versions of TLS and only use TLS 1.2

• CUCM/CUC/IM&P 11.5(1)SU3 and 12.0
• UCCX as a:
  • server (web admin, Finesse, CUIC)  11.5(1)SU1 or 11.6(1)
  • client (to connect to an external integration) 10.6(1)SU3, 11.5(1)SU1 or 11.6(1)
• Expressway X8.10

Long-time Cisco UC customers running Cisco IP Phones 7900 Series will also be required to upgrade to more recent 7800 or 8800 Series hardware, as no new firmware is released for these older handsets. 

If your organization has any Bluetooth headsets in its environment, you may also need to verify the level of encryption provided. In addition, Cisco IP Communicator (CIPC) will not be TLS 1.2 compliant, so users must migrate to Jabber. 

The Professional and Managed Services teams at ZIRO are fully knowledgeable and have the processes in place to cover every aspect of PCI DSS to help you achieve and maintain compliance, and experts on staff to help you to navigate the process.