I am looking to achieve PCI compliance for my networking infrastructure, which includes CCX, currently running version 4.1 with IVR being used for credit card authentication. Not really sure where to start on this, so if anybody has any pointers on how the requirements for PCI compliance translate to what we actually need to do to the server, that would be much appreciated.
Sorry to resurrect this thread, but I'm going through this right now and I wanted to put in my findings.
Unless everyone involved in the audit lacks in-depth knowledge of how UCCX works, there is no way to be declared compliant in taking PCI without significant comp controls in place when taking credit cards via IVR in UCCX. I am not an auditor or a security expert, to be clear. I've been led to believe that with significant comp controls in place (burdensome) you could get through but that might depend on the auditor.
Here is why:
1) UCCX requires Digits be passed out of band using CTI from UCM. UCCX does not support Secure CTI Signaling, so this is passed un-encrypted. Cisco has never signaled intent to change this with UCCX.
2) When UCCX submits the PCI to a payment processor or a web application, it will do so via HTTP. You can get UCCX to use HTTPS for these script editor steps with some blood, sweat, and tears, but it appears current versions are vulnerable to various issues in TLS, some more so than others, including fallback attacks.
Also, if you're using a gateway that passes DTMF to CUCM in anything other than inband with an MTP, you're also sending those key presses in the signaling channel. This means if you're not encrypting your signaling channel you're also at risk of failing.
Unfortunately not all gateway protocols are created equally, and each gateway protocol will have its own level of vulnerability on the signaling channel. Your best bet is using SIP and forcing TLS 1.2 as the signaling transport security protocol.
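Added example, not part of the original posts: a small Python audit helper that reads SIP messages and flags any that carry DTMF key presses in the signaling channel (SIP INFO `application/dtmf-relay` or a KPML NOTIFY) over a transport other than TLS. The sample messages are constructed, the function names are hypothetical, and the check assumes the topmost `Via` header, which only describes the most recent hop.

```python
import re

def build_msg(method, transport, ctype, body):
    # Constructed sample message; addresses are documentation placeholders.
    return (f"{method} sip:ivr@192.0.2.10 SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 192.0.2.20;branch=z9hG4bK-demo\r\n"
            f"Content-Type: {ctype}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

CLEAR_INFO = build_msg("INFO", "UDP", "application/dtmf-relay",
                       "Signal=4\r\nDuration=160\r\n")
TLS_INFO = build_msg("INFO", "TLS", "application/dtmf-relay",
                     "Signal=4\r\nDuration=160\r\n")
KPML_TCP = build_msg("NOTIFY", "TCP", "application/kpml-response+xml",
                     '<kpml-response version="1.0" code="200" text="OK" digits="4"/>')
SDP_INVITE = build_msg("INVITE", "UDP", "application/sdp", "v=0\r\n")

def parse_sip(raw):
    """Split a SIP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # setdefault keeps the first (topmost) Via, i.e. the most recent hop.
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body

def dtmf_exposure(raw):
    """Return (digit_count, transport, exposed) or None if no DTMF in signaling.

    Only the number of digits is reported so the audit output never
    contains the key presses themselves.
    """
    _, headers, body = parse_sip(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/dtmf-relay":
        m = re.search(r"^Signal\s*=\s*([0-9A-D*#])", body, re.M | re.I)
    elif ctype == "application/kpml-response+xml":
        m = re.search(r'digits="([0-9A-D*#]+)"', body, re.I)
    else:
        return None
    if not m:
        return None
    via = re.match(r"SIP\s*/\s*2\.0\s*/\s*(\w+)", headers.get("via", ""))
    transport = via.group(1).upper() if via else "UNKNOWN"
    return len(m.group(1)), transport, transport != "TLS"

if __name__ == "__main__":
    for name in ("CLEAR_INFO", "TLS_INFO", "KPML_TCP", "SDP_INVITE"):
        print(name, dtmf_exposure(globals()[name]))
```

DTMF sent in the media stream is outside what this helper inspects; it only covers digits carried in SIP signaling bodies.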