Cisco Support Community
Community Member

PCI compliance question

There is some disagreement among members of my IT staff over a PCI-compliance scenario.

I have two networks connected through an intermediate corporate network. One of the networks resides behind a firewall (FWSM) and a F5 with a layer 7 firewall. Clients access a secure application through the F5 and firewall.

The other network is also behind firewalls (ASA pair with IPS), and that is where the clients who access the secure application reside. That network also involves layer-2 security and lots of monitoring, etc.

There are two redundant links through the intermediate corporate network to get to the first network. All of the traffic between client and secure application is via https.

One of the engineers is insisting that these two networks have to be directly, physically connected. In other words, the WAN links would have to literally terminate on the firewalls on both sides (the connections are metro-ethernet through AT&T). He says we cannot send traffic through any devices on the corporate network that are not behind firewalls, even though the data is heavily encrypted.

This would involve serious technological hurdles, as the networks are geographically apart, and I need to run routing protocols to provide failover.

Is the engineer correct in terms of PCI compliance, or does this sound like a good setup?

Hall of Fame Super Silver

Re: PCI compliance question

Caveat - I'm not a PCI QSA (auditor) but I do have a fair amount of network security experience, including having worked for a merchant required to meet PCI compliance.

The traffic in transit needs to be secured - your https is accomplishing that (assumption - you're using protected client workstations, trusted certificates, strong ciphers only etc.). The corporate network across which the transactions travel does not have to be separate. Physical segmentation MAY be one means of additional protection for the data in transit but it is not required.

I recommend having a look at the updated cloud computing PCI DSS guidelines and thinking of your corporate network as kind of a "private cloud" in that context.

See also the PCI DSS Requirements standard (page 11) which states:

"Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network."
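As an added illustration (not part of the original thread, and not Cisco or PCI SSC material), the Python model below shows what the quoted passage means by logical segmentation through "properly configured internal network firewalls" and "strong access control lists". It models the two enforcement points the question describes, the client-side ASA and the FWSM in front of the F5, as first-match ACLs and checks which flows survive the trip across the shared corporate network. All addresses, subnets and rule sets are constructed for the example; the real deployment's policy and addressing are not in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry, evaluated first-match like a Cisco extended ACL."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip = any protocol)
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port; None = any port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching rule wins; an ACL with no match is an implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action == "permit"
    return False


def flow_permitted(path: List[List[Rule]], proto: str, src: str, dst: str, dport: int) -> bool:
    """A flow completes only if every enforcement point along its path permits it."""
    return all(evaluate(acl, proto, src, dst, dport) for acl in path)


# Constructed addressing; the thread gives no real addresses.
CLIENT_NET = "10.10.0.0/16"  # client segment behind the ASA pair
APP_NET = "10.20.0.0/16"     # secure-application segment behind FWSM + F5
APP_VIP = "10.20.5.10/32"    # F5 virtual server fronting the application
CORP_NET = "10.30.0.0/16"    # intermediate corporate transit network

# Outbound ACL on the client-side ASA (hypothetical policy).
ASA_OUT = [
    Rule("permit", "tcp", CLIENT_NET, APP_VIP, 443),  # only HTTPS to the VIP
    Rule("deny", "ip", CLIENT_NET, APP_NET),          # nothing else into the app segment
    Rule("permit", "ip", CLIENT_NET, "0.0.0.0/0"),    # ordinary corporate traffic
]

# Inbound ACL on the FWSM in front of the F5 (hypothetical policy).
FWSM_IN = [
    Rule("permit", "tcp", CLIENT_NET, APP_VIP, 443),  # implicit deny for everything else
]


def segmentation_report() -> Dict[str, bool]:
    """Which flows reach the application across the shared corporate network?"""
    client = "10.10.3.7"     # workstation in the client segment
    corp_host = "10.30.1.5"  # unmanaged host sitting on the transit network
    vip = "10.20.5.10"
    return {
        # Client to app over HTTPS crosses both firewalls: the intended flow.
        "client_https_to_app": flow_permitted([ASA_OUT, FWSM_IN], "tcp", client, vip, 443),
        # Same client, plaintext HTTP: stopped at the ASA and again at the FWSM.
        "client_http_to_app": flow_permitted([ASA_OUT, FWSM_IN], "tcp", client, vip, 80),
        # Client to another host in the app segment: explicit deny on the ASA.
        "client_to_app_segment_host": flow_permitted([ASA_OUT, FWSM_IN], "tcp", client, "10.20.5.99", 443),
        # A host on the corporate transit network never passes the ASA, only the FWSM.
        "corp_host_https_to_app": flow_permitted([FWSM_IN], "tcp", corp_host, vip, 443),
    }


def broad_permits(acl: List[Rule]) -> List[Rule]:
    """Flag permit entries that open every protocol from or to any address."""
    return [r for r in acl if r.action == "permit" and r.proto == "ip"
            and (r.src == "0.0.0.0/0" or r.dst == "0.0.0.0/0")]


if __name__ == "__main__":
    for name, allowed in segmentation_report().items():
        print(f"{name:28s} {'PERMIT' if allowed else 'DENY'}")
    print("broad permits on FWSM_IN:", broad_permits(FWSM_IN))
    print("broad permits on ASA_OUT:", broad_permits(ASA_OUT))
```

The point the model makes is the one the answer makes: the corporate transit network can be treated as untrusted, because the only flow that completes end to end is TCP/443 from the client segment to the F5 VIP, and that flow carries TLS. A host on the transit network is stopped by the FWSM's implicit deny without ever touching the ASA. The `broad_permits` check is the kind of thing a QSA looks for on the inbound, cardholder-facing ACL; it flags the `permit ip any` style entry on the outbound client ACL but finds nothing of the sort on the FWSM side.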
