Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
798
Views
0
Helpful
1
Replies

PCI compliance question

Colin Higgins
Level 2
Level 2

‎10-17-2013 06:06 PM - edited ‎02-21-2020 05:01 AM

There is some disagreement among members of my IT staff over a PCI-compliance scenario.

I have two networks connected through an intermediate corporate network. One of the networks resides behind a firewall (FWSM) and a F5 with a layer 7 firewall. Clients access a secure application through the F5 and firewall.

The other network is also behind firewalls (ASA pair with IPS), and that is where the clients who access the secure application reside. That network also invloves layer-2 security and lots of monitoring, etc.

There are two redundant links through the intermediate corporate network to get to the first network. All of the traffic between client and secure application is via https.

One of the engineers is insisting that these two networks have to be directly, physically connected. In other words, the WAN links would have to literally terminate on the firewalls on both sides (the connections are metro-ethernet through AT&T). He says we cannot send traffic through any devices on the corporate network that are not behind firewalls, even though the data is heavily encrypted.

This would involve serious technological hurdles, as the networks are geographically apart, and I need to run routing protocols to provide failover.

Is the engineer correct in terms of PCI compliance, or does this sound like a good setup?

0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-18-2013 09:09 AM

Caveat - I'm not a PCI QSA (auditor) but I do have a fair amount of network security experience, including having worked for a merchant required to meet PCI compliance.

The traffic in transit needs to be secured - your https is accomplishing that (assumption - you're using protected client workstaitons, trusted certificates, strong ciphers only etc.). The corporate network across which the transactions travel does not have to be separate. Physical segmentation MAY be one means of additional protection for the data in transit but it is not required.

I recommend having a look at the updated cloud computing PCI DSS guidelines and thinking of your corporate network as kind of a "private cloud" in that context.

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

See also the PCI DSS Requirements standard (page 11) which states:

"Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network."

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card