PCI DSS Article Number 1153, released October 2012, is fairly clear about when VoIP is in or out of scope for PCI compliance, and a lot of companies have designed the UC solutions that need to be PCI compliant around those guidelines.
However, things are changing once again. PCI DSS 3 comes into effect June 31 2018 and introduces a significant change in security requirements.
In simple terms, to be PCI DSS 3 compliant you must not offer or allow the use of any protocol version lower than TLS 1.2 on your network. You must therefore be able to disable TLS 1.0, TLS 1.1, SSL 3.0 and older protocols on your network and admin portals.
What is the risk?
SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel. Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE-2014-3566) that may allow attackers to extract data from secure connections. More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it’s possible to decrypt an encrypted message secured by SSL v3.0.
The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol.
The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2. Note that not all implementations of TLS v1.1 are considered secure – refer to NIST SP 800-52 rev 1 for guidance on secure TLS configurations.
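The practical follow-up to the advice above is to verify, from the outside, which protocol versions each UC component (call control, admin portal, phone load server) will actually negotiate. The script below is an added example, not code from the original article or from Cisco or the PCI SSC; it uses only Python's standard `ssl` module, probes one version at a time, and judges the result against the TLS 1.2 floor stated earlier on this page. Host and port are assumed command-line arguments; `localhost:443` is just a placeholder default. One caveat it handles explicitly: a modern OpenSSL may refuse to even offer SSLv3 or TLS 1.0/1.1 from the client side, and that outcome must be reported as "could not probe", never as "the server rejected it".

```python
"""Probe which SSL/TLS versions a server negotiates and judge the result
against a TLS 1.2 floor (example code, not from the article or any vendor)."""
import socket
import ssl
import sys

# Versions to probe, oldest first. TLS 1.3 is included because a server that
# offers 1.2 and 1.3 still satisfies the "nothing below TLS 1.2" requirement.
PROBE_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
MINIMUM_ALLOWED = ssl.TLSVersion.TLSv1_2  # the floor the page requires


def probe_version(host, port, version, timeout=5.0):
    """Offer exactly one protocol version to the server.

    Returns "accepted" (handshake completed), "rejected" (server refused the
    handshake), "error" (no TCP connection) or "unsupported" (the local
    OpenSSL would not offer this version at all, so nothing was learned).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only want to learn what the server offers, not validate its identity,
    # so certificate and hostname checks are off for the probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 refuses TLS < 1.2 at its default security level; lower it
        # for the probe so the legacy version is genuinely offered.
        if version < ssl.TLSVersion.TLSv1_2:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"
    except OSError:  # refused, timed out, unreachable
        return "error"


def probe_all(host, port):
    """Map every version in PROBE_VERSIONS to its probe status."""
    return {v: probe_version(host, port, v) for v in PROBE_VERSIONS}


def assess(results):
    """Judge probe results against MINIMUM_ALLOWED.

    Returns (verdict, findings): "FAIL" if any version below the floor was
    accepted or no version at/above it was; "INCONCLUSIVE" if a legacy version
    could not be probed from this host; otherwise "PASS".
    """
    findings = []
    modern_ok = any(results.get(v) == "accepted"
                    for v in PROBE_VERSIONS if v >= MINIMUM_ALLOWED)
    if not modern_ok:
        findings.append("no TLS 1.2 or TLS 1.3 handshake succeeded")
    legacy_accepted = inconclusive = False
    for version in PROBE_VERSIONS:
        if version >= MINIMUM_ALLOWED:
            continue
        status = results.get(version, "unsupported")
        if status == "accepted":
            legacy_accepted = True
            findings.append(f"{version.name} accepted by server: must be disabled")
        elif status in ("unsupported", "error"):
            inconclusive = True
            findings.append(f"{version.name} could not be probed from this host")
    if legacy_accepted or not modern_ok:
        return "FAIL", findings
    if inconclusive:
        return "INCONCLUSIVE", findings
    return "PASS", findings


if __name__ == "__main__":
    # Placeholder defaults; pass the real host and port on the command line.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe_all(target_host, target_port)
    for v, status in outcome.items():
        print(f"{v.name:8} {status}")
    verdict, notes = assess(outcome)
    print(verdict, *notes, sep="\n  ")
```

Run it once per TLS endpoint in the diagram (the CUCM admin page, the TFTP/HTTPS load server, the inter-cluster ports). An INCONCLUSIVE result means the probing host, not the UC component, is the limitation; repeat it from a machine whose OpenSSL still offers the legacy versions before signing the endpoint off.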
How does this affect VoIP and IP Telephony?
The image below outlines the TLS relationships between the entities in a VoIP solution. This scenario is not specific to Cisco; it applies to all vendors. Phones use TLS to download their load files and configuration information, the call control uses TLS to communicate with the other control elements within the cluster, and the administrator uses TLS to create a secure channel to manage and modify the UC components.
From a Cisco perspective there will be two versions of Cisco Unified Communications Manager and IM&P that will support TLS 1.2 only, namely CUCM 12 and CUCM 11.5.1(su3). For strict PCI compliance, i.e. with TLS 1.1 and TLS 1.0 disabled, you must be on one of these versions.
The legacy phone range (79XX etc.) will not be TLS 1.2 compliant and will need to be upgraded to the newer 78XX and 88XX ranges. IP Communicator and the ISR G2 will also not be TLS 1.2 compliant.
The following table lists the software versions that will be TLS 1.2 (only) compliant and the version you should move to. Note that some products will require a software change, while others will require a hardware uplift.
Bear in mind that these regulations only affect scenarios where PCI compliance is required for VoIP networks.