Developer Network

« Back to General Discussion - All Versions

PCI Compliance

Combination View

Janine Graves Posts: 1308 Join Date: 5/2/08 Recent Posts	PCI Compliance Answer 9/16/09 3:54 AM Mark as an Answer Submit Reply with Quote Quick Reply Does anyone know if there is documentation on how to make Vxml Server (and CVP) PCI compliant? For example, if I enable secure logging in my studio application, does that make it PCI compliant? Thanks, Janine
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Ranjana Narayan Posts: 124 Join Date: 4/8/08 Recent Posts	RE: PCI Compliance cvp pci Answer 10/12/09 3:01 PM as a reply to Janine Graves. Mark as an Answer Submit Reply with Quote Quick Reply Janine, Currently CVP has not been tested or certified to be PCI compliant, and hence there are no existing documents. The verification against PCI is listed on our to-do. Regards, Ranjana.
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Alison A Posts: 9 Join Date: 6/7/10 Recent Posts	RE: PCI Compliance Answer 12/7/10 5:41 PM as a reply to Ranjana Narayan. Mark as an Answer Submit Reply with Quote Quick Reply Janine, Currently CVP has not been tested or certified to be PCI compliant, and hence there are no existing documents. The verification against PCI is listed on our to-do. Regards, Ranjana. Dear Ranjan, I am currently using CVP in the bank and the the CVP has the interfaces to Bank Data on SSL ,my only question is there any starting point for CVP PCI Compliance ...etc ,trying to explore the Security on VXML G/W and PCI stuff, please CC TO ali_ahamed@yahoo.com
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Muhammad Amir Raza Posts: 7 Join Date: 9/4/08 Recent Posts	RE: New Message from ALI AHAMAD S.F. in Customer Voice Portal (CVP) - Gener Answer 12/8/10 2:36 PM as a reply to Alison A. Mark as an Answer Submit Reply with Quote Quick Reply HI Ranjana, Have Cisco tested CVP with PGW2200? Regards, Muhammad Amir Raza
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Peter Iannarelli Posts: 1 Join Date: 4/6/09 Recent Posts	RE: PCI Compliance Answer 12/8/10 8:04 PM as a reply to Janine Graves. Mark as an Answer Submit Reply with Quote Quick Reply PCI compliency is not a factor of CVP nor the Tomcat contained within. It is more a factor of application implementation and the use of security best practicies, knowledge of java garbage collection and of course common sense. Regards, Peter Does anyone know if there is documentation on how to make Vxml Server (and CVP) PCI compliant? For example, if I enable secure logging in my studio application, does that make it PCI compliant? Thanks, Janine
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Benek Ozer Posts: 23 Join Date: 3/10/09 Recent Posts	RE: PCI Compliance Answer 12/8/10 8:41 PM as a reply to Janine Graves. Mark as an Answer Submit Reply with Quote Quick Reply Hi Janine, We recently completed a CVP project where the customer's major concern/requirement was PCI Compliance. They brought their standards into discussions and we took the necessary steps within the application, CVP Server and CVP Server to Gateway communications. Our team's reponsibility was to make sure no sensitive data is logged or sent to Reporting Server (like presonal data, credit card number captured on IVR) The communication between systems were secured with SSL enablement and firewalls built in necessary places. Back end integration was also very secure to the standards. User logins (like OAMP Server web interface login) and passwords were also had confirmed complexity and login timeouts were also standardized. Benek
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Alison A Posts: 9 Join Date: 6/7/10 Recent Posts	RE: PCI Compliance Answer 12/9/10 12:56 AM as a reply to Benek Ozer. Mark as an Answer Submit Reply with Quote Quick Reply Hello Benek, i am working on CVP project ,trying to find issue and gaps to address ,Would you mind sharing your CVP design template or some capacity sip port,security and any other major issues ,CVP is interfacing with Banking data there is quite loads issue i can see and recovery ...... please let me know ali_ahamed@yahoo.com Regards, Hi Janine, We recently completed a CVP project where the customer's major concern/requirement was PCI Compliance. They brought their standards into discussions and we took the necessary steps within the application, CVP Server and CVP Server to Gateway communications. Our team's reponsibility was to make sure no sensitive data is logged or sent to Reporting Server (like presonal data, credit card number captured on IVR) The communication between systems were secured with SSL enablement and firewalls built in necessary places. Back end integration was also very secure to the standards. User logins (like OAMP Server web interface login) and passwords were also had confirmed complexity and login timeouts were also standardized. Benek
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Muhammad Amir Raza Posts: 7 Join Date: 9/4/08 Recent Posts	RE: New Message from ALI AHAMAD S.F. in Customer Voice Portal (CVP) - Gener Answer 12/9/10 4:40 PM as a reply to Muhammad Amir Raza. Mark as an Answer Submit Reply with Quote Quick Reply Yes, tested and verified. check below call flow. 1. PSTN call arrives at the SS7 Switch. The SS7 Switch terminates media to the IOS Media Gateway via E1/T1 and terminates signaling to the ITP via E1/T1. 2. SS7 Switch sends SS7 call to Cisco IP Transfer Point (ITP). 3. ITP converts SS7 call to SS7/IP call. 4. ITP sends SS7/IP call to Cisco PGW 2200 Softswitch. 5. PGW converts SS7/IP call to SIP call. 6. PGW manages and routes the call, sending a SIP invite via the SIP proxy server. 7. The SIP proxy server routes the SIP invite to the Unified CVP Call Server SIP subsystem. 8. The Call Server accepts the SIP invite. 9. The Call Server ICM subsystem sends a route request to the ICM VRU PG. 10. ICM receives the request and runs the appropriate ICM script based on the dialed number label. 11. The ICM script can instruct CVP to manage IVR (play media, get digits, queue to skill group, transfer to agent, etc.). For queue to skill group, when a Unified Communications Manager (UCM) agent becomes available, ICM requests that the CVP Server IVR subsystem transfers the call the selected agent. 12. The Call Server sends a SIP invite via the SIP proxy server. 13. The SIP proxy server routes the SIP invite to the UCM. 14. The UCM accepts the SIP invite and routes the call to the select IP agent phone, connecting the caller to the agent. <font face="Arial" size="1"><font face="Arial" size="1"> </font></font><font face="Arial" size="1"> </font>
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Janine Graves Posts: 1308 Join Date: 5/2/08 Recent Posts	Re: New Message from Benek Ozer in Customer Voice Portal (CVP) - General Di Answer 12/11/10 2:25 AM as a reply to Benek Ozer. Mark as an Answer Submit Reply with Quote Quick Reply Thanks Benek for this information. Can you tell me whether enabling 'Secure Logging' in the Studio application (in the elements that collect caller input, there's a Setting named 'Enable Secure Logging') kept the data from going to the reporting server? I know it keeps it out of the Activity Log. Thanks again, Janine On 12/8/2010 8:41 AM, Cisco Developer Community Forums wrote: > Benek Ozer has created a new message in the forum "General Discussion > - All Versions": > > -------------------------------------------------------------- > Hi Janine, > Â > We recently completed a CVP project where the customer's major > concern/requirement was PCI Compliance. They brought their standards > into discussions and we took the necessary steps within the > application, CVP Server and CVP Server to Gateway communications. > Â > Our team's reponsibility was to make sure no sensitive data is logged > or sent to Reporting Server (like presonal data, credit card number > captured on IVR) The communication between systems were secured with > SSL enablement and firewalls built in necessary places. Back end > integration was also very secure to the standards. User logins (like > OAMP Server web interface login) and passwords were also had confirmed > complexity and login timeouts were also standardized. > Â > Benek > Â > Â > -- > To respond to this post, please click the following link: > > <http://developer.cisco.com/web/cvp/forums/-/message_boards/message/2812744> > > or simply reply to this email. -- Janine Graves
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Benek Ozer Posts: 23 Join Date: 3/10/09 Recent Posts	RE: Re: New Message from Benek Ozer in Customer Voice Portal (CVP) - Genera Answer 12/11/10 1:55 PM as a reply to Janine Graves. Mark as an Answer Submit Reply with Quote Quick Reply Can you tell me whether enabling 'Secure Logging' in the Studio application (in the elements that collect caller input, there's a Setting named 'Enable Secure Logging') kept the data from going to the reporting server? I know it keeps it out of the Activity Log. Hi Janine, The parameters or variables captured or created by elements are written on vxmlelementdetail table on CVP Reporting DB Server. Enabling secure logging also works on reporting data. Normally, some of the element details for a capture element are 'value', 'nbestUtterance1', 'nbestInterpration1' When the same capture element has 'Secure logging' enabled, those details' names change to 'value_secureLogging', 'nbestUtterance1_secureLogging', 'nbestInterpration1_secureLogging' respectively where all their shown varvalue are read as '*****' Please also note that, this information is based on a lab configuration with CVP 7.02 components. Other CVP versions may or may not have the same behavior. Benek
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Alison A Posts: 9 Join Date: 6/7/10 Recent Posts	RE: New Message from ALI AHAMAD S.F. in Customer Voice Portal (CVP) - Gener Answer 12/17/10 7:58 PM as a reply to Muhammad Amir Raza. Mark as an Answer Submit Reply with Quote Quick Reply Yes, tested and verified. check below call flow. Guys i need some help on how we transfer Customer in to CVP for 60 Sec for input and after 60 seconds call comes back to same Agent, the scenarios is like this ,if customer calls land on CVP self service and customer will breakout to agent depending upon many situation like PIN change/credit card payment...etc when customer breakout to agent and agent will do temp transfer on the CVP for inputting those digits (PIN CHANGE, Credit card number or PAN number) after 60 seconds the calls comes back to same agent subsequently a validation code will be sent to Agent desktop as successful/Failed ,but agent should will not see any PIN/credit card number ..... above scenario i feel the the way how ICM /CVP scripts written and but the transfer to CVP is temp and there is time out like 60 sec calls should come back to same agent,i was also thinking Conferencing the same scenario but in the conferencing scenario can i mute while customer inputting the PIN/CARD NUMBER .............don¿t know i thought of above solution ,please if any one has done this solution please requested to share and your help will be much appreciated ..... Regards 1. PSTN call arrives at the SS7 Switch. The SS7 Switch terminates media to the IOS Media Gateway via E1/T1 and terminates signaling to the ITP via E1/T1. 2. SS7 Switch sends SS7 call to Cisco IP Transfer Point (ITP). 3. ITP converts SS7 call to SS7/IP call. 4. ITP sends SS7/IP call to Cisco PGW 2200 Softswitch. 5. PGW converts SS7/IP call to SIP call. 6. PGW manages and routes the call, sending a SIP invite via the SIP proxy server. 7. The SIP proxy server routes the SIP invite to the Unified CVP Call Server SIP subsystem. 8. The Call Server accepts the SIP invite. 9. The Call Server ICM subsystem sends a route request to the ICM VRU PG. 10. ICM receives the request and runs the appropriate ICM script based on the dialed number label. 11. The ICM script can instruct CVP to manage IVR (play media, get digits, queue to skill group, transfer to agent, etc.). For queue to skill group, when a Unified Communications Manager (UCM) agent becomes available, ICM requests that the CVP Server IVR subsystem transfers the call the selected agent. 12. The Call Server sends a SIP invite via the SIP proxy server. 13. The SIP proxy server routes the SIP invite to the UCM. 14. The UCM accepts the SIP invite and routes the call to the select IP agent phone, connecting the caller to the agent. <font face="Arial" size="1"><font face="Arial" size="1"> </font></font><font face="Arial" size="1"> </font>
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Alison A Posts: 9 Join Date: 6/7/10 Recent Posts	RE: PCI Compliance Answer 12/17/10 7:59 PM as a reply to Janine Graves. Mark as an Answer Submit Reply with Quote Quick Reply Guys i need some help on how we transfer Customer in to CVP for 60 Sec for input and after 60 seconds call comes back to same Agent, the scenarios is like this ,if customer calls land on CVP self service and customer will breakout to agent depending upon many situation like PIN change/credit card payment...etc when customer breakout to agent and agent will do temp transfer on the CVP for inputting those digits (PIN CHANGE, Credit card number or PAN number) after 60 seconds the calls comes back to same agent subsequently a validation code will be sent to Agent desktop as successful/Failed ,but agent should will not see any PIN/credit card number ..... above scenario i feel the the way how ICM /CVP scripts written and but the transfer to CVP is temp and there is time out like 60 sec calls should come back to same agent,i was also thinking Conferencing the same scenario but in the conferencing scenario can i mute while customer inputting the PIN/CARD NUMBER .............don¿t know i thought of above solution ,please if any one has done this solution please requested to share and your help will be much appreciated ..... Regards
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top