I realize there is already a PCI compliance topic, but our situation is a bit different than the compliance issue in the previous posting.
We are potentially looking to test Meraki at a bank location. We need to be able to setup a Meraki tunnel to FiServ servers, but are being told we will not be PCI compliant because Meraki is a cloud managed system. Has anyone used Meraki with FiServ? If so, do you use an on-premise or AWS connection instead of connecting straight to FiServ? Are you using Meraki with FiServ and maintaining PCI Compliance?
Any help would be appreciated.
This topic seems intriguing to me. Is it FiServ that is telling you that you will not be PCI compliant "because Meraki is a cloud managed system?" Truly, I believe they need to give more of an explanation as to why this particular "cloud managed solution" configuration would not be PCI compliant. I could be wrong here, but does Meraki not pride itself in being a very capable and secure "cloud managed system" that has many customers running within PCI Compliance? Sorry I'm not much help here, but this seems like an uneducated denial on their part...
In a Meraki environment no customer data (in particular no credit card information) is sent to the cloud. The cloud is used strictly for management. So the Meraki cloud does not fall under the scope of the PCI requirements.
The PCI standard makes no mention of management. I would ask FiServ to tell you and quote which section and paragraph of the PCI standard that says that cloud management has to be PCI certified. I suspect they wont be able to give you this detail.
Here is a further reference:
"PCI audits can be expensive and time-consuming, especially when the audit scope includes your entire network infrastructure. PCI DSS security requirements apply to all system components, where “system components” are defined as “any network component, server, or application that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access point, network appliances, and other security appliances.
Meraki’s cloud hosted WLAN controller is out of band, meaning that wireless traffic (including cardholder data) does not flow through Meraki’s cloud-hosted controller or any other Meraki infrastructure not behind your firewall. Meraki’s datacenters are SAS 70 type II certified, feature robust physical and cyber security protection, and are regularly audited by third parties. While Meraki’s datacenters are considered out of scope for any WLAN networks PCI audit, Meraki has taken the additional step to obtain PCI certification for our datacenters. Meraki datacenters have passed the Level 1 PCI audit, the most rigorous level for PCI compliance."
We use FiServ for something with payroll and have an MX providing Internet. No complaints from FiServ on this setup. As others have pointed out, Meraki is PCI compliant so I'm not sure what the issue would be. You're not sending user traffic to Meraki at any point.
@MRCUR, how do you connect to FiServ if you don't mind me asking? Do you have a direct connection from your MX device or do you use a FiServ provided router?
@MRCUR, interesting. Would it be possible for us to maybe get into a call with you and my team? If so, please DM a time that works best for you and we can get the ball rolling. This is new territory for us and we keep getting the run around from our FiServ contact.
@Mr_IT_Guy I'm not involved enough with it to speak to it unfortunately. We're very likely using it differently from use so I suspect that's where the different requirements are coming into play.