Dealing with Cisco’s end-of-sale cycle is a stressful experience. This is an issue for companies maintaining PCI compliance. With a lot of companies, when their product reaches its end of sale cycle then they stop assisting the customer with ways for their device to stay PCI compliant. With Cisco though, they make sure that when their customers can still receive assistance from Cisco with trying to remain PCI compliant after that end-of-sale period. Cisco devices that are no longer patchable leave a system exposed to the following:
- Sensitive cardholder data can be stolen
- The perimeter, internal, and wireless networks could be breached
- Payment card applications could be breached
Several customers have experienced these issues because the Cisco devices they are using have reached their end-of-sale cycle, and the devices are subject to not be able to comply with being able to stay PCI compliant. Cisco recognized this was becoming an issue for their customers and developed a program to deal with end of sale devices and PCI compliance. Cisco created an end-of-life policy contract that allowed customers to keep their end-of-sale devices and stay PCI compliant. The services offered include:
- For the first year, Cisco will provide bug fixes, maintenance releases, workarounds or patches for critical bugs reported on the Cisco website.
- After the first year and for Operating System software, Cisco will provide bug fixes, maintenance releases, workarounds or patches for a period of 4 years for operating system software.
- After the first year and for application software, Cisco will provide bug fixes, maintenance releases, workarounds, or patches for a period of 2 years
Cisco customers can keep up-to-date by visiting Cisco’s website. Here, customers can keep track of devices that have reached their end-of-life. Cisco usually lets the customer know six months in advance.
For example, CS-MARS end of life date was in 2008, and customers did not know about Cisco’s end-of-life policy contract. Some customers went four years thinking they were out of compliance with PCI. The best practice right now is to upgrade to CS-Mars 6.1.6. You will have to do this by June 19, 2013 because after that there will be no contract extensions for models 100, 1003, 200, GCm, and GC. This is because they will have reached the end of their 5 year service contract policy implemented by Cisco.
Note, this contract is called an end-of-life policy contract not because the device has completely reached its end of life period, but it has reached its end of sale mark and is now in the 5 year period of the end –of-life cycle. This is good that Cisco does this because this gives customers a 5 year period to update their devices before they completely fall of the mark of being able to be PCI compliant.
If you know your Cisco device has reached its end of sale date then go ahead and upgrade if the device is close to its end of life date. If your device has recently reached its end of sale date and is in the 5 year end of life cycle process then take advantage of Cisco’s end-of-life cycle policy contract. Make sure though to not wait until the last minute to upgrade though. Cisco wants their customers to stay PCI compliant, so with them offering this end of life cycle policy contract, Cisco expects customers to before the end of that 5 year cycle. With all that said, keep updated and stay PCI compliant.