Damien is right. I've done a similar implementation, but the switching is on AS/400 instead of BASE24; however, the solution would be the same. These are the steps I took:
1. Tap the network, using a TAP or SPAN of your choice, since Switching won't allow us to install any agent on their server.
2. Do the PCAP, parsing, and masking IN MEMORY, since it is audited as CDE in PCI DSS compliance.
3. Send the parsed and masked data to the Splunk Forwarder. Done!
Step number 2 is important, since some fields in BASE24 contain Sensitive Authentication Data such as the encrypted PIN and full Track 2 data; it will break compliance if we store the PCAP in the indexer.
However, with proper treatment, I can even exclude the Indexer and Search Head from the CDE in PCI DSS compliance. Only the Forwarder and TAP are audited as CDE.
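The in-memory masking stage in step 2, as an added example that is not the poster's code or any BASE24 tooling. It assumes the capture has already been decoded into a dict keyed by ISO 8583 data element number (DE2 PAN, DE14 expiry, DE35 Track 2, DE45 Track 1, DE52 PIN block); those field numbers are the standard ISO 8583 ones and are an assumption about the decoded message, not something the post states. Sensitive Authentication Data fields are dropped outright (PCI DSS does not allow storing them after authorisation even encrypted), the PAN is truncated to first six and last four, and a Luhn-based leak guard refuses to emit any event that still contains a PAN-like digit run, so a field-mapping mistake fails closed instead of leaking into the indexer.

```python
"""Added example: mask PCI DSS Sensitive Authentication Data (SAD) from a
decoded BASE24/ISO 8583 message in memory, emit one Splunk-ready JSON line,
and refuse to forward anything that still looks like a PAN.

Assumption (not from the post): fields arrive as {DE number: value} using the
standard ISO 8583 numbering.
"""
import json
import re

# SAD must never be stored after authorisation, encrypted or not, so these
# fields are dropped rather than masked. Assumed DE mapping.
SAD_FIELDS = {35: "track2", 45: "track1", 52: "pin_block"}
PAN_FIELD = 2
REDACTED = "<REDACTED>"

# Candidate PAN: 13-19 consecutive digits (then filtered by Luhn).
PAN_LIKE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS masking rule);
    anything with ten or fewer digits is fully masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_message(fields: dict) -> dict:
    """Build a new dict; the caller discards the raw one so SAD never persists."""
    masked = {}
    for de, value in fields.items():
        if de in SAD_FIELDS:
            masked[de] = REDACTED
        elif de == PAN_FIELD:
            masked[de] = mask_pan(value)
        else:
            masked[de] = value
    return masked


def find_pan_like(text: str) -> list:
    """Leak guard: every Luhn-valid 13-19 digit run in the text."""
    return [m for m in PAN_LIKE.findall(text) if luhn_ok(m)]


def to_splunk_event(fields: dict) -> str:
    """Mask, serialise as a single JSON line for the forwarder, and fail closed
    if a PAN-like value survived (e.g. a field the mapping did not cover)."""
    masked = mask_message(fields)
    line = json.dumps(
        {
            "sad_dropped": sorted(SAD_FIELDS[d] for d in fields if d in SAD_FIELDS),
            "fields": {f"DE{k}": v for k, v in masked.items()},
        },
        separators=(",", ":"),
    )
    leaks = find_pan_like(line)
    if leaks:
        # Deliberately report only a count: the exception text may be logged.
        raise ValueError(f"PAN-like data would leave the CDE: {len(leaks)} hit(s)")
    return line


# Constructed sample: an authorisation request using the well-known
# 4111 1111 1111 1111 test PAN. This is not a real BASE24 capture.
SAMPLE = {
    0: "0200",
    2: "4111111111111111",
    4: "000000012345",
    7: "0115093012",
    11: "000123",
    14: "2512",
    35: "4111111111111111=251210100001234",
    41: "TERM0001",
    52: "A1B2C3D4E5F60718",
}

if __name__ == "__main__":
    print(to_splunk_event(SAMPLE))
```

In the architecture described above this sits on the capture host between the parser and the forwarder input; only the string returned by `to_splunk_event` is handed to the forwarder, and the raw decoded dict goes out of scope immediately after. The leak guard is what lets you argue the indexer is out of scope: it runs on every event, not just on fields you remembered to map.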