Vulnerability Description
| Name | 56209 - PCI DSS Compliance : Remote Acce ... |
| Synopsis | A remote access software has been detect ... |
| Description | Due to increased risk to the cardholder ... |
| See Also | N/A |
| Solution | N/A |
Full Answer
What are the security requirements for PCI DSS?
Below are the various security requirements that must be implemented to protect remote workers and their environments as specified by PCI DSS: For all remote network access from outside the corporate network, use multi-factor authentication. Enforce a strong password policy wherever passwords are used.
Are remote access programs PCI compliant?
It should be noted that remote access programs may be PCI compliant. However, login must be implemented securely using multiple authentication factors, the connection must be encrypted, and associated passwords must meet all requirements set by the PCI Data Security Standard.
What are the PCI DSS requirements for multi-factor authentication?
PCI DSS requirement 8.3.2 requires you to use multi-factor authentication for all remote network access from outside the organization’s network, including user, administrator, and third-party access for support or maintenance. Use unique credentials for each customer, valid only for service providers.
When should I enable or disable remote access for third parties?
Use remote accesses for third parties only when necessary. PCI DSS requirement 12.3.9 requires vendors and partners to enable remote access technologies only when needed by vendors and partners and be disabled immediately after use.
Install personal firewall software on portable computing devices that access the CDE remotely
PCI DSS requirement 1.4 requires you to install personal firewall software or equivalent functionality on any portable computing device that connects to the Internet outside the network, such as laptop computers used by employees and is also used to access the CDE. Firewall or equivalent configurations should include the following requirements:
Monitor third-party remote accesses
PCI DSS requirement 8.1.5 requires you to manage identities used by third parties to access, support, or maintain system components via remote access as follows:
Use multi-factor authentication (MFA) controls
PCI DSS requirement 8.3.2 requires you to use multi-factor authentication for all remote network access from outside the organization’s network, including user, administrator, and third-party access for support or maintenance.
Use unique credentials for each customer, valid only for service providers
According to PCI DSS requirement 8.5.1, service providers with remote access to customer facilities for activities such as supporting POS systems or servers must use unique authentication information for each customer.
Establish usage policies for critical technologies, including remote access
Under PCI DSS requirement 12.3, you must develop usage policies for critical technologies and define the correct use of these technologies, including:
Automatically terminate remote access sessions after a specified time
PCI DSS requirement 12.3.8 requires automatic disconnection of sessions for remote access technologies after a specified period of inactivity.
Use remote accesses for third parties only when necessary
PCI DSS requirement 12.3.9 requires vendors and partners to enable remote access technologies only when needed by vendors and partners and be disabled immediately after use.
PCI DSS Compliance during the COVID-19 Pandemic
The PCI Security Standards Council has recognized the extraordinary circumstances companies around the world face at the present time and have issued guidance for remote work while stressing the need to maintain security practices to protect payment card data at this time.
Securing Processes
The physical space where an employee is working remotely and processing card payments must be effectively monitored and access to it controlled at all times. Locking a home office space is one-way employees can prevent physical access to any systems that process account data.
Limiting Data Exposure
Employees should only use company-approved hardware: whether it’s laptops, phones, or removable devices. In this way, companies can maintain control of systems and the technology supporting payment processing.