PCI Watch

Tracking changes in the Payment Card Industry
FAQs » FAQ #1035 » Versions » Diff

Diff: FAQ #1035

What is the definition of "remote access"?

Earlier Version
2008-11-06 00:00:00 UTC
Later Version
2014-05-28 00:00:00 UTC
Removed
Added
PCThe term “remote access” refers to access to a computer network from a location outside of that network.

Examples of remote access include access from the I DSS requirement 8.3 is intended to applnternet, an “untrusted” network or sy to users that hastem, a third party serve remote access to the networkice provider, where that remote access could lead to access to the cardholder data enaccess from a third party location (such as a business partner or business customer), or access by personnel from a portable computer ovironment.er the In this context, remote access refers to network-level access originating from outside the company?s own network, either from the Internet or from an ?untrusted? network or system such as an employee accessing the corporate network using his/her mobile computerternet. Internal company LAN-to-LAN access (e.g.for example, two corporate locations connected between two offices viay VPN within the same entity) is not considered remote access for the cardholder data en, as both locations are under the control of the same entity. Access between two different entities (evironment. In this context, remote access refers to network-level access originating from outside the company?s own network, either from the Internet or from an ?untrusted? network or system such as an employee accessing the corporate network using his/her mobile computer. Internal company LAN-to-LAN access (e.g. between two officesen if via VPN or private line) is not considered remote access for purposes of this requirement, such as access involving business customers or third party service providers, is considered remote access. If the corporate network has appropriate segmentation such that remote users cannot access the cardholder data environment, two-factor authentication during remote access to the corporate network is not required by

As defined in PCI DSS Requirement 8. Howe3, two-factor authentication is required for all remote network access that originates from outside the entity’s own network, where that remote access could lead to access to the cardholder data enver, two-factor authentication is required for any remote access to the cardholder data environment, and is recommended for remote access to the corporate networkironment.

PCI SSC recommends engaging a Qualified Security Assessor (QSA) for guidance as to whether network segmentation is adequate or whether a specific implementation will satisfy this requirement. Please see our list of QSAs at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf