Is two-factor authentication required between two different segments of an internal network?
PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company?s own network, either from the Internet or from an ?untrusted” network or system such as an employee accessing the corporate network using his/her mobile computer. Internal company LAN-to-LAN access (e.g. between two offices via VPN) is not considered remote access for purposes of this requirement. If the corporate network has appropriate segmentation such that remote users cannot access the cardholder data environment, two-factor authentication during remote access to the corporate network is not required by PCI DSS. However, two-factor authentication is required for any remote access to the cardholder data environment, and is recommended for remote access to the corporate network. PCI SSC recommends engaging a Qualified Security Assessor (QSA) for guidance as to whether network segmentation is adequate or whether a specific implementation will satisfy this requirement. Please see our list of QSAs at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf