Diff: FAQ #1078
Is two-factor authentication required between two different segments of an internal network?
Earlier Version
Later Version
Removed
Added
As defined in PCI DSS requirement 8.3 is intended to apply toRequirement 8.3, two-factor authentication is required for all remote network access that originates from outside the entity’s own network, where that remote access could lead to access to the cardholder data environment. This typically applies where the access originates either from the Internet or from an ?untrusted” network or system; for example, access from a third party location or access by personnel from a portable computer over the Internet. Internal company communications between different network segments within the same entity is not generally considered remote access, as both locations are under the control of the same entity and would be considered ?trusted?. Two-factor authentication is therefore not required for communications between trusted segments of an internal network. However, if an internal network segment is used to facilitate access between an untrusted network and the CDE, two-factor authentication is required for connections from the untrusted network to the internal network.
If remote access is to an entity?s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, two-factor authentication for remote access to thathave remote access to the network, where that remote access could lead tonetwork would not be required. However, two-factor authentication is required for any remote access to networks with access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company?s own network, either from the Internet or from an ?untrusted” network or system such as an employee accessing the corporate network using his/her mobile computer. Internal company LAN-to-LAN access (e.g. between two offices via VPN) is not considered remote access for purposes of this requirement. If the corporate network has appropriate segmentation such that remote users cannot access the cardholder data environment, two-factor authentication during remote access to the corporate network is not required by PCI DSS. However, two-factor authentication is required for any remote access to the cardholder data environment, and is recommended for remote access to the corporate network. PCI SSC recommends engaging a Qualified Security Assessor (QSA) for guidance as to whether network segmentation is adequate or whether a specific implementation will satisfy this requirement. Please see our list of QSAs at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdfall remote access to the entity?s networks.
If remote access is to an entity?s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, two-factor authentication for remote access to that
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.