What is PCI DSS compliance?

The Payment Card Industry Security Standards Council (PCI SSC) formulated the Payment Card Industry Data Security Standard (PCI DSS) to set standards for organisations that store, process and transmit cardholder data. PCI DSS aims to prevent identity and card data theft by adding an additional level of protection.

Who needs to be PCI compliant?

PCI DSS applies to all companies that transmit, store or process primary account numbers (PAN) or cardholder data, both online and offline. Cardholder data includes the primary account number (PAN), cardholder name, expiry date, service codes and sensitive authentication data (SAD). PCI DSS compliance is a mandate and applies regardless of the size of the merchant or the number of card transactions processed per year.

This includes financial institutions such as banks, insurance companies, brokerage firms and lending agencies; all merchants, from hospitals, pharmacies, schools, universities, government agencies and restaurants to e-commerce companies; and service providers. The PCI council has also defined rules for software and hardware developers and device manufacturers.

Why engage in PCI compliant remote access software?

Remote access software is designed to let authorized technicians access and troubleshoot computers across the globe. This may involve an exchange of business data in and out of the corporate infrastructure over the internet. If your business needs to comply with PCI mandates, then you need to ensure that your remote access software is PCI DSS ready.

PCI DSS mandates for remote access software

Requirement | Requirement Description
Build and Maintain Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public network
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

Is Remote Access Plus PCI DSS compliant?

Remote Access Plus has a set of security features that will let you achieve the PCI DSS v4.0 mandates that are specific to remote access solutions. The following table outlines the PCI DSS control requirements that are fulfilled by Remote Access Plus.

The requirement description listed is taken from the PCI Security Standards Council website : https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf

Requirement | Requirement Description | Feature
2.2.2 & 8.3.6 Vendor default accounts are managed as follows:
- If the vendor default account(s) will be used, the default password is changed per Requirement
- If the vendor default account(s) will not be used, the account is removed or disabled
  1. Remote Access Plus lets administrators and technicians define their own passwords.
  2. Additionally, Remote Access Plus enforces stringent password policies and two-factor authentication to keep intruders out.
  3. Accounts that are not in use can be removed.

    Refer to: Password Policy
4.2.1
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:

- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for the encryption methodology in use.

  1. Remote Access Plus on-premises does not hold any customer data. Every detail is stored in a database within the customers' enterprise.
  2. In the case of Remote Access Plus cloud, all information in transit across public networks is protected by 256-bit AES encryption.
7.2.1
An access control model is defined and includes granting access as follows:

- Appropriate access depending on the entity’s business and access needs.
- Access to system components and data resources that are based on users’ job classification and functions.
- The least privileges required (for example, user, administrator) to perform a job function.

  1. The Remote Access Plus user administration model lets administrators define a scope for technicians and prevent them from accessing information beyond their privilege level. For example, a technician can be granted access to a specific group of computers or remote offices and be prevented from remotely accessing computers under other groups or remote offices.
  2. Remote Access Plus can be set to prompt for the end-user's approval every time before a remote session is initiated. Only upon confirmation from the user can the technician access the computer.
7.2.3 Required privileges are approved by authorized personnel.
  1. Remote Access Plus administrators can set granular permissions to technicians.
  2. Authorization to use tools such as file transfer and the command prompt can be granted to or revoked from technicians and administrators.
8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.
  1. Technicians cannot view, access, or modify settings established by administrators. Technicians are assigned unique passwords.
  2. In the case of Remote Access Plus cloud, technicians can set up their own passwords. Administrators can also instantly revoke the access of terminated technicians.
8.2.3 Additional requirements for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.
  1. To ensure the security of your accounts, it's crucial to have a robust security plan that begins before you log in.
  2. Enhance your login process's security with MFA (multi-factor authentication), 2FA (two-factor authentication), SSO (single sign-on), and SAML (security assertion markup language).
  3. Utilizing 2FA, you can employ apps like Zoho OneAuth, Google Authenticator, Microsoft Authenticator, or Gmail for an added layer of protection during login.

    Refer to: Secure Remote Access Software
8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.
  1. Remote Access Plus provides administrators with the ability to disable or lock inactive accounts.
  2. Administrators can automate the account disabling process by specifying the number of days a machine can remain inactive before being disabled.
8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
  1. In Remote Access Plus, when a user remains inactive for a specific duration, they are required to re-authenticate using their credentials.
  2. The product console allows the idle time to be adjusted within a range of 10 minutes to 8 hours.
8.3.3 User identity is verified before modifying any authentication factor.
  1. Prior to modifying any information, the user must authenticate using their credentials.
  2. For example, if a user wants to change their password, they will be required to enter their current password as a security measure before setting a new password.
8.3.4 Invalid authentication attempts are limited by:
- Locking out the user ID after not more than 10 attempts.
- Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.
  1. Remote Access Plus allows you to customize the password policy, granting you control over various aspects.
  2. One of the features of the password policy customization is the ability to enable user account lockout for invalid login attempts.
  3. You have the flexibility to specify the number of invalid login attempts allowed before an account is locked.
  4. Additionally, you can define the duration for which the account remains locked after reaching the maximum invalid login attempts.
8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
  1. Remote Access Plus enables the retention of multiple passcodes in its history.
  2. IT administrators can determine the desired number of previous passwords to be saved.
  3. This functionality prevents users from reusing their old passwords.
8.3.9
If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

- Passwords/passphrases are changed at least once every 90 days,
OR
- The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

  1. Remote Access Plus offers a security-enhancing feature that enforces password changes after a specified period.
  2. Users can customize the duration for password changes within a range of 30 to 120 days.
9.2.1 Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.
  1. Remote Access Plus on-premises does not hold any personal or critical customer data.
  2. The data is stored within the customer's own database.
  3. In the case of Remote Access Plus cloud, data transfer is fully secured in a highly reliable environment.
10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
  1. Remote access solutions must place a strong emphasis on accountability.
  2. Remote Access Plus records every remote session initiated, giving you visibility into all of them.
  3. It provides audit-ready reports on remote sessions with the start time, end time, and duration, as well as reports on chat sessions, registry value exports, and more.
10.2.2 Maintain audit controls.
  1. All remote sessions initiated from Remote Access Plus are continuously logged for audit and troubleshooting purposes.

12.7.1 Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.
  1. Remote Access Plus lets you define granular permission levels to technicians.
  2. You can allow technicians to access the diagnostic tools while restricting them from remotely controlling client computers.
  3. Permissions can be set to require explicit approval from the end-user every time before initiating remote control and certain diagnostic tools such as the file manager and command prompt, to ensure end-user privacy.
  4. Time-out settings can be configured to define the period of inactivity during remote sessions after which the session is automatically ended and the target computer locked.
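The table above pairs configurable product settings (lockout threshold and duration, password history, password expiry, idle timeout, inactive-account disabling) with fixed PCI DSS v4.0 limits. The following added example, which is not Remote Access Plus code, checks a hypothetical policy configuration against those quoted limits; the `AccessPolicy` field names are assumptions, and both sample policies are constructed.

```python
# Added example (not ManageEngine code): check a hypothetical remote-access
# password/session policy against the PCI DSS v4.0 thresholds quoted above.
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    max_failed_logins: int      # 8.3.4: lock out after not more than 10 attempts
    lockout_minutes: int        # 8.3.4: lockout lasts at least 30 minutes
    password_history: int       # 8.3.7: at least the last 4 passwords remembered
    password_max_age_days: int  # 8.3.9: rotate within 90 days if single-factor
    idle_timeout_minutes: int   # 8.2.8: re-authenticate after 15 minutes idle
    inactive_account_days: int  # 8.2.6: disable within 90 days of inactivity
    mfa_enforced: bool          # 8.3.9 only applies when passwords are the sole factor


def pci_findings(p: AccessPolicy) -> list[str]:
    """Return one finding per quoted PCI DSS v4.0 requirement the policy fails."""
    findings = []
    if p.max_failed_logins > 10:
        findings.append("8.3.4: lockout threshold exceeds 10 attempts")
    if p.lockout_minutes < 30:
        findings.append("8.3.4: lockout shorter than 30 minutes")
    if p.password_history < 4:
        findings.append("8.3.7: fewer than the last 4 passwords remembered")
    if not p.mfa_enforced and p.password_max_age_days > 90:
        findings.append("8.3.9: single-factor passwords not rotated within 90 days")
    if p.idle_timeout_minutes > 15:
        findings.append("8.2.8: idle timeout exceeds 15 minutes")
    if p.inactive_account_days > 90:
        findings.append("8.2.6: inactive accounts kept longer than 90 days")
    return findings


# Constructed sample: every setting at or inside the PCI limit.
COMPLIANT_POLICY = AccessPolicy(6, 30, 4, 90, 15, 90, mfa_enforced=False)

# Constructed sample: settings at the loose end of the configurable ranges the
# page mentions (8-hour idle timeout, 120-day expiry), which a product allows
# but PCI DSS does not.
WEAK_POLICY = AccessPolicy(12, 15, 2, 120, 480, 180, mfa_enforced=False)

if __name__ == "__main__":
    for finding in pci_findings(WEAK_POLICY):
        print(finding)
```

Because a product's permitted range is wider than the PCI limit, the check must be run against the values actually configured, not against the product's defaults.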

If you have any queries on Remote Access Plus, feel free to drop us a line at remoteaccessplus-support@manageengine.com

Also read:

  1. How HIPAA compliant is Remote Access Plus?
  2. How GDPR compliant is Remote Access Plus?