What is PCI DSS compliance?

The Payment Card Industry Security Standards Council (PCI SSC) formulated the Payment Card Industry Data Security Standard (PCI DSS) to set standards for organisations that store, process and transmit cardholder data. PCI DSS aims to prevent identity data theft by adding an additional level of protection.

Who needs to be PCI compliant?

PCI DSS applies to all companies that transmit, store or process primary account numbers (PAN) or cardholder data, both online and offline. Cardholder data includes primary account numbers (PAN), cardholder name, expiry date, service codes and sensitive authentication data (SAD). PCI DSS compliance is a mandate and applies regardless of the size of the merchant or the number of card transactions processed per year.

This includes financial institutions such as banks, insurance companies, brokerage firms and lending agencies; all merchants, from hospitals, pharmacies, schools, universities, government agencies and restaurants to e-commerce companies; and service providers. The PCI Council has also defined rules for software and hardware developers and device manufacturers.

Why engage in PCI compliant remote access software?

Remote access software is designed to let authorized technicians access and troubleshoot computers across the globe. This may involve an exchange of business data in and out of the corporate infrastructure over the internet. If your business needs to comply with PCI mandates, you need to ensure that your remote access software is PCI DSS ready.

PCI DSS mandates for remote access software

Requirement: requirement description
Build and Maintain Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

Is Remote Access Plus PCI DSS compliant?

Remote Access Plus has a set of security features that let you meet the PCI DSS v3.0 mandates that are specific to remote access solutions. The following table outlines the PCI DSS control requirements that Remote Access Plus fulfils.

The requirement descriptions listed are taken from the PCI Security Standards Council website: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

Requirement: how Remote Access Plus fulfils the requirement
Build and maintain a secure network

Install and maintain a firewall to protect user data

Remote Access Plus servers are hosted in highly reliable and secure carrier-grade data centres. Remote Access Plus is also available on-premises, which gives you complete control over your business-critical information.

Change / disable vendor-supplied default passwords before installing a system on the network.

Remote Access Plus lets administrators and technicians define their own passwords. Additionally, Remote Access Plus enforces stringent password policies and two-factor authentication to keep intruders out.

Protect card-holder data

Encrypt card-holder data transmission

The on-premises edition of Remote Access Plus does not hold any customer data; every detail is stored in a database within the customer's enterprise. In the case of Remote Access Plus cloud, all information in transit across public networks is protected by end-to-end 256-bit AES encryption.

Protect stored data

Administrators can tailor roles and define a scope for technicians, preventing them from accessing information beyond their privileges. Furthermore, administrators can restrict technicians from accessing File Manager and Command Prompt, which prevents them from exporting files from remote computers.

Maintain a vulnerability management program

Maintain a vulnerability management program

Remote Access Plus servers are maintained in hardened operating systems with proper patching practices.

Implement strong access control measures

Restrict access to data

  1. The Remote Access Plus user administration model lets administrators define a scope for technicians and prevent them from accessing information beyond their privilege. For example, a technician can be granted access to a specific group of computers or remote offices and be prevented from remotely accessing computers in other groups or remote offices.
  2. Remote Access Plus can be set to prompt for the end user's approval every time before a remote session is initiated. Only upon confirmation from the user will the technician(s) be able to access the computer.
  3. Remote Access Plus administrators can set granular permissions for technicians. Authorization for tools used to send or receive files and to access the command prompt can be granted to or revoked from technicians and administrators.

Assigning unique ID to technicians

Technicians cannot view, access or modify settings established by administrators. Technicians are assigned unique passwords. In the case of Remote Access Plus cloud, technicians can set up their own passwords. Administrators can also instantly revoke the access of terminated technician(s).

Restrict access to cardholder data

The on-premises edition of Remote Access Plus does not hold any personal or critical data of the customer; the data is stored within the customer's own database. In the case of Remote Access Plus cloud, the data transfer is completely secure under a highly reliable environment.

Regularly monitor and test networks.

Monitor all access to network resources and cardholder data.

Remote access solutions must place strong emphasis on accountability. Remote Access Plus records all remote sessions initiated, giving you visibility into each of them. Audit-ready reports are available on remote sessions, with start time, end time and duration, as well as reports on chat sessions, registry value exports and more.

Regularly test security systems and processes.

Remote Access Plus adheres to stringent security policies and continuously reviews its software, policies and data centres for security.

Maintain an information security policy

Maintain access controls

  1. Remote Access Plus lets you define granular permission levels for technicians. You can allow technicians to use the diagnostic tools while restricting them from remotely controlling client computers.
  2. Permissions can be set to require explicit approval from the end user every time before remote control and certain diagnostic tools, such as File Manager and Command Prompt, are initiated, to ensure end-user privacy.
  3. Time-out settings can be configured to define the period of inactivity after which a remote session is automatically ended and the target computer locked down.
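The access-control model described above (scope limited to particular computer groups, per-tool permissions, mandatory end-user approval, and an inactivity time-out that ends the session and locks the target) can be expressed as a small deny-by-default policy check. The following is an added illustration written for this page, not Remote Access Plus code; the `Technician`, `Computer` and `RemoteSession` types, the tool names and the sample hostnames are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not Remote Access Plus code: a deny-by-default authorization
# check for remote sessions (scope, tool permission, end-user approval) and an
# inactivity time-out that ends the session and locks the target. The data
# model, tool names and hostnames below are constructed for illustration.


@dataclass(frozen=True)
class Technician:
    name: str
    allowed_groups: frozenset      # computer groups / remote offices in scope
    tools: frozenset               # tools this technician may use
    needs_user_approval: bool = True


@dataclass(frozen=True)
class Computer:
    hostname: str
    group: str


def authorize(tech: Technician, computer: Computer, tool: str,
              user_approved: bool) -> tuple[bool, str]:
    """Allow only when scope, tool permission and end-user approval all hold."""
    if computer.group not in tech.allowed_groups:
        return False, f"{computer.hostname} is outside {tech.name}'s scope"
    if tool not in tech.tools:
        return False, f"{tech.name} is not permitted to use {tool}"
    if tech.needs_user_approval and not user_approved:
        return False, "end-user approval required before the session can start"
    return True, "allowed"


class RemoteSession:
    """Tracks activity so an idle session can be ended and the target locked."""

    def __init__(self, tech: Technician, computer: Computer,
                 started_at: datetime, idle_timeout: timedelta):
        self.tech = tech
        self.computer = computer
        self.idle_timeout = idle_timeout
        self.last_activity = started_at
        self.active = True
        self.target_locked = False

    def record_activity(self, now: datetime) -> None:
        """Any technician input resets the idle clock while the session is live."""
        if self.active:
            self.last_activity = now

    def enforce_idle_timeout(self, now: datetime) -> bool:
        """End the session and lock the target if idle too long; True if ended."""
        if self.active and now - self.last_activity >= self.idle_timeout:
            self.active = False
            self.target_locked = True
            return True
        return False


def demo() -> dict:
    """Run the checks against constructed data and return the outcomes."""
    tech = Technician("tech_alice", frozenset({"branch-north"}),
                      frozenset({"remote_control", "file_manager"}))
    in_scope = Computer("POS-N-01", "branch-north")
    out_of_scope = Computer("POS-S-01", "branch-south")
    results = {
        "other_office": authorize(tech, out_of_scope, "remote_control", True)[0],
        "no_approval": authorize(tech, in_scope, "remote_control", False)[0],
        "cmd_prompt": authorize(tech, in_scope, "command_prompt", True)[0],
        "ok": authorize(tech, in_scope, "remote_control", True)[0],
    }
    t0 = datetime(2024, 1, 15, 9, 0)
    session = RemoteSession(tech, in_scope, t0, idle_timeout=timedelta(minutes=10))
    session.record_activity(t0 + timedelta(minutes=5))
    # 7 minutes idle: still within the 10-minute limit
    results["ended_at_12min"] = session.enforce_idle_timeout(t0 + timedelta(minutes=12))
    # 11 minutes idle: session ends and the target is locked
    results["ended_at_16min"] = session.enforce_idle_timeout(t0 + timedelta(minutes=16))
    results["locked"] = session.target_locked
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order of the checks matters: scope is tested first so a technician never learns whether a tool would have been permitted on a computer they have no business reaching, and the end-user approval is required even when scope and tool permission both pass.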

Maintain audit controls

  1. All remote sessions initiated from Remote Access Plus are continuously logged for audit and troubleshooting purposes.
  2. Export settings prevent personal data, such as an e-mail address or contact number, from being revealed when reports are exported.
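The audit controls above (a record per remote session with start time, end time and duration, plus an export that withholds personal data) are illustrated below with an added example written for this page, not Remote Access Plus code. The `SessionRecord` type, the redaction patterns and the sample sessions, hostnames and contact details are constructed; the CSV layout is an assumption, not the product's report format.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not Remote Access Plus code: one audit record per remote
# session, exported as CSV with the duration computed and personal data in
# free-text fields replaced by placeholders. All sample data is constructed.


@dataclass(frozen=True)
class SessionRecord:
    session_id: int
    technician: str
    target: str
    started_at: datetime
    ended_at: datetime
    note: str  # free-text field that may contain end-user contact details

    @property
    def duration(self) -> timedelta:
        return self.ended_at - self.started_at


# Patterns for the two kinds of personal data the export should hide.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def redact(text: str) -> str:
    """Replace e-mail addresses and phone numbers with fixed placeholders."""
    text = EMAIL_RE.sub("[email redacted]", text)
    return PHONE_RE.sub("[phone redacted]", text)


def export_report(records, redact_personal_data: bool = True) -> str:
    """Render the session audit trail as CSV with start, end and duration."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["session_id", "technician", "target", "started_at",
                     "ended_at", "duration_seconds", "note"])
    for r in sorted(records, key=lambda rec: rec.started_at):
        note = redact(r.note) if redact_personal_data else r.note
        writer.writerow([r.session_id, r.technician, r.target,
                         r.started_at.isoformat(), r.ended_at.isoformat(),
                         int(r.duration.total_seconds()), note])
    return buf.getvalue()


def sample_records():
    """Constructed sample sessions (not real data)."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    return [
        SessionRecord(1, "tech_alice", "POS-TERMINAL-07",
                      t0, t0 + timedelta(minutes=15),
                      "User jane.doe@example.com reported printer issue"),
        SessionRecord(2, "tech_bob", "BACKOFFICE-02",
                      t0 + timedelta(hours=1), t0 + timedelta(hours=1, minutes=42),
                      "Callback requested on +1 555 010 0199"),
    ]


if __name__ == "__main__":
    print(export_report(sample_records()))
```

The redacted export keeps everything an auditor needs (who connected to which machine, when, and for how long) while the contact details in the technician's note never leave the system; the unredacted form should be reserved for administrators who have a documented need for it.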

If you have any queries on Remote Access Plus, feel free to drop us a line at
remoteaccessplus-support@manageengine.com


Also read:

  1. How HIPAA compliant is Remote Access Plus?
  2. How GDPR compliant is Remote Access Plus?