The Payment Card Industry Security Standards Council (PCI SSC) formulated Payment Card Industry Data Security Standard (PCI DSS) to set standards to the organisations that store, process and transmit hard holder data. PCI DSS intends on preventing identity data theft by adding an additional level of protection.
PCI DSS applies to all the companies that transmits, stores or processes primary account numbers (PAN) or cardholder data both online and offline. The cardholder data includes primary account numbers (PAN), cardholder name, expiry date, service codes, sensitive authentication data (SAD). PCI DSS compliance is a mandate ad is regardless of the size of the merchant or the number of card transactions processed per year.
This basically includes - financial institutions such as banks, insurance companies, brokerage firms, lending agencies, all merchants from hospitals, pharmacies, schools, universities, government agencies, restaurants and e-commerce companies and service providers. PCI council has also defined the rules for software / hardware developers and device manufactures.
A remote access software is designed to let authorized technicians access and troubleshoot computers across the globe. This might involve an exchange of business data in and out of the corporate infrastructure over the internet. If your business typically needs to comply with PCI mandates, then you need to ensure that your remote access software is PCI DSS ready.
|Build and Maintain Secure Network and Systems
|Protect Cardholder Data
|Maintain a Vulnerability Management Program
|Implement Strong Access Control Measures
|Regularly Monitor and Test Networks
|Maintain an Information Security Policy
Remote Access Plus has a set of security features that will let you achieve the PCI DSS v4.0 mandates that are specific to remote access solutions. The following table outlines the PCI DSS control requirements that are fulfilled by Remote Access Plus.
The requirement description listed is taken from the PCI Security Standards Council website : https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
|2.2.2 & 8.3.6.
|Vendor default accounts are managed as follows:
- If the vendor default account(s) will be used, the default password is changed per Requirement
- If the vendor default account(s) will not be used, the account is removed or disabled
Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks:
- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for the encryption methodology in use.
An access control model is defined and includes granting access as follows:
- Appropriate access depending on the entity’s business and access needs.
- Access to system components and data resources that are based on users’ job classification and functions.
- The least privileges required (for example, user, administrator) to perform a job function.
|Required privileges are approved by authorized personnel.
|All users are assigned a unique ID before access to system components or cardholder data is allowed.
|Additional requirements for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.
|Inactive user accounts are removed or disabled within 90 days of inactivity.
|If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
|User identity is verified before modifying any authentication factor.
|Invalid authentication attempts are limited by:
- Locking out the user ID after not more than 10 attempts.
- Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.
|Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
- Passwords/passphrases are changed at least once every 90 days,
- The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
|Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.
|Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
|Maintain audit controls.
All the remote sessions initiated from Remote Access Plus are continuously logged for audit and troubleshooting purposes.
|Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.
Have you any queries on Remote Access Plus, feel free to shoot us a line at