PCI DSS requirement 8.3 is intendedThe term “remote access” refers to applyaccess to usersa computer network from a location outside of that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company?s own network, either from the Internet or from an ?untrusted? network or system such as an employee accessing the corporate network using his/her mobile computer. Internal company LAN-to-LAN access (e.g. between two offices via VPN) is not considered remote access for the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company?s own network, either from the Internet or from an ?untrusted? network or system such as an employee accessing the corporate network using his/her mobile computer. Internal company LAN-to-LAN access (e.g. between two offices via VPN) is not considered remote access for purposes of this requirement. If the corporate network has appropriate segmentation such that remote users cannot access the cardholder data environment, two-factor authentication during remote access to the corporate network is not required by PCI DSS. However, two-factor authentication is required for any remote access to the cardholder data environment, and is recommended for remote access to the corporate network.
Examples of remote access include access from the Internet, an “untrusted” network or system, a third party service provider, access from a third party location (such as a business partner or business customer), or access by personnel from a portable computer over the Internet. Internal company LAN-to-LAN access (for example, two corporate locations connected by VPN within the same entity) is not considered remote access, as both locations are under the control of the same entity. Access between two different entities (even if via VPN or private line), such as access involving business customers or third party service providers, is considered remote access.
As defined in PCI SSC recommends engaging a Qualified Security Assessor (QSA)DSS Requirement 8.3, two-factor authentication is required for guidance asall remote network access that originates from outside the entity’s own network, where that remote access could lead to whether network segmentation is adequate or whether a specific implementation will satisfy this requirement. Please see our list of QSAs at www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdfaccess to the cardholder data environment.
