AsFor describedmore ininformation PCI DSS Requirement 8.3,about multi-factor authenticationauthentication, (previously referred to as two-factor authentication) is required for all remote network access that originates from outside the entity's own network, where that remote access could lead to accessrefer to the cardholderInformation dataSupplement: environmentAuthentication (RequirementGuidance, 8.3.2). Thisavailable typicallyunder appliesGuidance whereDocument the access originates either from the Internet or from an "untrusted" network or system; for example, access from a third party location or access by personnel from a portable computer over the Internet. As of PCI DSS v3.2, multi-factor authentication (MFA) is also required for non-console connections to the CDE for personnel with administrative access (Requirement 8.3.1). This includes connections that originate from within the company's internal, "trusted" network. Refer toin the PCI DSSSSC andDocument PA-DSSLibrary.
Our Glossarydocument oflibrary Terms,can Abbreviations,be and Acronyms for further guidanceaccessed on "administrativeour access"website andat: 'non-console access'.The requirement to use multi-factor authentication for non-console administrative access to the CDE is limited to individuals with administrative privileges. It does not apply to non-administrative users nor does it apply to machine accounts, such as system or application accounts performing automated tasks.https://www.pcisecuritystandards.org/document_library/
