Educause Security Discussion mailing list archives

Re: PCI v2.0 Requirement 8.3


From: Mike Leach <mjl9 () PSU EDU>
Date: Tue, 18 Jan 2011 15:30:28 -0500

Dan,

 

Our first response is, "Please explain why you need remote access to a card
processing environment." In other words, we try to discourage that when
possible. Even so, some merchant areas need remote access to carry out
business needs. Most of the time our merchants use the User ID and a
certificate on the machine to provide the two factors. This also forces use
of a known, supported machine to access the card processing environment.

Thank you,

Mike Leach
Compliance Coordinator
Security Operations and Services
The Pennsylvania State University
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security () psu edu
Direct Line: 814-865-0740


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Bennett
Sent: Monday, January 17, 2011 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI v2.0 Requirement 8.3

 

We are currently working on PCI v2.0 compliance and we hit requirement 8.3.
We are very interested in how other institutions have solved this
requirement.  Please respond on or off list.  Below is the requirement:

8.3 Incorporate two-factor authentication for remote access (network-level
access originating from outside the network) to the network by employees,
administrators, and third parties. (For example, remote authentication and
dial-in service (RADIUS) with tokens; terminal access controller access
control system (TACACS) with tokens; or other technologies that facilitate
two-factor authentication.)


Thanks,

Dan

 

