Educause Security Discussion mailing list archives

Re: PCI v2.0 Requirement 8.3


From: Joe Marshall <JMarshall () FREDERICK EDU>
Date: Tue, 18 Jan 2011 23:07:10 -0500

What is everyone's take on the meaning of this requirement?  We provide remote access to the "network" via terminal 
services.  This is the administrative network.  All servers and machines that process credit cards are on a unique 
VLAN.  There's no direct access to the card processing network from the administrative network or the terminal server.

Do we still need two-factor authentication for the terminal server connection since it is not part of the credit card 
VLAN?  Reading the requirement, it is very generic:  "remote access" for "network-level access."  What does that really 
mean?  The network (VLAN) for the credit card network or any network?

Regards,
Joe


Joe Marshall
Executive Director of Network, Information Security, and Telecommunications
Frederick Community College
7932 Opossumtown Pike
Frederick, Maryland 21702
301.624.2824 phone
301.624.2898 fax 

Daniel Bennett <dbennett () PCT EDU> 1/17/2011 3:30 PM >>>
We are currently working on PCI v2.0 compliance and we hit requirement 8.3.  We are very interested in how other 
institutions have solved this requirement.  Please respond on or off list.  Below is the requirement:

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the 
network) to the network by employees, administrators, and third parties. (For example, remote authentication and 
dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other 
technologies that facilitate two-factor authentication.)

Thanks,

Dan

