Educause Security Discussion mailing list archives

Re: PCI v2.0 Requirement 8.3


From: "Marcum, Chad A" <cmarcum () IU EDU>
Date: Wed, 19 Jan 2011 13:24:31 +0000

Blake,

Would you agree that this brings the two-factor solution into PCI-scope?  Also, would you agree that any machines 
remoting (aka: remote desktop or ssh) to the PCI-network are also in-scope?

Thanks,
Chad

Chad Marcum, Lead Security Engineer
University Information Security Office
Office of the Vice President for IT and CIO
Indiana University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake 
Penn
Sent: Tuesday, January 18, 2011 3:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI v2.0 Requirement 8.3

Dan,

I see most clients (both inside and outside of Higher Ed) using either RSA SecurID tokens or personal certificates for 
2-factor.  Also, the use of remote access management tools like Bomgar is certainly on the uptick.  

Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA
Senior Security Consultant
Trustwave
bpenn () trustwave com
+1 678-685-1277
http://www.trustwave.com

DISCLAIMER: The views represented in this message reflect the opinions of the author alone and do not necessarily 
reflect the opinions of Trustwave.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel 
Bennett
Sent: Monday, January 17, 2011 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI v2.0 Requirement 8.3

We are currently working on PCI v2.0 compliance and we hit requirement 8.3.  We are very interested in how other 
institutions have solved this requirement.  Please respond on or off list.  Below is the requirement:

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) 
to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service 
(RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies 
that facilitate two-factor authentication.)

Thanks,

Dan

