Educause Security Discussion mailing list archives

Re: PCI v2.0 Requirement 8.3


From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Thu, 20 Jan 2011 08:28:57 -0600

I can't make that judgment - you know the drill, only your QSA can determine the proper scope for your particular 
environment.  I can speak from my experience, though, that workstations/other endpoints that have access to cardholder 
data or shell-level access to the cardholder data environment are commonly treated as extensions of that environment 
and that any control used to satisfy one or more requirements requires testing (via sampling, at least) during the 
validation process.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marcum, Chad A
Sent: Wednesday, January 19, 2011 8:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI v2.0 Requirement 8.3

Blake,

Would you agree that this brings the two-factor solution into PCI-scope?  Also, would you agree that any machines 
remoting (aka: remote desktop or ssh) to the PCI-network are also in-scope?

Thanks,
Chad

Chad Marcum, Lead Security Engineer
University Information Security Office
Office of the Vice President for IT and CIO
Indiana University

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake Penn
Sent: Tuesday, January 18, 2011 3:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI v2.0 Requirement 8.3

Dan,

I see most clients (both inside and outside of Higher Ed) using either RSA SecurID tokens or personal certificates for 
2-factor.  Also, the use of remote access management tools like Bomgar is certainly on the uptick.  

Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA
Senior Security Consultant
Trustwave
bpenn () trustwave com
+1 678-685-1277
http://www.trustwave.com

DISCLAIMER: The views represented in this message reflect the opinions of the author alone and do not necessarily reflect the opinions of Trustwave.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Bennett
Sent: Monday, January 17, 2011 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI v2.0 Requirement 8.3

We are currently working on PCI v2.0 compliance and we hit requirement 8.3.  We are very interested in how other 
institutions have solved this requirement.  Please respond on or off list.  Below is the requirement:

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)

Thanks,

Dan
