11.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism.
PCI Data Security Standard Requirement 8.3
Testing Procedures:
11.2 If the payment application may be accessed remotely, examine the PA-DSS Implementation Guide prepared by the software vendor, and verify that it contains instructions for customers and resellers/integrators regarding the required use of two-factor authentication (username and password and an additional authentication item such as a token or certificate).