[PA-DSS] 11.3 If vendors, resellers/integrators, or customers can access customer's payment applicat

11.3 If vendors, resellers/integrators, or customers can access customer’s payment applications remotely, the remote access must be implemented securely.

PCI Data Security Standard Requirement 8.3

Testing Procedures:

11.3.a If the software vendor uses remote access products for remote access to the customer’s payment application, verify that vendor personnel implement and use remote access security features.

Note: Examples of remote access security features include:

[ul]
[li]Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).[/li]
[li]Allow connections only from specific (known) IP/MAC addresses.[/li]
[li]Use strong authentication and complex passwords for logins according to PCI DSS Requirements 8.1, 8.3, and 8.5.8-8.5.15.[/li]
[li]Enable encrypted data transmission according to PCI DSS Requirement 4.1.[/li]
[li]Enable account lockout after a certain number of failed login attempts according to PCI DSS Requirement 8.5.13.[/li]
[li]Configure the system so a remote user must establish a Virtual Private Network (VPN) connection via a firewall before access is allowed.[/li]
[li]Enable the logging function.[/li]
[li]Restrict access to customer passwords to authorized reseller/integrator personnel.[/li]
[li]Establish customer passwords according to PCI DSS Requirements 8.1, 8.2, 8.4, and 8.5.[/li]
[/ul]

11.3.b If resellers/integrators or customers can use remote access software, examine the PA-DSS Implementation Guide prepared by the software vendor, and verify that customers and resellers/integrators are instructed to use and implement remote access security features.

Note: Examples of remote access security features include:

[ul]
[li]Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).[/li]
[li]Allow connections only from specific (known) IP/MAC addresses.[/li]
[li]Use strong authentication and complex passwords for logins according to PCI DSS Requirements 8.1, 8.3, and 8.5.8-8.5.15.[/li]
[li]Enable encrypted data transmission according to PCI DSS Requirement 4.1.[/li]
[li]Enable account lockout after a certain number of failed login attempts according to PCI DSS Requirement 8.5.13.[/li]
[li]Configure the system so a remote user must establish a Virtual Private Network (VPN) connection via a firewall before access is allowed.[/li]
[li]Enable the logging function.[/li]
[li]Restrict access to customer passwords to authorized reseller/integrator personnel.[/li]
[li]Establish customer passwords according to PCI DSS Requirements 8.1, 8.2, 8.4, and 8.5.[/li]
[/ul]
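The feature lists under 11.3.a and 11.3.b are identical, and an assessor or vendor checking them across a fleet of customer installations would script the evaluation rather than eyeball each configuration. The following is an added example (not part of the PA-DSS text, and not any vendor's tooling) that audits remote-access configurations against those features. The configuration schema (keys such as `password_sha256`, `allowed_sources`, `tls`, `lockout_threshold`, `vpn_required`, `logging`), the vendor default credentials, and the sample customer configurations are all constructed for illustration; the lockout ceiling of six attempts is the PCI DSS 8.5.13 value. The cross-customer password-reuse check goes slightly beyond the single-installation wording of the list, since "use unique passwords for each customer" can only be verified over the whole fleet.

```python
"""Audit remote-access configurations against the PA-DSS 11.3 feature list.

Added example; the config schema, default credentials and sample data below
are constructed and do not come from the standard or from any real product.
"""
import hashlib
import ipaddress
import re
from collections import Counter

# Hashes of credentials the (hypothetical) vendor ships as factory defaults.
# Constructed plaintexts; a real audit tool would hold only the hashes.
VENDOR_DEFAULT_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("support", "vendor123")
}

MAX_LOCKOUT_THRESHOLD = 6  # PCI DSS 8.5.13: lock out after no more than six attempts
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def _specific_source(entry):
    """True for a specific IP address, a real (non-/0) CIDR, or a MAC address.

    A 0.0.0.0/0 or ::/0 entry parses as a valid network but allows any host,
    so it is rejected: the requirement asks for *known* addresses.
    """
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen > 0
    except ValueError:
        return MAC_RE.fullmatch(entry) is not None


def audit_customer(cfg, shared_hashes):
    """Return the list of 11.3 findings for one customer's remote-access config.

    `shared_hashes` holds credential hashes used by more than one customer,
    computed fleet-wide by `audit_fleet`.
    """
    findings = []

    pw_hash = cfg.get("password_sha256")
    if not pw_hash or pw_hash in VENDOR_DEFAULT_HASHES:
        findings.append("default remote-access password not changed")
    elif pw_hash in shared_hashes:
        findings.append("remote-access password reused across customers")

    sources = cfg.get("allowed_sources") or []
    if not sources:
        findings.append("no source IP/MAC restriction (any address may connect)")
    elif not all(_specific_source(s) for s in sources):
        findings.append("allowed_sources contains a non-specific or malformed entry")

    if not cfg.get("tls"):
        findings.append("encrypted transmission disabled (PCI DSS 4.1)")

    threshold = cfg.get("lockout_threshold")
    if not isinstance(threshold, int) or not 1 <= threshold <= MAX_LOCKOUT_THRESHOLD:
        findings.append("account lockout missing or threshold above %d attempts (PCI DSS 8.5.13)"
                        % MAX_LOCKOUT_THRESHOLD)

    if not cfg.get("vpn_required"):
        findings.append("remote access permitted without a VPN through the firewall")

    if not cfg.get("logging"):
        findings.append("remote-access logging disabled")

    return findings


def audit_fleet(configs):
    """Audit every customer; returns {customer: [findings]} (empty list = pass)."""
    counts = Counter(c.get("password_sha256") for c in configs.values())
    shared = {h for h, n in counts.items() if h and n > 1}
    return {name: audit_customer(cfg, shared) for name, cfg in configs.items()}


def _h(plaintext):
    return hashlib.sha256(plaintext.encode()).hexdigest()


# Constructed sample fleet; addresses are from the RFC 5737 documentation ranges.
SAMPLE_CONFIGS = {
    "store-001": {"password_sha256": _h("unique-per-site-1"),
                  "allowed_sources": ["203.0.113.10", "198.51.100.0/28"],
                  "tls": True, "lockout_threshold": 5, "vpn_required": True, "logging": True},
    "store-002": {"password_sha256": _h("support"),  # vendor default, never changed
                  "allowed_sources": [],
                  "tls": False, "lockout_threshold": 0, "vpn_required": False, "logging": False},
    "store-003": {"password_sha256": _h("shared-secret"),  # same credential as store-004
                  "allowed_sources": ["0.0.0.0/0"],          # "restriction" that allows everyone
                  "tls": True, "lockout_threshold": 6, "vpn_required": True, "logging": True},
    "store-004": {"password_sha256": _h("shared-secret"),
                  "allowed_sources": ["00:1A:2B:3C:4D:5E"],
                  "tls": True, "lockout_threshold": 10, "vpn_required": True, "logging": True},
}

if __name__ == "__main__":
    for customer, findings in audit_fleet(SAMPLE_CONFIGS).items():
        print(customer, "PASS" if not findings else "; ".join(findings))
```

Running the block prints one line per customer: `store-001` passes, `store-002` fails every check, and the two stores sharing a credential are flagged even though each, viewed alone, has a non-default password. Features the list states as organisational practice (restricting who may know customer passwords, strong authentication per 8.1/8.3) are not configuration values and are left to the Implementation Guide review.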