PCI two-factor authentication

Round and round it goes…

We’ve struggled a bit with figuring out how to implement two-factor authentication according to PCI-DSS 8.3. Prior to going down the secure-token path, we figured we’d do some last-minute research into the requirement and found some interesting forum discussions on the Society of Payment Security Professionals website.

In essence, one interpretation is that this requirement is aimed at access to cardholder data in “bulk”. In other words, if the person obtaining remote access does not have access to the store of cardholder data, two-factor authentication is not required.

 How are you interpreting this requirement? 

 Thanks!

 Dan

---------------------------------------------------------------------------

Daniel L. Spees
Director, Information Services & Support
Chicago Symphony Orchestra

Hi Dan,

My interpretation of the requirement is that 8.3 applies to remote access connections - from the requirement document: "network-level access originating from outside the network".

So, for our setup, where we host the Tessitura environment internally, it does not apply for day-to-day operations. We have implemented an SSL VPN for remote access and, combined with the additional access restrictions in place, feel that this meets the specifications and intent of the requirement.

I suppose things could be more tricky if you were running your environment from a co-lo - however, depending on the connection between the sites, you may be able to justify the view that the network is still 'internal'.

Good luck - PCI is fun, isn't it?