[PCI DSS 3.0] 8.5.1 Additional requirement for service providers: Service providers with remote access to customer

pcinetwork

PCINetwork.org Admin
#1
8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting
environment, where multiple customer environments are hosted.

Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.

8.5.1 Additional testing procedure for service providers: Examine authentication policies and procedures and interview personnel to verify that different authentication credentials are used for access to each customer.

To prevent the compromise of multiple customers through the use of a single set of credentials, vendors with remote access accounts to customer environments should use a different authentication credential for each customer.
Technologies, such as two-factor mechanisms, that provide a unique credential for each connection (for example, via a single-use password) could also meet the intent of this requirement.
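As an added example (not part of the original post or of the PCI SSC's own material), the following Python audit runs over a constructed credential inventory and flags static credentials reused across more than one customer, treats per-connection single-use credentials as meeting the intent, and leaves out a provider's own hosting environment as the note allows. The record fields, account names and fingerprint values are assumptions.

```python
from collections import defaultdict

# Constructed inventory of a service provider's remote-access credentials
# (hypothetical data). credential_fp is a fingerprint of the secret, as a
# credential vault might record it, never the secret itself. auth_type is
# "static" (password/passphrase/SSH key reused on every connection) or
# "per_connection" (e.g. a single-use password from a two-factor mechanism),
# which the 8.5.1 guidance says can meet the intent without a distinct
# secret per customer. environment "provider_hosting" marks the provider's
# own hosting environment, which the note excludes from 8.5.1.
INVENTORY = [
    {"customer": "merchant-A", "account": "svc-pos", "credential_fp": "fp-001",
     "auth_type": "static", "environment": "customer_premises"},
    {"customer": "merchant-B", "account": "svc-pos", "credential_fp": "fp-001",
     "auth_type": "static", "environment": "customer_premises"},
    {"customer": "merchant-C", "account": "svc-pos", "credential_fp": "fp-002",
     "auth_type": "static", "environment": "customer_premises"},
    {"customer": "merchant-D", "account": "svc-db", "credential_fp": "fp-003",
     "auth_type": "per_connection", "environment": "customer_premises"},
    {"customer": "merchant-E", "account": "svc-db", "credential_fp": "fp-003",
     "auth_type": "per_connection", "environment": "customer_premises"},
    {"customer": "tenant-X", "account": "ops", "credential_fp": "fp-004",
     "auth_type": "static", "environment": "provider_hosting"},
    {"customer": "tenant-Y", "account": "ops", "credential_fp": "fp-004",
     "auth_type": "static", "environment": "provider_hosting"},
]


def find_shared_static_credentials(records):
    """Return {credential_fp: sorted customers} for each static credential
    that grants remote access to more than one customer premises."""
    customers_by_fp = defaultdict(set)
    for r in records:
        if r["environment"] == "provider_hosting":
            continue  # shared-hosting note: provider's own environment is out of scope
        if r["auth_type"] != "static":
            continue  # per-connection credentials are unique by construction
        customers_by_fp[r["credential_fp"]].add(r["customer"])
    return {fp: sorted(c) for fp, c in customers_by_fp.items() if len(c) > 1}


def assess_8_5_1(records):
    """Summarise the check: compliant only when no static credential is shared."""
    findings = find_shared_static_credentials(records)
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    print(assess_8_5_1(INVENTORY))
```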