PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed

by Randy Bartels / December 22, 2022

Vendor Management in Usage Policies

Organizations on the road to PCI compliance must recognize the importance of vendor management. Your usage policies should include a vendor management aspect, outlined by PCI Requirement 12.3.9, “Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.” Wherever you have vendors and business partners come into your environment, we’re going to…

PCI Requirement 12.3.8 – Automatic Disconnect of Sessions for Remote-Access Technologies After a Specific Period of Inactivity

by Randy Bartels / December 22, 2022

Automatic Disconnect in Your Usage Policies

Remote-access technologies are a constant source of risk for critical resources and cardholder data. This is why PCI Requirement 12.3.8 requires that your usage policies include, “Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.” In PCI Requirement 8.1.8, we gave you this scenario: A user walks away from an open machine that has access to critical system components…

PCI Requirement 12.3.7 – List of Company-Approved Products

by Randy Bartels / December 22, 2022

Acceptable Products

Your usage policies, as stated in PCI Requirement 12.3.7, should include a list of company-approved products. This list will correlate with your acceptable uses of technology policy to create strong and secure usage policies. The PCI DSS explains that by defining company-approved products, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened…

PCI Requirement 12.3.6 – Acceptable Network Locations for the Technologies

by Randy Bartels / December 22, 2022

Acceptable Network Locations

Your usage policies, as stated in PCI Requirement 12.3.6, should detail acceptable network locations for the technology at your organization. The PCI DSS explains that by defining acceptable network locations, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers. To test compliance with PCI Requirement 12.3.6, an assessor will…

PCI Requirement 12.3.5 – Acceptable Uses of the Technology

by Randy Bartels / December 22, 2022

Acceptable Use Policies

Your usage policies, as stated in PCI Requirement 12.3.5, should detail acceptable uses of the technology at your organization. Acceptable use policies (AUP) normally have users agree to not use the services for illegal purposes, not attempt to harm the security of the technology or system, and to report any suspicious activity. The PCI DSS explains that by defining acceptable uses of the technology, your organization…