PCI Requirement 12.3.10 – For Personnel Accessing Cardholder Data via Remote-Access Technologies, Prohibit the Copying, Moving, and Storage of Cardholder Data onto Local Hard Drives and Removable Electronic Media

by Randy Bartels / July 3rd, 2018

Employees with Remote Access

If you have employees who can access your cardholder data environment from remote-access technologies, you must comply with PCI Requirement 12.3.10. It states, “For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.”

Consider employees who work from home: their home networks and devices are almost certainly not secured to the same standard as your cardholder data environment, so cardholder data should never be moved there unless there is a specific, authorized business need. You must have a policy that prohibits the copying, moving, and storage of cardholder data into those local environments.

The PCI DSS guidance further explains, “To ensure all personnel are aware of their responsibilities to not store or copy cardholder data onto their local personal computers or other media, your policy should clearly prohibit such activities except for personnel that have been explicitly authorized to do so.” Including PCI Requirement 12.3.10 in your usage policies helps keep employees from carrying cardholder data into insecure environments.

If you have employees who connect remotely and can reach your cardholder data environment, PCI Requirement 12.3.10 requires a process and program that prohibits them from moving, copying, or storing cardholder data in their local environment while connected. Think about this: Johnny connects from home and transfers a database down to his own machine to work on it. Chances are that his home environment is not secured to the standard of your cardholder data environment, and that is exactly what this requirement is designed to prevent. There is some leniency here, though. While the practice is generally prohibited, it is acceptable if there is a defined business need, such as supporting your environment. However, management must be aware of that need and explicitly authorize it, and the appropriate controls must then be applied so the data is protected in accordance with all applicable PCI DSS requirements.