PCI Requirement 12.3.8 – Automatic Disconnect of Sessions for Remote-Access Technologies After a Specific Period of Inactivity

by Randy Bartels / July 3rd, 2018

Automatic Disconnect in Your Usage Policies

Remote-access technologies are a constant source of risk for critical resources and cardholder data. This is why PCI Requirement 12.3.8 requires that your usage policies include, “Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.”

In PCI Requirement 8.1.8, we gave you this scenario: A user walks away from an open machine that has access to critical system components and/or cardholder data. That machine is then used by a malicious individual in the user’s absence, resulting in unauthorized account access and/or misuse. How can PCI Requirement 12.3.8 help prevent a scenario like this? By including an automatic disconnect rule for remote-access technologies in your usage policies, you can minimize the risk of malicious access.

To verify compliance with PCI Requirement 12.3.8, an assessor will need to examine your usage policies to ensure that they require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity, or they will examine configurations for remote-access technologies.

PCI Requirement 12.3.8 stipulates that you have an automatic disconnect of the sessions after a defined period of time. Back in PCI Requirement 8, we talked about having a 15-minute session timeout, but in PCI Requirement 12.3.8, you’re establishing the policy around that particular requirement.