PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed
Vendor Management in Usage Policies
Organizations on the road to PCI compliance must recognize the importance of vendor management. Your usage policies should include a vendor management aspect, outlined by PCI Requirement 12.3.9, “Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.”
Wherever vendors and business partners come into your environment to support you, we’re going to look to ensure that your usage policies, procedures, and controls stipulate that their remote-access technologies and user accounts are enabled only when absolutely required to support your business. At all other times those accounts should be disabled, and nobody should be able to use them unless management has approved opening them for a vendor or business partner to come in and provide support. Once that support is complete, the account should be deactivated immediately rather than left enabled until the next visit.
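As an added illustration of the control described above (not code from the original page), the following Python module models vendor and business-partner accounts that default to disabled, can be enabled only with a named management approver and a bounded window, are swept back to disabled when the window ends, and are audited for the two failure modes an assessor looks for: an account enabled without an approval, and an account left enabled past its approved window. The account names, approver names and timestamps are constructed sample data; wiring the enable/disable calls to a real directory or VPN gateway is assumed to be done by the deployment.

```python
"""Time-bound enablement of vendor remote-access accounts with an audit check.

Added example, not the page's or any vendor's code. Account names, approvers
and timestamps are constructed; the enable/disable calls would be hooked to
the real directory or remote-access gateway in a deployment (assumed here).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class VendorAccount:
    username: str
    enabled: bool = False
    approved_by: Optional[str] = None       # manager who approved this activation
    window_start: Optional[datetime] = None
    window_end: Optional[datetime] = None


class VendorAccessRegistry:
    """Tracks third-party accounts and the approval window each activation is bound to."""

    def __init__(self, max_window: timedelta = timedelta(hours=8)) -> None:
        self.max_window = max_window          # longest window policy allows (assumed value)
        self.accounts: Dict[str, VendorAccount] = {}
        self.audit_log: List[str] = []

    def register(self, username: str) -> VendorAccount:
        acct = VendorAccount(username=username)   # new accounts start disabled
        self.accounts[username] = acct
        return acct

    def activate(self, username: str, approver: str, start: datetime,
                 duration: timedelta) -> VendorAccount:
        """Enable an account only with a named approver and a bounded window."""
        if not approver:
            raise PermissionError(f"{username}: activation requires a management approver")
        if duration <= timedelta(0) or duration > self.max_window:
            raise ValueError(f"{username}: window must be positive and at most {self.max_window}")
        acct = self.accounts[username]
        acct.enabled, acct.approved_by = True, approver
        acct.window_start, acct.window_end = start, start + duration
        self.audit_log.append(f"{start.isoformat()} ENABLE {username} by {approver} "
                              f"until {acct.window_end.isoformat()}")
        return acct

    def deactivate(self, username: str, now: datetime, reason: str = "session complete") -> None:
        """Disable immediately after use and clear the approval so it cannot be reused."""
        acct = self.accounts[username]
        acct.enabled, acct.approved_by = False, None
        acct.window_start = acct.window_end = None
        self.audit_log.append(f"{now.isoformat()} DISABLE {username} ({reason})")

    def expire(self, now: datetime) -> List[str]:
        """Scheduled sweep: disable every account whose approved window has ended."""
        expired = [a.username for a in self.accounts.values()
                   if a.enabled and a.window_end is not None and a.window_end <= now]
        for name in expired:
            self.deactivate(name, now, reason="window expired")
        return expired

    def find_violations(self, now: datetime) -> List[str]:
        """Audit check: enabled accounts with no approval, or enabled past their window."""
        findings = []
        for a in self.accounts.values():
            if not a.enabled:
                continue
            if a.approved_by is None or a.window_end is None:
                findings.append(f"{a.username}: enabled without an approved window")
            elif a.window_end < now:
                findings.append(f"{a.username}: still enabled {now - a.window_end} past window end")
        return findings


def demo() -> dict:
    """Walk through a compliant session, a forgotten account, an out-of-band enable, and the sweep."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    reg = VendorAccessRegistry()
    for name in ("vendor-pos-support", "partner-billing", "vendor-adhoc"):
        reg.register(name)

    # Approved two-hour support session; vendor finishes early and is disabled right away.
    reg.activate("vendor-pos-support", "it-manager", t0, timedelta(hours=2))
    reg.deactivate("vendor-pos-support", t0 + timedelta(minutes=45))

    # Approved one-hour window that nobody closed afterwards.
    reg.activate("partner-billing", "finance-manager", t0, timedelta(hours=1))

    # Enabled directly in the directory, bypassing the approval path.
    reg.accounts["vendor-adhoc"].enabled = True

    # Policy rejections: no approver, and a window longer than policy allows.
    rejected = {}
    for kind, approver, dur in (("no_approver", "", timedelta(hours=1)),
                                ("too_long", "it-manager", timedelta(days=2))):
        try:
            reg.activate("vendor-adhoc", approver, t0, dur)
            rejected[kind] = False
        except (PermissionError, ValueError):
            rejected[kind] = True

    later = t0 + timedelta(hours=3)
    return {
        "violations_before": reg.find_violations(later),
        "expired": reg.expire(later),
        "violations_after": reg.find_violations(later),
        "pos_enabled": reg.accounts["vendor-pos-support"].enabled,
        "rejected": rejected,
        "audit_log": reg.audit_log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The sweep in `expire` is what turns "immediate deactivation after use" from a reminder into a control: run it on a schedule so an account that a vendor or an administrator forgot to close is disabled anyway, and keep `find_violations` as the periodic evidence check, since it is the only thing in this model that catches an account enabled outside the approval path at all.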