PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed

by Randy Bartels / July 3rd, 2018

Vendor Management in Usage Policies

Organizations on the road to PCI compliance must recognize the importance of vendor management. Your usage policies should include a vendor management aspect, outlined by PCI Requirement 12.3.9, “Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.”

Wherever you have vendors and business partners come into your environment, we’re going to look to ensure that your usage policies stipulate that remote-access technologies are only enabled when absolutely required to support your business. All other times, those accounts should be disabled, and nobody should be able to access them unless they’re approved by management.

Where you have a vendor or a business partner that might come into your environment to support you for one reason or another, we’re going to look to ensure that you have policies, procedures, and controls to make sure that those user accounts are only enabled when absolutely required to support your business. All other times, those accounts should be disabled, and nobody should be able to access them unless they’re approved by management to be opened for your vendors or business partners to come in to support you.

BLOG

PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed

Vendor Management in Usage Policies

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.

BLOG

PCI Requirement 12.3.9 – Activation of Remote-Access Technologies for Vendors and Business Partners Only When Needed

Vendor Management in Usage Policies

Related Posts

Categories

Newsletter