Developing Usage Policies
To prohibit inappropriate use of devices and technology, PCI Requirement 12.3 requires that you “Develop usage policies for critical technologies and define proper use of these technologies.” Critical technologies include, for example, laptops, tablets, removable electronic media, and the Internet. If usage policies are not implemented, your personnel could use these critical technologies in ways that violate company policy, allowing malicious individuals to gain access to critical systems and cardholder data.
According to the PCI DSS, to comply with PCI Requirement 12.3, usage policies should include the following:
- Explicit approval by authorized parties
- Authentication for use of the technology
- A list of all such devices and personnel with access
- A method to accurately and readily determine owner, contact information, and purpose
- Acceptable uses of the technology
- Acceptable network locations for the technologies
- List of company-approved products
- Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
- Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
- For personnel accessing cardholder data via remote-access technologies, a prohibition on copying, moving, or storing cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need
- Where there is such an authorized business need, a requirement that the data be protected in accordance with all applicable PCI DSS Requirements
PCI Requirement 12.3 defines the need for your organization to develop usage policies around critical technologies. Numerous controls are called out here, so spend some time with the next set of videos to learn what those controls might be.