When users can log into a network remotely, additional security is required for PCI-DSS compliance – but it is an important security concern for any business network. If you have opened your firewall (see PCI-DSS: Securing Your Network) to the outside world, you need to be sure that the remote connection is secure and that the remote users are only those authorized to access your system.
Main PCI-DSS Requirements for Remote Access
Two-Factor Login – One of the main requirements for any remote access is that a two-factor authentication method should be used. Of course, a two-factor login could be added to a local network and provide even better security. A two-factor login is a User Authentication method where two of the following three pieces of information can be confirmed when a user logs into a network:
- Something the user knows (a username and password)
- Something the user has (an ID card, security token, software token, phone, or cell phone)
- Something the user is or does (a fingerprint or other biometric device)
Of course, the benefit here is a method to independently confirm, through two separate channels, that a remote user really is an authorized party.
Access from Known Addresses – When providing remote access using products like Microsoft’s Remote Desktop, access should only be provided from specific assigned locations. The two most common methods are to restrict access by either IP address or MAC address. Restricting by the IP address of the remote user generally requires that the remote location have a static IP address, which is available from Internet Service Providers. The MAC address is a specific serial number of a network card on a PC or network device; the drawback of this solution is that the assignment must be changed whenever the network card is replaced.
Remote Support – Remote access passwords issued to outside vendors, such as your support company, must be temporary, assigned for each event, and enabled only while access is needed. Not only does this meet your security requirements, it also ensures that you are aware of and involved in the issues being resolved.
Two-Factor Authentication Models
There are several options for authenticating users on a network, in addition to a username and password combination, that can be used to provide a two-factor authentication method. Again, this is not expensive and depending upon your needs can be free and potentially have other benefits.
Something the user knows – A username and password is something a user knows and provides – the most obvious first authentication method. See PCI-DSS: Security Password Protection to ensure strong passwords are properly defined for PCI-DSS compliance.
Something the user has – One of the best free options works well for a limited number of users. PhoneFactor provides a second authentication method by calling a phone number (with a backup number) to confirm that you are authorized to log in. This provides the second method of authentication because the phone is something you have.
Other methods available include an ID card, or a security token such as a key fob, which generates a password when needed.
Something the user is or does – Biometric devices like a fingerprint reader are a great example of this method and provide significant additional benefits. The latest fingerprint readers are quick and accurate for most organizations if properly configured. One key advantage of a fingerprint reader in the point of sale environment is gained if the software is programmed to let a user present a fingerprint as the authentication method to begin a sales transaction. This is an efficient way to identify the actual user who records each sale. Instead of entering a user code (and a potentially required password), they can simply touch the fingerprint reader to initiate a new sale or unlock the POS register. Not only is it quicker to read a fingerprint than to require users to enter usernames and passwords, it also means sales associates and cashiers don’t need to remember their point of sale passwords.
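As an added illustration (not code from this article or any vendor product), the following Python policy check applies the three remote-access requirements above together with the factor categories from the models section: a remote login is granted only when the verified factors come from two different categories, the source address is on the assigned static-IP list, and a vendor account is inside its per-event access window. The allowlist, the vendor window and the factor names are constructed assumptions, and the IP method is used rather than MAC filtering.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Factor categories from the two-factor definition above: a login needs
# two factors from different categories, not two from the same one.
KNOWS, HAS, IS = "knows", "has", "is"
FACTOR_CATEGORY = {
    "password": KNOWS,
    "phone_callback": HAS,   # PhoneFactor-style call to a registered phone
    "hardware_token": HAS,   # key fob or ID card
    "fingerprint": IS,
}

# Constructed sample policy data (hypothetical, not from the article):
# assigned static locations and per-event windows for vendor accounts.
ALLOWED_NETWORKS = ["203.0.113.10/32", "198.51.100.0/28"]
VENDOR_WINDOWS = {"support-vendor": (datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 12))}

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    factors_passed: list   # factor names that were successfully verified
    when: datetime
    vendor: bool = False   # outside support vendor account

def is_two_factor(factors):
    """True when the verified factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def source_allowed(source_ip, allowed_networks):
    """True when the remote address lies inside an assigned static range."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(net) for net in allowed_networks)

def evaluate(req, allowed_networks=ALLOWED_NETWORKS, vendor_windows=VENDOR_WINDOWS):
    """Return (granted, reasons); reasons lists every requirement not met."""
    reasons = []
    if not is_two_factor(req.factors_passed):
        reasons.append("two-factor requirement not met")
    if not source_allowed(req.source_ip, allowed_networks):
        reasons.append("source address not on the assigned-location list")
    if req.vendor:
        window = vendor_windows.get(req.user)  # (start, end) for this event
        if window is None or not (window[0] <= req.when <= window[1]):
            reasons.append("vendor access is not enabled for this event")
    return (not reasons, reasons)
```

Every unmet requirement is reported rather than only the first, which makes the decision easy to log and audit.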