
Does it violate PCI DSS requirements to provide a third party company with a Site-to-Site VPN connection for full management (SSH & HTTPS) access to network security equipment (such as a Web Application Firewall) that protects data in a PCI environment?

Also, would it violate PCI DSS requirements if the third party company provides their employees with Cisco AnyConnect so that essentially they can connect to their work network from anywhere and then bounce off the Site-to-Site VPN to those same network security appliances?

If either or both of those scenarios violates PCI DSS requirements where would I find a reference for it?

Thank you!

mkeenan

1 Answer


It's not a violation per se. I think it puts them and their equipment "in scope" for your PCI compliance efforts. Ask your QSA for clarification if you are unsure.

Trey Blalock