
Requirement 8.3: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

Current Situation:

We need to be PCI compliant in 2 regions (e.g. Japan and Thailand), but we have 5 other countries in Asia which are interconnected with a private MPLS link.

In Japan and Thailand we are PCI compliant level 4. We have implemented 2FA for vendors/service providers etc.

My question is: should the other offices' (Singapore, Malaysia, India) access to Japan and Thailand be restricted, given that we are able to connect through a private MPLS link? Or is it OK as we are connecting only through a private link?

WhiteWinterWolf
PCIrs

1 Answer

Disclaimer: IANAQSA, and if you're level 4, you probably don't have one. Be cautious.

My question is: should the other offices' (Singapore, Malaysia, India) access to Japan and Thailand be restricted, given that we are able to connect through a private MPLS link? Or is it OK as we are connecting only through a private link?

This is really a question of Scope - see pages 10-11 of PCI DSS 3.1. Section 8.3 is designed to cover the case of remote (which usually means intermittent, not always-on) access.

The guidance for 8.3 says:

If remote access is to an entity’s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, two-factor authentication for remote access to that network would not be required.

and the Network Segmentation section on page 11 states:

Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.

So the answer to your question is:

  1. If the remote (Singapore/Malaysia/India) sites have unrestricted access to your in-scope networks in Japan/Thailand via the MPLS, then they are also in-scope, and require the same level of PCI controls as Japan/Thailand. (That includes 2FA for any remote-remote users, e.g., users who VPN into India and can then connect over the MPLS to Japan)
  2. If the remote sites are properly restricted via Network Segmentation as described in the DSS, then 2FA is not required for the site or for access from the site in general. Access for a user at a remote site to in-scope resources at an in-scope site may require 2FA - again, to quote 8.3:

However, two-factor authentication is required for any remote access to networks with access to the cardholder data environment

(In fact, depending on the QSA, if you have both in-scope and out-of-scope networks at your Japan/Thailand sites, you may need multiple factors to identify site-local users who access the in-scope CDE from the out-of-scope network. I've seen varying levels of rigor on this topic from different QSAs)

gowenfawr
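The scoping logic in the answer (a segment is in scope if it can reach the CDE, and remote access into an in-scope segment needs 2FA, including the transitive VPN-into-India-then-MPLS-to-Japan case) can be checked mechanically once the allowed flows are written down. The following is an added example, not part of the original answer or of PCI DSS; the site names, segment names and flow lists are constructed, and the "allowed flows" are assumed to be the result of reading the firewall/ACL policy on the MPLS edge, which a QSA would want to see evidence for.

```python
"""Reachability-based PCI DSS scope / Requirement 8.3 check (added example).

Segments are sites or network zones; a directed edge (src, dst) means the
firewall/ACL policy permits connections initiated from src to dst.  A flat
MPLS with no filtering is modelled as edges in both directions between all
segments.  All names below are constructed for illustration.
"""
from collections import deque
from itertools import permutations

SEGMENTS = ["JP-CDE", "JP-corp", "TH-CDE", "TH-corp", "SG", "MY", "IN"]
CDE = {"JP-CDE", "TH-CDE"}

# Scenario A: unfiltered ("flat") MPLS - every segment can reach every other.
FLAT_FLOWS = list(permutations(SEGMENTS, 2))

# Scenario B: segmented - remote sites may only reach the Japan corporate
# zone, which itself cannot initiate connections into either CDE.
SEGMENTED_FLOWS = [
    ("IN", "JP-corp"), ("SG", "JP-corp"), ("MY", "JP-corp"),
    ("JP-corp", "TH-corp"),
]

# Scenario C: same as B, but one rule lets JP-corp reach the Japan CDE
# (e.g. an admin rule someone added later).  This is the transitive case.
LEAKY_FLOWS = SEGMENTED_FLOWS + [("JP-corp", "JP-CDE")]


def reachable_from(segment, allowed_flows):
    """Breadth-first search over allowed flows; returns every segment that
    a host in `segment` could connect to, directly or via hops."""
    seen = {segment}
    queue = deque([segment])
    while queue:
        cur = queue.popleft()
        for src, dst in allowed_flows:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def in_scope_segments(cde, allowed_flows, segments):
    """Per the Network Segmentation guidance: a segment is in scope unless it
    is isolated such that it cannot impact the CDE.  Here "can impact" is
    approximated as "can reach"; CDE segments are always in scope."""
    return {seg for seg in segments if reachable_from(seg, allowed_flows) & cde}


def remote_access_requires_2fa(entry_segment, cde, allowed_flows):
    """Requirement 8.3: remote access that lands in a segment with access to
    the CDE needs two-factor authentication."""
    return bool(reachable_from(entry_segment, allowed_flows) & cde)


def assess(allowed_flows, segments=SEGMENTS, cde=CDE):
    """Return (in-scope set, {segment: 2FA-needed-for-remote-access}) so the
    result can be reviewed per site, not just as a yes/no."""
    scope = in_scope_segments(cde, allowed_flows, segments)
    needs_2fa = {seg: remote_access_requires_2fa(seg, cde, allowed_flows)
                 for seg in segments}
    return scope, needs_2fa


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS),
                         ("leaky", LEAKY_FLOWS)):
        scope, needs_2fa = assess(flows)
        print(f"{label}: in scope = {sorted(scope)}")
        print(f"{label}: remote users landing in IN need 2FA? {needs_2fa['IN']}")
```

In scenario A every site is in scope and a VPN user landing in India needs 2FA; in scenario B only the two CDE segments are in scope and India's remote users do not; in scenario C a single JP-corp to JP-CDE rule drags JP-corp and all three remote sites back into scope, which is exactly why the answer ties the 2FA question to what the MPLS ACLs actually permit rather than to the link being private.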