Requirement 10: Facilitate secure remote access to payment application

Details about how requirement 10 and subrequirements 10.1 and 10.2 are fulfilled.

Requirement 10.1

Multi-factor authentication must be used for all remote access to the payment application that originates from outside the customer environment.

If the organization of the licensee enables remote access, this must be secured in accordance with requirement 10 by using multi-factor authentication.

IBM® Safer Payments itself implements multi-factor authentication through the distribution of personalized client certificates, which must be imported with the browser that is being used. See Creating certificates with OpenSSL for details.

If your installation requires a multi-factor authentication, you can either use multi-factor authentication as provided by IBM Safer Payments or use a third party multi-factor solution. For example, a remote VPN access.

Requirement 10.2

Any remote access into the payment application must be performed securely.

10.2.1 If payment application updates are delivered via remote access into customers’ systems, software vendors must tell customers to turn on remote-access technologies only when needed for downloads from vendor, and to turn off immediately after download completes. Alternatively, if delivered via virtual private network (VPN) or other high-speed connection, software vendors must advise customers to properly configure a firewall or a personal firewall product to secure “always-on” connections.
This requirement applies only if the licensee accepts updates to be delivered using remote access. To be PCI DSS compliant, such remote access must be turned on only temporarily, and when needed. It must be turned off immediately after use. Notwithstanding, PCI DSS Requirement 1 must always be met.

Use a securely configured firewall or a personal firewall product, if the computer is connected over VPN or other high-speed connection, to secure these “always-on” connections, per PCI DSS Requirement 1.

10.2.2 If vendors or integrators/resellers can access customers’ payment applications remotely, a unique authentication credential (such as a password/phrase) must be used for each customer.
Currently, remote access to a customer's environment is not allowed for vendors or integrators/resellers.
10.2.3 Remote access to customers’ payment applications by vendors, integrators/resellers, or customers must be implemented securely.
For any remote access, remote access security features must be used. These include but are not limited to:
  • Change default settings in the remote access software. For example, change default passwords and use unique passwords for each customer.
  • Allow connections only from specific (known) IP/MAC addresses.
  • Use strong authentication and complex passwords for login.
  • Enable encrypted data transmission according to PA-DSS Requirement 12.1.
  • Enable account lockout after a certain number of failed login attempts.
  • Configure the system so a remote user must establish a Virtual Private Network (VPN) connection over a firewall before access is allowed.
  • Enable the logging function.
  • Restrict access to customer passwords to authorized reseller/integrator personnel.
  • Establish customer passwords according to PA-DSS Requirements 3.1.1 through 3.1.11.
For more information, see Requirement 3: Provide secure authentication features.