Requirement 12: Secure all non-console administrative access
Details about how requirement 12 and subrequirements 12.1 and 12.2 are fulfilled.
Requirement 12.1
If the payment application facilitates non-console administrative access, encrypt all such access with strong cryptography using technologies such as SSH, VPN, or TLS, for web-based management and other non-console administrative access.
All administrative access to IBM® Safer Payments goes through the IBM Safer Payments API, which natively uses the HTTP or HTTPS protocol. To comply with this requirement, all API communication must use HTTPS only, which provides strong encryption. This can be achieved with the internal SSL encryption function of IBM Safer Payments. For more information, see Configuring SSL encryption.
- Requirement 12.1.1 Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or TLSv1.2 for web-based management and other non-console administrative access.
- This requirement aligns with PCI DSS requirement 2.3. To be compliant, you are required to use strong cryptography for non-console administrative access. Use technologies such as SSH2, VPN, or TLSv1.2 (use at least 128-bit encryption strength). Do not use telnet or rlogin for remote access to Safer Payments servers.
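As an added example (not part of the IBM documentation and not IBM Safer Payments code), the following Python script shows what an operator-side compliance check for requirement 12.1 can look like: it builds a client TLS context that refuses anything below TLSv1.2, verifies the server certificate and hostname, reports any cipher suite weaker than 128 bits, and rejects plain http:// URLs before a connection is ever attempted. The OpenSSL cipher string and the example host name are assumptions, not values from the product.

```python
import ssl
from urllib.parse import urlparse

# Minimum symmetric strength called for by the requirement (128-bit).
MIN_STRENGTH_BITS = 128


def build_admin_tls_context():
    """Return an ssl.SSLContext for a client calling the administrative API:
    TLS 1.2 or newer only, server certificate and hostname verified, and
    only cipher suites at or above 128 bits.
    The cipher string is an assumption using standard OpenSSL keywords."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def weak_ciphers(ctx):
    """Names of cipher suites the context would still offer whose symmetric
    strength is below MIN_STRENGTH_BITS; an empty list means compliant."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_STRENGTH_BITS]


def validate_admin_url(url):
    """Accept only https:// URLs for administrative API calls and reject
    plain http:// (or anything else) before any network access happens."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        raise ValueError(
            f"non-console administrative access must use https, "
            f"got {parsed.scheme!r}: {url}")
    if not parsed.hostname:
        raise ValueError(f"URL has no host: {url}")
    return url


def summarize(ctx):
    """Report dict that a compliance script can log or assert on."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "weak_ciphers": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    context = build_admin_tls_context()
    print(summarize(context))
    # Constructed example endpoint; replace with the real API address.
    print(validate_admin_url("https://saferpayments.example.internal:8001/"))
```

The context returned by build_admin_tls_context can be passed to any standard-library or third-party HTTP client that accepts an ssl.SSLContext, so the same policy applies to every script that talks to the API.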
Requirement 12.2
Use multi-factor authentication for all personnel with non-console administrative access.
You must implement processes to make sure that multi-factor authentication is used for all non-console administrative access. Multi-factor authentication requires at least two of the following factor categories:
- Something you have, such as a token device or a smart card.
- Something you are, such as a biometric identification.
- Something you know, such as a password or a passphrase.
To achieve multi-factor authentication, you can either use a third-party solution or the built-in IBM Safer Payments solution, which is described in Creating certificates with OpenSSL.
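As an added example (not part of the IBM documentation and not IBM Safer Payments code), the following Python script applies the factor list above to a constructed set of administrative sessions: each authentication method is mapped to one of the three categories, and a session counts as multi-factor only when the methods presented span at least two distinct categories, so a password plus a passphrase does not qualify, while a password plus a client certificate (something you have, such as one created with OpenSSL) does. The method names, the category mapping, and the session records are assumptions constructed for the example; an unrecognized method is treated as non-compliant so the check fails closed.

```python
from dataclasses import dataclass

# The three factor categories named in requirement 12.2.
HAVE = "something you have"
ARE = "something you are"
KNOW = "something you know"

# Assumed mapping from authentication method to factor category.
METHOD_CATEGORY = {
    "password": KNOW,
    "passphrase": KNOW,
    "pin": KNOW,
    "client_certificate": HAVE,  # e.g. a certificate issued with OpenSSL
    "hardware_token": HAVE,
    "smart_card": HAVE,
    "fingerprint": ARE,
    "face": ARE,
}


@dataclass(frozen=True)
class MfaDecision:
    satisfied: bool
    categories: tuple
    reason: str


def evaluate_mfa(methods_presented):
    """Decide whether the presented methods constitute multi-factor
    authentication: at least two distinct categories are required, and any
    unknown method makes the decision fail closed."""
    unknown = sorted(m for m in methods_presented if m not in METHOD_CATEGORY)
    if unknown:
        return MfaDecision(False, (), f"unrecognized method(s): {unknown}")
    categories = tuple(sorted({METHOD_CATEGORY[m] for m in methods_presented}))
    if len(categories) >= 2:
        return MfaDecision(True, categories, "two or more distinct factor categories")
    return MfaDecision(False, categories, "all presented methods fall in one category")


# Constructed session records; "console" marks local console logins, which
# requirement 12.2 does not cover.
SESSIONS = [
    {"user": "admin1", "console": False, "methods": ["password", "client_certificate"]},
    {"user": "admin2", "console": False, "methods": ["password", "passphrase"]},
    {"user": "operator", "console": True, "methods": ["password"]},
    {"user": "admin3", "console": False, "methods": ["smart_card"]},
    {"user": "admin4", "console": False, "methods": ["password", "magic_link"]},
]


def noncompliant_sessions(sessions):
    """Users whose non-console administrative session did not satisfy MFA."""
    return [s["user"] for s in sessions
            if not s["console"] and not evaluate_mfa(s["methods"]).satisfied]


if __name__ == "__main__":
    for session in SESSIONS:
        print(session["user"], evaluate_mfa(session["methods"]))
    print("non-compliant:", noncompliant_sessions(SESSIONS))
```

In practice the session records would come from the application's access log or identity provider; the decision logic stays the same.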