"Remote Access" in PCI DSS 3.2
8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows: Enabled only during the time period needed, disabled when not in use and monitored when in use.
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
This requirement is intended to apply to all personnel--including general users, administrators, and vendors (for support or maintenance) with remote access to the network--where that remote access could lead to access to the CDE. If remote access is to an entity’s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity’s networks.
8.5.1 Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
How to define "Remote Access"?
- Remote access is the ability to get access to a computer or a network from a remote distance.
- Remote access provides end users with the ability to access resources on the corporate network from a distant location.
- Ability to log on to a network, or to another computer over a network.
- Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN. This last definition is the one given in the PCI DSS v3.2 glossary.
Obviously, the term "remote access" is associated with the notion of distance. This raises another question in my wicked mind: how distant must one be from the target server to be considered remote? ... I leave that with you.
Remote access = access for authorized users external to an enclave established through a controlled access point at the enclave boundary.
Applied to PCI, the definition becomes: Access for authorized users external to the CDE established through a controlled access point at the CDE boundary. In other words, access from a computer located outside the CDE to the CDE or a network segment/server connected to the CDE.
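To show how the definition above plays out against requirements 8.3 and 8.3.2, here is an added example (not part of the original post) that models the entity's network as segments with allowed traffic paths and decides, for one connection, whether it is remote access to the CDE and whether MFA is required. The segment names, the traffic map and the reading of "connected to the CDE" as "can reach the CDE through allowed paths" are assumptions made for the example.

```python
from collections import deque

# Constructed segmentation map: segment -> segments it may initiate traffic into.
# "INTERNET" stands for anything outside the entity's network.
ALLOWED_TRAFFIC = {
    "INTERNET": ["VPN_POOL", "GUEST_WIFI"],
    "VPN_POOL": ["CORP_LAN", "JUMP_HOST"],
    "CORP_LAN": ["JUMP_HOST"],
    "JUMP_HOST": ["CDE"],
    "GUEST_WIFI": [],
    "CDE": [],
}

def can_reach_cde(segment, traffic=ALLOWED_TRAFFIC, cde="CDE"):
    """True if `segment` is the CDE or can reach it over allowed traffic paths."""
    seen, queue = {segment}, deque([segment])
    while queue:
        cur = queue.popleft()
        if cur == cde:
            return True
        for nxt in traffic.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def assess(src, dst, traffic=ALLOWED_TRAFFIC, cde="CDE"):
    """Classify one connection from segment `src` into segment `dst`.

    is_remote_access: source is outside the CDE boundary and the destination is
    the CDE or a segment connected to it (the definition derived in the post).
    mfa: "required", "recommended" or "not required", with the driving reason.
    """
    leads_to_cde = can_reach_cde(dst, traffic, cde)
    is_remote = src != cde and leads_to_cde
    from_outside = src == "INTERNET"  # originates outside the entity's network
    if from_outside and leads_to_cde:
        mfa, why = "required", "8.3.2: external origin and the network can reach the CDE"
    elif is_remote:
        mfa, why = "required", "8.3: remote access to the CDE under the definition above"
    elif from_outside:
        mfa, why = "recommended", "8.3.2: segmented so it cannot reach the CDE"
    else:
        mfa, why = "not required", "not remote access to the CDE under the definition above"
    return {"is_remote_access": is_remote, "mfa": mfa, "why": why}

if __name__ == "__main__":
    for pair in [("INTERNET", "VPN_POOL"), ("INTERNET", "GUEST_WIFI"),
                 ("CORP_LAN", "JUMP_HOST"), ("CDE", "CDE")]:
        print(pair, assess(*pair))
```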