PCI Requirements for Out-Of-Band Management
Over the past few months we've received an influx of product requests for appliances that can satisfy the PCI DSS rules on remote access for Out-of-Band Management. According to our clients, last year's changes to the PCI rules are now very clear about requiring two-factor authentication for all remote access.
PCI DSS Section 8.3 states:
Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
Prior to last year's PCI DSS v3.1, there may have been a gray area about what constituted two-factor authentication. Now, however, the position is unambiguous, as the rules state:
“using two separate passwords is not considered two-factor authentication”.
Two-factor authentication consists of something you know (a password) and something you have on your person or at your location (equipment or a token). According to CDI's customers, Out-of-Band Management, whether used on an internal network or on a third-party network under management, requires two-factor authentication to be PCI compliant.
All devices in the CDI ecosystem are designed to provide native two-factor security. Appliances are designed to integrate easily with network security tools, but they also provide two-factor authentication without relying on the network. This detail matters if the Out-of-Band connection is truly a method of last resort, because the primary network, and any authentication service that depends on it, may be unavailable at exactly the moment the out-of-band path is needed.
Many prospective clients are looking to use CDI's 4G cellular wireless products for PCI-compliant Out-of-Band Management. The appliances are simple to use and manage, and much less expensive to operate month over month. Average annual cost savings are significant.
For more information about PCI-compliant CDI products, please visit us here.