The Point-of-Rental Software Expert application does not support remote access capabilities. However, the underlying Windows Operating System (O/S) does support remote access. You, as a merchant, may choose to utilize these remote access capabilities, but in order to maintain PCI DSS compliance only remote access technology supporting two-factor authentication may be used. Two-factor authentication, consisting of two distinct factors drawn from something you have, something you know, and something you are, is required for remote access in order for you to maintain your PCI DSS compliance. In addition to the use of two-factor authentication, it is important to remember that the remote access capability should only be enabled when needed and disabled when no longer required. Furthermore, your remote access software must provide the following features or configuration settings:
• You must ensure the default settings in the remote access software are changed;
• Remote access software must be configured to only allow access from specific IP addresses;
• Encrypted data transmission, such as IPSEC VPN, SSH, or 128-bit SSL v3.0, must be enforced;
• Access to customer passwords must be restricted to authorized personnel;
• Logging of remote access must be enabled;
• Systems must be configured so that a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed;
• Unique user IDs must be used for each user account;
• Authentication composed of passwords and two-factor authentication must be used for remote access;
• Remote access must not require or use any group, shared, or generic accounts or passwords;
• Passwords must change every ninety (90) days or less;
• Passwords must be a minimum of seven (7) characters;
• Passwords must contain both numeric and alphabetic characters;
• Password history of the last four (4) passwords must be kept, and new passwords must be different from any of the last four (4) passwords;
• Account lockout must occur after six (6) invalid logon attempts;
• Remote access accounts must be locked out for no less than thirty (30) minutes or until reset by a system administrator; and
• Remote access sessions must time out after no more than fifteen (15) minutes of inactivity.
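The password, lockout, timeout, encryption and source-address items in the list above map to settings a merchant can read off the Windows host itself. The following audit script is an added example, not Point-of-Rental Software's own tooling: it exports the local security policy with secedit, reads the Remote Desktop registry values and the Remote Desktop firewall rule scope, and reports each setting against the thresholds stated in the list. The check names, the temporary file name and the report layout are the example's own choices. Two-factor authentication, VPN-before-access and logging depend on the remote access product in use and are not checked here.

```powershell
# Added audit script (not Point-of-Rental Software's code). Run from an elevated
# PowerShell prompt on the Windows host that accepts remote access. If the host is
# a domain member, confirm the values against the applicable Group Policy as well.

# Thresholds taken from the remote access requirement list.
$Thresholds = @{
    MaximumPasswordAge    = @{ Max = 90 }          # days
    MinimumPasswordLength = @{ Min = 7 }           # characters
    PasswordHistorySize   = @{ Min = 4 }           # remembered passwords
    PasswordComplexity    = @{ Min = 1 }           # 1 = complexity (letters and digits) enforced
    LockoutBadCount       = @{ Min = 1; Max = 6 }  # 0 would mean "never lock out"
    LockoutDuration       = @{ Min = 30 }          # minutes; -1 = locked until an administrator resets
}

function Get-LocalSecurityPolicy {
    # secedit writes an .inf file; its [System Access] section holds the password and lockout values.
    $inf = Join-Path $env:TEMP 'pci-remote-access-audit.inf'   # temporary file name chosen for this example
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        # Only plain "Name = integer" lines; registry and privilege entries do not match this pattern.
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordAndLockoutPolicy {
    $policy = Get-LocalSecurityPolicy
    foreach ($name in $Thresholds.Keys) {
        $rule  = $Thresholds[$name]
        $value = $policy[$name]
        $ok    = ($null -ne $value)                     # a missing value is reported as non-compliant
        if ($ok -and $rule.ContainsKey('Min')) { $ok = ($value -ge $rule.Min) }
        if ($ok -and $rule.ContainsKey('Max')) { $ok = ($value -le $rule.Max) }
        # A lockout that lasts until an administrator resets it also satisfies the list.
        if ($name -eq 'LockoutDuration' -and $value -eq -1) { $ok = $true }
        [pscustomobject]@{ Check = $name; Value = $value; Compliant = $ok }
    }
}

function Test-RdpSettings {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $get = { param($path, $name) (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name }

    $deny   = & $get $ts  'fDenyTSConnections'   # 1 = Remote Desktop disabled (the "off when not needed" state)
    $nla    = & $get $tcp 'UserAuthentication'   # 1 = Network Level Authentication required before a session starts
    $enc    = & $get $tcp 'MinEncryptionLevel'   # 3 = High (128-bit), 4 = FIPS compliant
    $idleMs = & $get $pol 'MaxIdleTime'          # idle limit in milliseconds; absent or 0 = no limit

    [pscustomobject]@{ Check = 'RemoteDesktopDisabledWhenNotNeeded'; Value = $deny;   Compliant = ($deny -eq 1) }
    [pscustomobject]@{ Check = 'NetworkLevelAuthentication';         Value = $nla;    Compliant = ($nla -eq 1) }
    [pscustomobject]@{ Check = 'MinEncryptionLevel128Bit';           Value = $enc;    Compliant = ($enc -ge 3) }
    [pscustomobject]@{ Check = 'IdleTimeout15Minutes';               Value = $idleMs
                       Compliant = ($null -ne $idleMs -and $idleMs -gt 0 -and $idleMs -le 900000) }
}

function Test-RdpFirewallScope {
    # A remote address of "Any" means the rule is not limited to specific source IP addresses.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Check = "FirewallScope:$($rule.Name)"; Value = ($addr -join ','); Compliant = ($addr -notcontains 'Any') }
    }
}

$report = @(Test-PasswordAndLockoutPolicy) + @(Test-RdpSettings) + @(Test-RdpFirewallScope)
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more settings do not meet the remote access requirements listed above.'
}
```

The script only reads settings; it changes nothing, so it can be run before and after a configuration change to confirm the result. A third-party remote access product may keep its own timeout and source-address controls, in which case those must be reviewed in that product's console in addition to the Windows values reported here.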
Note: All remote non-console administrative access to the payment application or servers in the environment must be encrypted utilizing SSH, VPN, SSL/TLS or other encryption technology in order to maintain PCI DSS compliance.
In the case of Point-of-Rental Software customer support, Point-of-Rental Software utilizes the application TeamViewer for remote access. This access is only enabled during the time of support and must be disabled after support is concluded. Company uses AES256 encryption to secure the connection, with authentication based on a unique RSA private/public key pair for each Customer Support Engineer, further secured by the use of RSA tokens that each engineer must present in order to access their assigned keys.
To use TeamViewer, a Company engineer will direct you to the TeamViewer website to download and run the client. The Company engineer will have you run the TeamViewer remote access software, and you will verbally provide the engineer with the Session ID and password. Using this information, the engineer will authenticate to your system and assist with troubleshooting any issues. Once troubleshooting is complete, you will exit the TeamViewer application, terminating any remote access. Company will never have access to your computers without you initiating connectivity first.
Note: It is imperative that you terminate the TeamViewer connection when requested so as not to have a persistent remote-access point into your network. This is required in order for you to maintain your PCI DSS compliance.