Securely Implement Remote Access Software

Per PCI DSS requirement 2.3, all non-console administrative access to the server must be encrypted using technologies such as SSH, VPN, or TLS (1.2 or newer). Telnet, rlogin, and other unencrypted protocols must not be used for remote administrative access.

CloudBlue uses remote access to your Billing environment for support and updates. Also, your staff members may access the Billing environment remotely for administrative work.

You must enforce secure access, which includes, but is not limited to:

  • Changing default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
  • Allowing connections only from specific (known) IP/MAC addresses.
  • Using strong authentication and complex passwords for logins according to PCI DSS requirements 8.1, 8.3, and 8.5–8.5.1.
  • Enabling encrypted data transmission according to PCI DSS requirement 4.1. For example, use strong cryptography and security protocols such as TLS (1.2 or newer) or IPsec.
  • Enabling account lockout after a certain number of failed login attempts according to PCI DSS requirement 8.1.6.
  • Configuring the system so a remote user must establish a Virtual Private Network (VPN) connection via a firewall before access is allowed.
  • Enabling the logging function.
  • Restricting access to customer passwords to authorized reseller/integrator personnel.
  • Establishing customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, and 8.5.
  • Configuring HTTPS to access the Provider Control Panel. For more information, please refer to Knowledge Base Article #44001889619.
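
Several of the controls above (encrypted protocol only, unique named accounts, a cap on failed attempts, restriction to known sources, logging) map directly onto OpenSSH server directives, so they can be verified rather than just mandated. The following POSIX shell script is an added example, not CloudBlue's own code or tooling: it audits an `sshd_config` file and prints one `FAIL:` line per control it finds violated. The two sample configurations, the `ops-admin` user and the `10.10.0.0/24` management range are constructed for the example.

```shell
#!/bin/sh
# Added example (not CloudBlue's code): audit an OpenSSH sshd_config against the
# remote-access controls listed on this page. The sample configurations below
# are constructed; the directive names are standard OpenSSH keywords.

# Print the value of the first uncommented occurrence of a directive.
# sshd_config semantics: the first occurrence of a keyword wins, so later
# duplicates are ignored. Match blocks are not evaluated by this simple audit.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one "FAIL: ..." line per control that the given sshd_config violates.
audit_sshd_config() {
    cfg="$1"

    # Encrypted transport only: the obsolete SSH-1 protocol must not be enabled.
    case "$(get_directive "$cfg" Protocol)" in
        *1*) echo "FAIL: Protocol allows SSH-1; use protocol 2 only (PCI DSS 2.3)" ;;
    esac

    # Unique, authenticated logins: no direct root login, no empty passwords.
    if [ "$(lower "$(get_directive "$cfg" PermitRootLogin)")" = "yes" ]; then
        echo "FAIL: PermitRootLogin yes; require named administrator accounts (PCI DSS 8.1)"
    fi
    if [ "$(lower "$(get_directive "$cfg" PermitEmptyPasswords)")" = "yes" ]; then
        echo "FAIL: PermitEmptyPasswords yes; every login needs a strong password or key (PCI DSS 8.2)"
    fi

    # Cap failed attempts per connection (the account lockout itself lives in PAM).
    tries="$(get_directive "$cfg" MaxAuthTries)"
    if [ -z "$tries" ] || [ "$tries" -gt 6 ] 2>/dev/null; then
        echo "FAIL: MaxAuthTries unset or above 6; limit failed attempts (PCI DSS 8.1.6)"
    fi

    # Known users and sources only: require an AllowUsers/AllowGroups restriction.
    if [ -z "$(get_directive "$cfg" AllowUsers)" ] && [ -z "$(get_directive "$cfg" AllowGroups)" ]; then
        echo "FAIL: no AllowUsers/AllowGroups; restrict logins to known users and source addresses"
    fi

    # Logging must be enabled at a level that records authentication events.
    case "$(lower "$(get_directive "$cfg" LogLevel)")" in
        ""|quiet|fatal|error) echo "FAIL: LogLevel unset or too low; use INFO or VERBOSE" ;;
    esac
    return 0
}

# Number of violated controls for a configuration file (prints 0 when clean).
count_findings() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed sample configurations, written to temporary files.
WEAK_CFG="$(mktemp)"
HARD_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# Constructed weak configuration: unchanged defaults plus legacy protocol
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
LogLevel QUIET
EOF

cat > "$HARD_CFG" <<'EOF'
# Constructed hardened configuration
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
# Named administrator, only from the management VPN range (constructed address)
AllowUsers ops-admin@10.10.0.0/24
LogLevel VERBOSE
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== auditing $f =="
    audit_sshd_config "$f"
    echo "findings: $(count_findings "$f")"
done
```

Run it as `sh audit_sshd.sh`; the weak sample yields six findings and the hardened sample none. The script checks only the sshd side: the lockout required by requirement 8.1.6 is enforced by the PAM stack (for example a faillock-style module), and source-address filtering is normally duplicated at the firewall or VPN gateway, so neither is proven by a clean sshd audit alone.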