PCI Question: Two Factor Authentication

In order to be PCI compliant - would all network logins in a company need to be two factor?  Or could you limit factor say to just when people are VPN'ing in to the company?  That is - in PCI compliant companies  - when the employees come in to the office do they need to use two factor authentication to get onto their machines and the LAN and start working?
amigan_99 (Network Engineer) asked:

Rich Rumble (Security Samurai) commented:
Two factor for VPN, and only if the VPN would allow someone to access PCI servers, data or networks (which is the case for 99% of companies that use VPNs).

amigan_99 (Network Engineer, Author) commented:
Thank you much!

btan (Exec Consultant) commented:
For remote admin by sysadmins (regardless of VPN), 2FA is likewise critical and should be considered mandatory. Ideally there is SSO across related apps using that single identity.
amigan_99 (Network Engineer, Author) commented:
Hi Bread - can you clarify what you mean by remote administration? If I come into the home office and RDP to the Domain Controller so I can add some users, say, and that is reached via WAN and is in the data center 100 miles away - are you saying *that* would need 2FA?
btan (Exec Consultant) commented:
Yep :) VPN secures the channel while 2FA secures the identity.

Home user accessing the intranet: VPN minimally.
Sysadmin accessing remotely (not physically at the server): 2FA + secure channel minimally.

But typically a VPN like AnyConnect can tie to a smartcard, so I see that as long as it is remote, 2FA comes together naturally (hopefully not resorting to username/password where possible).

amigan_99 (Network Engineer, Author) commented:
Thanks much for the insight.