(12.3) For critical employee-facing technologies, departmental procedures shall require:

• (12.3.1) explicit management approval to use the devices
• (12.3.2) that all device use is authenticated with username and password or other authentication item (for example, token)
• (12.3.3) a list of all devices and personnel authorized to use the devices
• (12.3.4) labeling of devices with owner, contact information, and purpose
• (12.3.8) automatic disconnect of modem sessions after a specific period of inactivity
• (12.3.9) activation of modems used by vendors only when needed by vendors, with immediate deactivation after use

Departmental usage standards shall include:

• (12.3.5) acceptable uses for the technology
• (12.3.6) acceptable network locations for the technology
• (12.3.7) a list of company-approved products
• (12.3.10) prohibition of the storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing such data remotely via modem
• (12.3.10) prohibition of use of cut-and-paste and print functions during remote access