Want a Word document copy of the entire policy template? Sign up for the PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

(12.3) For critical employee-facing technologies (inclusive of remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and personal data/digital assistants), departmental procedures shall require:

• (12.3.1) explicit management approval to use the devices
• (12.3.2) that all device use is authenticated with username and password or other authentication item (for example, token)
• (12.3.3) a list of all devices and personnel authorized to use the devices
• (12.3.4) labeling of devices with owner, contact information, and purpose
• (12.3.8) automatic disconnect of remote access technology sessions after a specific period of inactivity
• (12.3.9) activation of remote access technologies used by vendors only when needed by vendors, with immediate deactivation after use

Departmental usage standards shall include:

• (12.3.5) acceptable uses for the technology
• (12.3.6) acceptable network locations for the technology
• (12.3.7) a list of company-approved products
• (12.3.10) prohibition of the storage of cardholder data onto local hard drives and removable electronic media when accessing such data via remote access technologies
• (12.3.10) prohibition of copy, move, storage and print functions during remote access