Want a Word document copy of the entire policy template? Sign up for theĀ PCI DSS Guru newsletter and receive a free copy that you can edit and use in your organization!

(12.3) For critical employee-facing technologies, departmental procedures shall require:

  • (12.3.1) explicit management approval to use the devices
  • (12.3.2) that all device use is authenticated with username and password or other authentication item (for example, token)
  • (12.3.3) a list of all devices and personnel authorized to use the devices
  • (12.3.4) labeling of devices with owner, contact information, and purpose
  • (12.3.8) automatic disconnect of modem sessions after a specific period of inactivity
  • (12.3.9) activation of remote access technologies used by vendors only when needed by vendors, with immediate deactivation after use

Departmental usage standards shall include:

  • (12.3.5) acceptable uses for the technology
  • (12.3.6) acceptable network locations for the technology
  • (12.3.7) a list of company-approved products
  • (12.3.10) prohibition of the storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing such data remotely via remote access technologies
  • (12.3.10) prohibition of use of cut-and-paste and print functions during remote access