
Policy 5.18
Cardholder Data Environment Remote Access Policy

Responsible Official: Enterprise CIO and Sr. Vice Provost for Library Services and Digital Scholarship
Administering Division/Department: Payment Card (PCI) Policies
Effective Date: April 29, 2015
Last Revision: May 15, 2015

Overview

This policy explains Emory’s official position on how the organization restricts remote access to the Cardholder Data Environment (CDE).

Applicability

This policy applies to the people, process, and technology involved with accessing and/or governing remote access to the Cardholder Data Environment (CDE). 

Policy Details

All portable computing devices, such as remote computers, laptops, workstations, or mobile devices, whether employee-owned or company-owned, are prohibited at all times from connecting remotely and directly to the Cardholder Data Environment (CDE). Any remote access to the CDE must go through an Emory-approved “jump-box” built to specific standards that meet or exceed PCI DSS requirements.

User/Jump-Box Requirements:

· User must be a member of the PCI Core VPN Group.

· User must use two-factor authentication (such as a secure ID token) to access the jump-box.

· User must use an Emory-owned computer.

· Jump-box must be managed by LITS (Libraries and Information Technology Services).

· Jump-box must be configured and managed in a manner that complies with all PCI Data Security Standard requirements, and must receive explicit approval from LITS Enterprise Security prior to use.

· The physical and logical location of the jump-box within the Emory environment must be approved by LITS Enterprise Security prior to use.

Definitions

Cardholder Data - At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

CDE - Acronym for “cardholder data environment.” The people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
