Mercury Payments - Remote Access Rules (PCI)

Follow these basic rules to effectively manage remote access for your merchants:

1. Limit the number of people who can access the system remotely. Only allow and provide remote access to those who have a strong business need. This typically includes the POS system vendor/reseller for remote service. Owners, management and administrators of the merchant location may also require remote access.

2. Do not share remote access credentials. Ensure that each user with remote access has unique credentials.

3. Disable remote access user accounts when no longer needed. Keep track of all the users to be sure that remote access is still necessary.

4. Utilize two-factor authentication whenever possible. Using two factors as opposed to one delivers a higher level of authentication assurance.

5. Never leave remote access software on and “listening” for incoming connections. It is always best to select a remote access package that requires a user at the merchant site to start or log on to initiate a remote access session.

More resources and information about Payment Card Industry Data Security Standards are available on Mercury’s web site.

Copyright - Mercury Payments Systems
The Mercury Messenger, January 2008
http://www.mercurypay.com/go/messenger0108/remote_access.html
