and to turn off immediately after download completes. Alternatively, if delivered via VPN or other high-speed connection, software vendors must advise customers to properly configure a firewall or a personal firewall product to secure authentication using a two-factor authentication mechanism. PCI Data Security Standard Requirement 8.3
10.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism. PCI Data Security Standard Requirement 8.3
10.3 Any remote access into the payment application must be done securely. If vendors, resellers/integrators, or customers can access customers' payment applications remotely, the remote access must be implemented securely. PCI Data Security Standard Requirements 1, 8.3 and 12.3.9
11. Encrypt sensitive traffic over public networks
11.1 If the payment application sends, or facilitates sending, cardholder data over public networks, the payment application must support use of strong cryptography and security protocols such as SSL/TLS and Internet Protocol Security (IPsec) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are:
• The Internet
• Wireless technologies
• Global System for Mobile Communications (GSM)
• General Packet Radio Service (GPRS)
PCI Data Security Standard Requirement 4.1
11.2 The payment application must never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, and chat). PCI Data Security Standard Requirement 4.2
12. Encrypt all non-console administrative access
12.1 Instruct customers to encrypt all non-console administrative access using technologies such as SSH, VPN, or
SSL/TLS for web-based management and other non-console administrative access. Telnet or remote login must
never be used for administrative access. PCI Data Security Standard Requirement 2.3
13. Maintain instructional documentation and training programs for customers, resellers, and integrators
13.1 Develop, maintain, and disseminate a PA-DSS Implementation Guide(s) for customers, resellers, and integrators that accomplishes the following:
• Addresses all requirements in this document wherever the PA-DSS Implementation Guide is referenced.
• Includes a review at least annually and updates to keep the documentation current with all major and minor
software changes as well as with changes to the requirements in this document.
13.2 Develop and implement training and communication programs to ensure payment application resellers and
integrators know how to implement the payment application and related systems and networks according to the
PA-DSS Implementation Guide and in a PCI DSS-compliant manner.
• Update the training materials on an annual basis and whenever new payment application versions are released.
3.5 More Information
IDTech Systems, Inc. highly recommends that merchants contact the card association(s) or their processing company and find out exactly what they mandate and/or recommend. Doing so may help merchants protect themselves from fines and fraud.
For more information related to security, visit:
IDTech iOS SDK Guide for NEO2 #80152802-001