PCI Requirement 2.3 – Encryption

by Randy Bartels / June 30th, 2017

Administrative Access and Strong Encryption

PCI Requirement 2.3 calls out the need to encrypt all non-console administrative access using strong cryptography. If your organization does not meet PCI Requirement 2.3, a malicious user who can see your network traffic could sniff administrative sessions and capture credentials, configuration details, or other sensitive operational information.
Your organization does not have to encrypt all types of access, just administrative access. So, what does “administrative access” mean? If a user has the ability to impact or make changes to a system or a setting that would impact the security of the sensitive data that you are trying to protect, that user should be classified as an administrative-type role. Or, if a user has the ability to impact the security of another user or change another user’s experience, that user should also be considered in an administrative-type role.

PCI Requirement 2.3 also instructs organizations to use “strong cryptography,” but what exactly is classified as “strong cryptography”? The PCI DSS glossary states, “To be considered ‘strong cryptography,’ industry-recognized protocols with appropriate key strengths and key management should be in place as applicable for the type of technology in use.” In practice that means current protocol versions (for example TLS 1.2 or SSH) with adequate key lengths, not legacy versions such as SSL or early TLS.

During the PCI Requirement 2.3 assessment, your assessor should observe administrators logging on to verify a couple of things. First, the system configurations are examined to prove that a strong encryption method is invoked before the administrator’s password is requested, so the credential never crosses the network in the clear. Observing an administrator log on to each system also proves that “administrator access to any web-based management interfaces is encrypted with strong cryptography.” In addition to observing administrators, the assessor examines vendor documentation to confirm that the products you rely on implement strong cryptography according to industry standards.

We encourage your organization to be aware of how you are connecting to your assets and to use only secure protocols, ports, and services. Encrypting administrative sessions prevents a malicious user who is already on your network from sniffing administrator credentials, using them to gain administrative rights, and taking data.

PCI DSS Requirement 2.3

PCI DSS Requirement 2.3 calls out the need to encrypt all non-console administrative access. This doesn’t mean you have to encrypt all access; we’re only looking to see that you’re encrypting administrative-type access.

Now, I want to talk a little bit about administrative access and, from an assessment perspective, how we classify administrative. If you have the ability to impact or make changes to a system or a setting that would impact the security of the data that you’re trying to protect, or you have the ability to impact the security of a user or change a user’s experience, we put those types of actions in the administrative-type role.

From an assessment perspective, the assessor is likely to ask you for the results of an Nmap scan that’s been run against your environment. What this will define for us is what protocols, ports, and services you actually have open. We’re going to be looking at the installed and running services. One of the things we’re going to look for is: you might have VNC running, you might have telnet running, you might have a plethora of different protocols, ports, and services that are open and applications that are running in order to support these remote-access services.

You’re required to have these encrypted, and they need to be encrypted with strong cryptography. As part of this, there might be situations where you as an organization have a legacy mainframe server running some type of TN3270 that only supports TLS 1.0. In situations like that, from an assessment perspective, we would have to look for other security features that you can implement, or perhaps put a wrapper around these protocols to secure them. To give an example, if you’re running a Microsoft server, there are different encryption negotiation levels these servers support. Typically, the default setting is to negotiate. From a security and assessment perspective, we look to see the encryption setting for RDP set to High. This forces strong encryption.
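The triage an assessor does on that Nmap output (find the open remote-access services, then decide which are cleartext, which are TLS-wrapped but still negotiate weak versions such as TLS 1.0, and which, like RDP, need a server-side configuration check) can be scripted. The following Python is an added example, not code from the original post. It assumes the XML layout of `nmap -sV --script ssl-enum-ciphers -oX`: a `tunnel="ssl"` attribute on the `service` element for TLS-wrapped ports and one `table` per offered protocol version under the `ssl-enum-ciphers` script element. The sample scan embedded in it is constructed by hand, and its addresses, ports, and services are invented.

```python
"""Triage an Nmap XML scan for PCI DSS Requirement 2.3: list every open
administrative service and whether it is reachable only over strong
cryptography.

Added example, not code from the original article. SAMPLE_XML is constructed
by hand to mimic `nmap -sV --script ssl-enum-ciphers -oX scan.xml` output;
its addresses, ports and services are invented.
"""
import xml.etree.ElementTree as ET

# Services whose credentials cross the wire in the clear unless wrapped.
CLEARTEXT_ADMIN = {
    "telnet": "replace with SSH, or wrap in a TLS/SSH tunnel (stunnel, ssh -L)",
    "vnc": "tunnel over SSH/TLS or use a VNC server that enforces TLS",
    "ftp": "move to SFTP or FTPS",
    "http": "serve the management interface over HTTPS only",
    "login": "rlogin: replace with SSH",
}
# Encrypted on the wire, but strength depends on server configuration.
CONFIG_CHECK = {
    "ms-wbt-server": "RDP: set 'Set client connection encryption level' to "
                     "High or FIPS Compliant and require TLS/NLA",
}
NATIVELY_ENCRYPTED = {"ssh"}
# Protocol versions PCI DSS no longer accepts as strong cryptography.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample scan (not real hosts): one server with a typical mix of
# admin services, and a legacy mainframe gateway that only offers TLS 1.0.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="closed"/><service name="http" method="table" conf="3"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl" method="probed" conf="10"/>
    <script id="ssl-enum-ciphers" output="..."><table key="TLSv1.2"><table key="ciphers"/></table><elem key="least strength">A</elem></script>
   </port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc" method="probed" conf="10"/></port>
  </ports>
 </host>
 <host><address addr="10.0.0.9" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="992"><state state="open"/><service name="telnet" tunnel="ssl" method="probed" conf="10"/>
    <script id="ssl-enum-ciphers" output="..."><table key="TLSv1.0"><table key="ciphers"/></table><elem key="least strength">C</elem></script>
   </port>
  </ports>
 </host>
</nmaprun>
"""


def tls_versions(port):
    """Protocol versions offered on this port per ssl-enum-ciphers (empty if it did not run)."""
    script = port.find("script[@id='ssl-enum-ciphers']")
    if script is None:
        return set()
    return {t.get("key") for t in script.findall("table")}


def assess_port(port):
    """Return (verdict, note) for one open <port> element."""
    svc = port.find("service")
    name = svc.get("name", "") if svc is not None else ""
    if svc is not None and svc.get("tunnel") == "ssl":
        weak = tls_versions(port) & WEAK_TLS
        if weak:
            return "FAIL", "TLS wrapper offers %s; disable them or apply compensating controls" % ", ".join(sorted(weak))
        return "PASS", "TLS-wrapped %s" % name
    if name in CLEARTEXT_ADMIN:
        return "FAIL", "cleartext %s: %s" % (name, CLEARTEXT_ADMIN[name])
    if name in CONFIG_CHECK:
        return "CHECK", CONFIG_CHECK[name]
    if name in NATIVELY_ENCRYPTED:
        return "PASS", "%s is encrypted natively" % name
    return "REVIEW", "unclassified service %r; confirm it is not an admin interface" % name


def triage(xml_text):
    """Map (address, port) -> (verdict, note) for every open TCP port in the scan."""
    findings = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            findings[(addr, int(port.get("portid")))] = assess_port(port)
    return findings


if __name__ == "__main__":
    for (addr, portid), (verdict, note) in sorted(triage(SAMPLE_XML).items()):
        print("%-6s %s:%-5d %s" % (verdict, addr, portid, note))
```

Run against a real scan by replacing `SAMPLE_XML` with the file contents. The RDP verdict is deliberately "CHECK" rather than "PASS": the scan cannot see the server's negotiated encryption level, so the assessor still has to confirm the Remote Desktop Session Host security setting (High or FIPS Compliant) on the host itself. The TLS 1.0 gateway is reported as a failure with the offending version named, which is the evidence you would carry into a compensating-control discussion.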

So, be aware of how you’re connecting to your assets, making sure that the protocols, ports, and services that you’re using are secure. The intent behind this is to prevent a malicious user that may be in your environment from sniffing this traffic and gaining the authentication credentials.