Can your employees access customer systems remotely?
Explanation
At issue is whether your own employees have the ability to remotely access customer systems or environments. In the context of PCI DSS (Payment Card Industry Data Security Standard), this is important because remote access creates additional security risks, especially when dealing with systems that process, store, or transmit payment card data.
Remote access refers to the ability to connect to and interact with a system from a location outside of the customer's physical environment. This could include accessing customer servers, databases, applications, or networks through VPN, SSH, remote desktop tools, or other remote access technologies.
This question is being asked because:
- Remote access introduces additional attack vectors and security risks
- PCI DSS has specific requirements for securing remote access connections
- The assessor needs to understand if additional controls need to be evaluated
- Remote access to customer systems may require additional authorization, monitoring, and security measures
When answering this question, you should:
- Be clear about whether remote access to customer systems is allowed or not
- If remote access is allowed, explain the circumstances under which it occurs
- Describe the security controls in place to protect these remote connections
- Mention any authentication methods, access limitations, or monitoring in place
- Note any customer approval processes required before remote access is granted
Example Responses
Example Response 1
Yes, our support engineers can access customer systems remotely, but only under specific circumstances and with strict controls Remote access is only granted when troubleshooting issues that cannot be resolved through other means, and only after receiving explicit written approval from an authorized customer representative All remote access sessions require multi-factor authentication, are conducted through encrypted VPN tunnels, are limited to the specific systems necessary for troubleshooting, are logged and recorded, and are monitored in real-time by our security team Remote access credentials are unique to each engineer and are rotated every 30 days All remote access sessions are terminated immediately upon completion of the required work.
Example Response 2
No, our employees do not have remote access to customer systems Our service operates on a SaaS model where customers access our application through secure web interfaces All maintenance, updates, and support are performed on our own infrastructure, not on customer systems If troubleshooting is required, we work with customers to gather necessary logs and information through secure file transfer methods, but we never directly access customer environments or systems remotely.
Example Response 3
Currently, our technical support team does have the capability to remotely access customer systems for troubleshooting purposes, but we recognize this presents security risks We are in the process of implementing stronger controls around this access At present, remote access occurs through standard RDP or SSH connections with basic password authentication We do not yet have a formal customer approval process in place, though we typically notify customers before connecting We acknowledge this is an area for improvement in our security program, and we are working to implement multi-factor authentication, session recording, and formal access request procedures within the next quarter.
Context
- Tab
- Case-Specific
- Category
- Payment Card Industry Data Security Standard (PCI DSS)
Related questions
- Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?
- Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?
- Does the system or solutions use a third party to collect, store, process, or transmit cardholder (payment/credit/debt card) data?
- Do your systems or solutions store, process, or transmit cardholder (payment/credit/debt card) data?
- Are you compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
- Are you classified as a service provider?

