WithPCI.com

2.2.7 All non-console administrative access is encrypted using strong cryptography.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

2.2.7 All non-console administrative access is encrypted using strong cryptography.

Customized Approach Objective

Unauthorized individuals cannot view or collect data transmitted during administration of system components.

Applicability Notes

This includes administrative access via browser-based interfaces and application programming interfaces (APIs).

Defined Approach Testing Procedures

2.2.7.a Examine system configuration standards to verify they require all non-console administrative access to be encrypted with strong cryptography.

2.2.7.b Observe an administrator log on to system components and examine system configurations to verify that non-console administrative access is encrypted with strong cryptography.

Purpose

If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational information (like administrator passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data.

Good Practice

Clear-text protocols such as HTTP, Telnet, or rlogin should never be used for administrative access.

Technologies for non-console administrative access include, but are not limited to, SSH, VPN, or TLS for web-based management and other non-console administrative access.

Purpose

Ensure all non-console administrative access is encrypted to prevent interception of sensitive administrative information.

What's Required for Compliance

  • Encrypt all non-console administrative access with strong cryptography
  • Include browser-based interfaces and APIs in encryption requirements

Compliance Strategies

  • Implementation of secure protocols (SSH, HTTPS, VPN)
  • Regular audit of administrative access methods
  • Encryption validation testing

Typical Policies and Procedures

  • Remote Access Policy
  • Secure Administration Procedure
  • Encryption Standards Policy

Common Pitfalls and Failures

  • Use of clear-text protocols
  • Weak encryption configurations
  • Incomplete implementation across all systems
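As an added illustration (not part of the WithPCI page or of the PCI DSS text), the Python below shows one way to do the "encryption validation testing" listed under Compliance Strategies and to catch the three pitfalls above: it audits an inventory of non-console administrative access paths, flagging clear-text protocols, deprecated TLS/SSH versions, and transports it cannot classify, and then cross-checks a listener listing for clear-text admin ports that the inventory omitted (incomplete implementation). The inventory rows, the host names and the `ss -ltn`-style listing are all constructed sample data; the protocol and version sets are the author's assumptions about what "strong cryptography" excludes, not a definition taken from the standard.

```python
"""Audit non-console administrative access paths for PCI DSS 2.2.7.

Flags clear-text protocols, deprecated crypto versions and unclassified
transports in an inventory, and looks for clear-text admin listeners that
the inventory does not mention. All sample data below is constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory: one row per administrative access path.
SAMPLE_INVENTORY = """\
host,service,protocol,port,crypto
fw-edge-01,web-admin,https,443,tls1.3
fw-edge-01,cli,ssh,22,ssh2
sw-core-02,cli,telnet,23,
sw-core-02,web-admin,http,80,
db-01,cli,ssh,22,ssh2
lb-03,web-admin,https,8443,tls1.0
api-gw-01,mgmt-api,https,443,tls1.2
legacy-kvm,ipmi,ipmi,623,
"""

# Assumed classification (not from the page): protocols that carry admin
# credentials in the clear, encrypted transports, and version strings that
# are deprecated versus acceptable.
CLEARTEXT_PROTOCOLS = {"http", "telnet", "rlogin", "rsh", "ftp"}
ENCRYPTED_PROTOCOLS = {"https", "ssh", "ipsec", "sslvpn"}
WEAK_CRYPTO = {"ssl2", "ssl3", "tls1.0", "tls1.1", "ssh1"}
ACCEPTABLE_CRYPTO = {"tls1.2", "tls1.3", "ssh2"}

# Well-known ports of clear-text admin protocols, used to check observed listeners.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 513: "rlogin", 514: "rsh"}


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    status: str  # CLEARTEXT | WEAK | UNKNOWN | OK
    reason: str


def assess_path(row):
    """Classify one inventory row; anything other than OK needs remediation or review."""
    host, service = row["host"], row["service"]
    proto = row["protocol"].strip().lower()
    crypto = row["crypto"].strip().lower()
    if proto in CLEARTEXT_PROTOCOLS:
        return Finding(host, service, "CLEARTEXT", f"{proto} sends admin credentials in the clear")
    if proto not in ENCRYPTED_PROTOCOLS:
        return Finding(host, service, "UNKNOWN", f"protocol {proto!r} is not a recognised encrypted transport; review manually")
    if crypto in WEAK_CRYPTO:
        return Finding(host, service, "WEAK", f"{proto} negotiates {crypto}, which is deprecated")
    if crypto not in ACCEPTABLE_CRYPTO:
        return Finding(host, service, "UNKNOWN", f"{proto} with unrecorded crypto version {crypto!r}")
    return Finding(host, service, "OK", f"{proto} over {crypto}")


def audit_inventory(csv_text):
    """Assess every row of a CSV inventory with the columns used in SAMPLE_INVENTORY."""
    return [assess_path(row) for row in csv.DictReader(io.StringIO(csv_text))]


def noncompliant(findings):
    return [f for f in findings if f.status != "OK"]


def summarize(findings):
    """Count findings per status, e.g. {'OK': 4, 'CLEARTEXT': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed listener listing in the style of `ss -ltn` output from sw-core-02.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
"""


def cleartext_listeners(listing):
    """Return sorted (port, protocol) pairs for LISTEN sockets on known clear-text admin ports."""
    found = set()
    for line in listing.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        if port in CLEARTEXT_PORTS:
            found.add((port, CLEARTEXT_PORTS[port]))
    return sorted(found)


if __name__ == "__main__":
    findings = audit_inventory(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.status:9} {f.host:12} {f.service:10} {f.reason}")
    print("summary:", summarize(findings))
    print("clear-text admin listeners on sw-core-02:", cleartext_listeners(SAMPLE_LISTENERS))
```

Running it on the sample data yields four compliant paths, two clear-text paths (Telnet and HTTP management on sw-core-02), one weak path (TLS 1.0 on lb-03) and one unclassified transport (IPMI on legacy-kvm) that needs a manual decision; the listener check independently confirms that ports 23 and 80 are still open on sw-core-02. The same split is useful as evidence for testing procedure 2.2.7.b: the inventory documents the intended configuration, and the observed listeners show whether it was actually applied everywhere.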

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Administrative credential interception
  • Man-in-the-middle attacks
  • Unauthorized system access

Product/Vendor Recommendations

  • SSH tools
  • VPN solutions (Cisco, Fortinet, Palo Alto)
  • TLS/HTTPS for web management
  • Privileged Access Management (PAM) solutions

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
