PCI DSS 2.2.7: Encrypting Non-Console Administrative Access
Non-console administrative access is a critical attack vector that requires strong cryptographic protection under PCI DSS 2.2.7. This control ensures that SSH, HTTPS, and other remote administrative channels cannot be intercepted or compromised. Implementing proper encryption is essential for protecting sensitive systems and maintaining PCI compliance.
What this means
PCI DSS 2.2.7 requires that all administrative access methods that don't use physical console connections must use strong cryptography to protect data in transit. This includes remote access protocols like SSH, TLS/SSL for web-based management interfaces, and VPN connections. The encryption must be applied to both authentication and session traffic to prevent credential theft and unauthorized system modifications.
How to comply
- 1.Disable unencrypted administrative protocols (Telnet, HTTP) on all systems and network devices
- 2.Enforce TLS 1.2 or higher for all web-based administrative interfaces
- 3.Configure SSH with strong key exchange algorithms and ciphers (minimum 256-bit encryption)
- 4.Implement VPN for remote administrative access with AES-256 or equivalent encryption
- 5.Enforce multi-factor authentication alongside encrypted channels for admin access
- 6.Document and maintain an inventory of all administrative access methods and their encryption standards
- 7.Test encrypted channels regularly to ensure no downgrade attacks or weak cipher suites are active
- 8.Configure session timeouts to minimize exposure window for encrypted administrative sessions
Evidence auditors look for
- SSH configuration files (sshd_config) showing enabled encryption algorithms and disabled weak protocols
- Web server configuration files demonstrating TLS 1.2+ enforcement and HSTS headers
- VPN gateway logs confirming AES-256 or equivalent encryption for all tunnels
- Network device configurations showing disabled Telnet/HTTP with SSH/HTTPS enabled
- Firewall rules blocking unencrypted administrative ports (23, 80 for admin interfaces)
- Vulnerability scan reports confirming no weak cipher suites in administrative access points
- Access logs from administrative interfaces showing only encrypted protocol usage
- Certificate inventory documenting valid TLS certificates for all administrative endpoints
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and monitors all administrative access points across your infrastructure, flags unencrypted protocols, and provides pre-built evidence collection for PCI DSS 2.2.7 audits—eliminating manual protocol audits.
See how GRCWatch handles this control automatically
Start free trial