PCI DSS 8.2.7: Secure Management of Third-Party Remote Access Accounts
Third-party remote access is a critical vulnerability vector in payment card environments. PCI DSS 8.2.7 requires organizations to implement restricted access controls and active monitoring for all vendor and contractor accounts. Failing to properly manage these accounts exposes your cardholder data environment to unauthorized access and data breaches.
What this means
This control mandates that any third-party accounts used for remote access to your systems must operate under the principle of least privilege with documented access restrictions. Organizations must maintain visibility into who has access, what they can do, and when they're accessing systems. This includes implementing strong authentication, limiting access duration, and continuously monitoring for suspicious activity or policy violations.
How to comply
- 1.Create a third-party access inventory documenting all vendors, contractors, and partners with remote access capabilities
- 2.Establish access policies defining specific permissions, access scope, and duration for each third-party account
- 3.Implement multi-factor authentication for all third-party remote access connections
- 4.Configure session timeouts and automatic disconnection after periods of inactivity
- 5.Establish monitoring and alerting for all third-party remote access activities and login attempts
- 6.Conduct quarterly reviews of active third-party accounts and revoke access for unused or terminated relationships
- 7.Require vendors to use VPN or secure tunnels for remote access to cardholder data environment systems
- 8.Document and communicate security requirements in vendor service level agreements
Evidence auditors look for
- Third-party access control policy specifying restricted permissions and monitoring requirements
- Documented inventory of third-party accounts with access levels and business justification
- Vendor service level agreements referencing PCI DSS security controls
- Evidence of multi-factor authentication enabled for third-party remote sessions
- Access logs showing third-party account activities and connection details
- Monitoring alerts for anomalous third-party remote access patterns
- Quarterly access review documentation with approval and revocation records
- VPN or secure tunnel configuration documentation for third-party connections
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates third-party access lifecycle management by tracking account inventories, enforcing approval workflows for new access, and continuously monitoring remote sessions—eliminating manual spreadsheet tracking and audit gaps.
See how GRCWatch handles this control automatically
Start free trial