PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) VERSION 3.2 COMPLIANCE

Author: Job Dorsey
BOMGAR.COM

Bomgar offers secure remote support solutions that enable organizations to be compliant with PCI DSS requirements.

INTRODUCTION

This document examines how the Bomgar Remote Support Solution aligns with the requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS) version 3.2. This document should be used as a guide and not as a validation of the Bomgar solution against the PCI DSS standard. No single software product can ensure or implement “PCI compliance” for any enterprise, nor is any software product in itself “PCI compliant.” Compliance with the PCI Data Security Standard (DSS) requires a combination of business practices, personnel management, physical restrictions, and software tools. Nevertheless, specific provisions contained in the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures Version 3.2 document of the PCI Security Standards Council LLC, https://www.pcisecuritystandards.org/, reference features and configuration options offered by Bomgar. This paper provides responses to those specific PCI requirements relevant to a Bomgar on-premises implementation, based on Bomgar Enterprise Remote Support software version 16.1.2.

Note: In addition to Bomgar’s proprietary remote support application layer protocol, Bomgar can also support the use of additional protocols for Intel vPro, SSH, Telnet, and RDP. The use of these additional protocols for remote connectivity requires administrative configuration and special privilege authorization for service technicians. The responses below relate to the native Bomgar remote support protocol, not the optional additional protocols. Although the responses below reflect utilization of the Bomgar protocol, the use of these additional protocols may also be implemented in a manner that does not compromise PCI compliance; however, their use in a PCI environment and their adherence to the PCI DSS requirements would be largely subject to the implementation practices of the entity organization. For example, if an entity organization elected to use the RDP protocol for connectivity in lieu of the native Bomgar application protocol, securing the RDP portion of the network path becomes the sole responsibility of the entity organization. For environments subject to the PCI DSS, Bomgar’s recommended best practice is to use only the Bomgar application protocol.

BOMGAR AND PCI DSS VERSION 3.2 COMPLIANCE

Bomgar is the leader in enterprise remote support solutions for easily and securely supporting computing systems and mobile devices. The company’s products help organizations improve tech support efficiency and performance by enabling them to securely support nearly any device or system, anywhere in the world — including Windows, Mac, Linux, iOS, Android, BlackBerry and more. Bomgar’s solutions are not directly subject to the PCI DSS requirements. If Bomgar is used by an organization that is subject to the PCI DSS, it is up to a PCI Qualified Security Assessor (QSA) and the organization to determine the scope for their compliance assessment. The table on the following page highlights a subset of applicable PCI DSS requirements and how they are addressed by features within Bomgar. This is not an exhaustive list, but includes the most relevant features for supporting PCI DSS compliance. For more information about Bomgar’s full set of security features, please visit www.bomgar.com/products/security.

[email protected] I 866.205.3650 (U.S.) I +44 (0) 1 628.480.210 (U.K./EMEA) I BOMGAR.COM I ©2016 Bomgar, Inc. All rights reserved worldwide.

PCI DSS REQUIREMENTS

BOMGAR RESPONSE

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

The Bomgar architecture significantly enhances the ability of entity organizations to construct firewall configurations that adhere to Requirement 1. All Bomgar client connections are outbound from the client computing device to the Bomgar application appliance. Thus, remote support may be initiated by a service technician without requiring the availability of open, listening, network ports on the end device. Indeed, the PCI-subject end points may be protected by a firewall that does not allow any inbound connectivity whatsoever.

1.1.6

Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

All requests for support, Click-to-Chat interactions, and remote control sessions originate as outbound TCP/IP communications from the remote computing device to the Bomgar appliance. These inbound requests to the appliance are generally transparent to intervening firewalls and allow customers to be supported both on-network and off-network with the same measure of security. Bomgar appliance-hosted web portal pages may accept port 80 connections, or administrators may restrict portal page access to port 443 (HTTPS). In any event, the Click-to-Chat and remote support connections utilize port 443 TLS 1.2 connections using a Bomgar proprietary application layer protocol. Outbound connectivity from the appliance may optionally be permitted for DNS lookups, enterprise directory authentication, NTP time service synchronization, ITSM ticketing system integration, and a small number of other functions. Details on port utilization are documented in The Bomgar Appliance in the Network: www.bomgar.com/docs/content/documents/bomgarapplianceinnetwork.pdf

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

Even though all remote support connections are outbound from the remote computing device, the only destination these devices are capable of communicating with is the Bomgar system. The client applications are preconfigured with the DNS name unique to the entity organization’s Bomgar system, and the TLS 1.2 encryption for the communication is established using an x.509 certificate provided by the entity organization and preconfigured in the client application. Thus, the only system capable of receiving these outbound communications is the Bomgar application appliance, which holds the private key associated with the x.509 certificate.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

An administrative option may enable the video capture of the remote device desktop by the Bomgar application during a remote support session. If a credit card number were to appear on the screen of the remote device, then that video file is subject to this PCI DSS requirement. Video capture is optional and the DSS does not require video capture. Also, there is no requirement that the Bomgar appliance be located in the DMZ. It may be placed in a network location appropriate for access to systems that manifest cardholder data without making the appliance accessible to other networks. When the video option is enabled, that video may reside on the Bomgar appliance for a maximum of 90 days and a minimum of one day. See additional details in Requirement 3, below.
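The Requirement 1 responses above describe an outbound-only model: cardholder endpoints initiate TCP/443 to one preconfigured appliance and accept no inbound connections. The following is an added example, not Bomgar's code, of how an assessor or network team can audit connection records against that model. The CDE network range, the appliance hostname (support.example.com), the resolved address and every flow record are constructed for the example.

```python
# Added example (not Bomgar's code): audit connection records from a
# cardholder data environment (CDE) against the outbound-only model the
# responses to Requirement 1 describe. Flow records, addresses and the
# appliance hostname below are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt: initiator -> responder."""
    src: str      # initiating host
    dst: str      # responding host
    dport: int
    proto: str    # "tcp" or "udp"


# Constructed policy: CDE endpoints may initiate only TCP/443 to the
# appliance; nothing may be initiated toward them (no inbound listeners).
CDE_NETWORK = ip_network("10.20.0.0/24")
APPLIANCE_HOSTNAME = "support.example.com"            # hypothetical name
RESOLVED = {"support.example.com": {"192.0.2.10"}}   # constructed DNS answer
ALLOWED_PORTS = {443}


def audit_flows(flows, cde=CDE_NETWORK, appliance_addrs=None,
                allowed_ports=ALLOWED_PORTS):
    """Return a list of (flow, reason) for every flow that violates policy."""
    if appliance_addrs is None:
        appliance_addrs = RESOLVED[APPLIANCE_HOSTNAME]
    findings = []
    for f in flows:
        src_in_cde = ip_address(f.src) in cde
        dst_in_cde = ip_address(f.dst) in cde
        if dst_in_cde:
            # Any connection initiated toward a CDE endpoint contradicts the
            # "no inbound connectivity whatsoever" model (1.3.4 / 1.1.6).
            findings.append((f, "inbound connection to CDE endpoint"))
        elif src_in_cde:
            if f.dst not in appliance_addrs:
                findings.append((f, "outbound to a host other than the appliance (1.3.4)"))
            elif f.proto != "tcp" or f.dport not in allowed_ports:
                findings.append((f, "outbound to the appliance on an unexpected port/protocol (1.1.6)"))
        # Flows that touch no CDE address are out of scope for this check.
    return findings


# Constructed sample records.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "192.0.2.10", 443, "tcp"),      # expected support connection
    Flow("10.20.0.5", "203.0.113.7", 443, "tcp"),     # unknown external host
    Flow("10.20.0.5", "192.0.2.10", 80, "tcp"),       # wrong port toward appliance
    Flow("10.20.0.5", "192.0.2.10", 443, "udp"),      # wrong protocol
    Flow("198.51.100.9", "10.20.0.5", 3389, "tcp"),   # inbound RDP attempt
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The check resolves the appliance name out of band rather than trusting a destination address in the record, which mirrors the client behaviour described above: the endpoint only ever talks to the name it was preconfigured with. Four of the five constructed flows are reported; only the TCP/443 connection to the appliance passes.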


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

The two administrative interfaces are supplied with initial default credentials at the time of system installation. Upon first use, Bomgar forces a change of password before any administrative features can be accessed. It is not possible to implement Bomgar without changing the initial default passwords.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

See responses to 2.2.1 - 2.2.4 below.

2.2.1

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Bomgar is an appliance-based product and its only function is to provide secure remote support.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

As an appliance-based product, Bomgar has eliminated all superfluous services, protocols, and operating system daemons. Only services and protocols required by the Bomgar application are present on the Bomgar appliance.

2.2.4

Configure system security parameters to prevent misuse.

Bomgar offers a number of security parameter options that should be reviewed and assigned as appropriate for the system use case. For example, administrators may enable or disable a range of cipher suites used for communications. In controlled environments, a restricted set of high strength cipher suites may be suitable. Alternatively, for customers supporting the public with a wide range of browsers and browser versions needing to access a web portal, a wider collection of cipher suites might be enabled. The main point is to not merely accept the default configuration options. All security and communication options should be evaluated and assigned appropriately by the entity organization.

2.3

Encrypt all non-console administrative access using strong cryptography. Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

Administrative access is provided via a browser-based interface using TLS 1.2 encryption. Administrative access may be further restricted to only designated network segments. Direct access to the physical Bomgar appliance operating system console is not available.

2.6

Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.

Nothing in PCI DSS Appendix A1 is applicable to Bomgar on-premises appliance deployments.


Requirement 3: Protect stored cardholder data

3.1

Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
• Specific retention requirements for cardholder data
• Processes for secure deletion of data when no longer needed
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

There are only two ways in which the Bomgar application could store cardholder data. The first is if that data are displayed on a remote desktop during a support session while the optional video recording is enabled, and the entity organization fails to adhere to Requirement 3.3, which requires masking of the PAN. The second possibility is if such data are transmitted via a text chat interaction during the support session; this is also prohibited by the PCI DSS. The text chat transcript and the optional video recording may be retained on the Bomgar appliance for a maximum of 90 days and a minimum of one day. This retention interval is administratively defined and is enforced automatically.

3.2

Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

Although item 3.2 seems to apply to cardholder authentication, it is worth noting that service technician authentication data are not retained after authentication when service technician authentication is provided by an enterprise directory (such as Microsoft Active Directory) or via multi-factor authentication (MFA) using a RADIUS interface. Authentication via an enterprise directory or MFA is recommended. An administrative option can disallow service technicians from locally saving their Bomgar login credentials.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks…

The remote support connections use 256-bit encryption within a TLS 1.2 tunnel. An attempt to perform early TLS termination is detected by Bomgar and is not permitted. If cardholder data are visible on a remote screen during a support session, that data is communicated within the encrypted tunnel from the originating remote device all the way through to the service technician’s Bomgar Representative Console application.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

No mechanism exists for either a service technician or a remote computing device (the customer) to place a file on the Bomgar appliance during a support session. The Bomgar appliance does not make available NFS or CIFS shares. The Bomgar remote support session is a client-server application conducted via a Bomgar proprietary application layer protocol. That protocol does not make available any capability for files to be stored on the appliance or executed by the Bomgar appliance processor during a support session.


5.1.2

For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Bomgar conducts its own vulnerability scans of each software release, engages with an independent 3rd party for penetration testing, performs static analysis of certain aspects of the product, and welcomes security evaluations conducted by our customers.

Requirement 6: Develop and maintain secure systems and applications

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

In addition to feature upgrades, Bomgar releases an appropriate number of security patch and bug-fix software releases each year. In the event of a high-severity incident, a security patch will be released as quickly as possible. Registered system administrators are notified via email whenever Bomgar has prepared a software update for their Bomgar system. It is important to ensure that Bomgar always has up-to-date contact information for system administrators.

Requirement 7: Restrict access to cardholder data by business need to know

7.1

Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

7.1.3

Assign access based on individual personnel’s job classification and function.

7.2

Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

Bomgar offers highly granular control over service technician access and privileges. Care should be taken to construct Bomgar Group Policies to provision privileges appropriately. Bomgar allows for varying levels of access for remote support, administrative functions, and reporting. Any privileges not specifically granted are denied by default.

Requirement 8: Identify and authenticate access to system components

8.1

Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:

See responses to 8.1.1-8.1.8 below.

8.1.1

Assign all users a unique ID before allowing them to access system components or cardholder data.

Bomgar highly recommends that service technician authentication be performed via an enterprise directory (such as Microsoft Active Directory, OpenLDAP, etc.) or via RADIUS and multi-factor. With Bomgar’s concurrent licensing model, there is no need or incentive to ever share a Bomgar service technician credential. This licensing model preserves accountability.


8.1.2

Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

When integrated with an enterprise directory or RADIUS interface, the Bomgar system does not manage service technician credentials. All addition, deletion, and modification activities are conducted on the enterprise directory.

8.1.3

Immediately revoke access for any terminated users.

When any service technician credential is disabled in the enterprise directory or RADIUS directory, that technician immediately loses the ability to authenticate to Bomgar.

8.1.4

Remove/disable inactive user accounts at least every 90 days.

When integrated with an enterprise directory or RADIUS interface, the Bomgar system does not manage service technician credentials. Inactivity expiration is provided by the enterprise directory.

8.1.5

Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.

Bomgar provides features to facilitate the access & management of third party personnel. These third party service technician credentials may be managed via an enterprise directory, RADIUS, or via credentials locally defined within Bomgar. Vendor access may be circumscribed appropriately according to job function and can, for example, be limited to certain days & hours of permitted access. Additionally, monitoring of third party access can be implemented as real time escorted access wherein authorized entity personnel invite participation and collaborate with the third party service technician. Alternatively, third party personnel may be provisioned with direct access wherein the monitoring by authorized entity personnel may occur after the fact through the reporting and video recording of the third party access. The video of the third party access session can be reviewed at up to sixteen times normal speed. This enhances the efficiency of the monitoring activity by entity organization personnel.

8.1.6

Limit repeated access attempts by locking out the user ID after not more than six attempts.

Bomgar provides an administrative option to lock out a credential after any specified number of failed logon attempts for locally defined accounts.

8.1.7

Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

Once a service technician local credential has been locked out due to exceeding the failed logon attempt threshold, the account is locked until reset by an authorized administrator.

8.1.8

If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

Bomgar offers an idle session timeout administrative setting that can range from 5 minutes to a maximum of 24 hours. When the idle limit is reached, the remote support session is dropped.
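Items 8.1.6 through 8.1.8 above are the places where the product's configurable range is wider than what the PCI DSS permits (for example, an idle timeout of up to 24 hours against the 15 minutes of 8.1.8), so the administrator's chosen values need checking, not just the product's capability. The following added example, not Bomgar's code, compares a set of access settings with the thresholds quoted in those items. The setting names (lockout_after_failed_attempts, lockout_duration_minutes, idle_timeout_minutes) and both sample configurations are constructed and are not Bomgar configuration keys.

```python
# Added example (not Bomgar's code): compare remote-support access settings
# with the PCI DSS thresholds quoted in 8.1.6, 8.1.7 and 8.1.8. The setting
# names and the two sample configurations are constructed for this example
# and are not Bomgar configuration keys.

PCI_MAX_FAILED_ATTEMPTS = 6     # 8.1.6: lock out after not more than six attempts
PCI_MIN_LOCKOUT_MINUTES = 30    # 8.1.7: at least 30 minutes, or until an admin unlocks
PCI_MAX_IDLE_MINUTES = 15       # 8.1.8: re-authenticate after 15 idle minutes
UNTIL_ADMIN_RESET = "until_admin_reset"


def check_access_settings(settings):
    """Return a list of (setting, problem) tuples; an empty list is compliant."""
    findings = []

    attempts = settings.get("lockout_after_failed_attempts")
    if attempts is None:
        findings.append(("lockout_after_failed_attempts", "lockout disabled (8.1.6)"))
    elif attempts > PCI_MAX_FAILED_ATTEMPTS:
        findings.append(("lockout_after_failed_attempts",
                         f"{attempts} exceeds {PCI_MAX_FAILED_ATTEMPTS} (8.1.6)"))

    lockout = settings.get("lockout_duration_minutes")
    # An account held until an administrator resets it satisfies 8.1.7;
    # a timed unlock must last at least 30 minutes.
    if lockout != UNTIL_ADMIN_RESET and (
            not isinstance(lockout, int) or lockout < PCI_MIN_LOCKOUT_MINUTES):
        findings.append(("lockout_duration_minutes",
                         f"{lockout!r} is shorter than {PCI_MIN_LOCKOUT_MINUTES} minutes (8.1.7)"))

    idle = settings.get("idle_timeout_minutes")
    # The product range quoted on the page (5 minutes to 24 hours) is wider
    # than PCI allows, so the administrator must choose 15 minutes or less.
    if idle is None or idle > PCI_MAX_IDLE_MINUTES:
        findings.append(("idle_timeout_minutes",
                         f"{idle!r} exceeds {PCI_MAX_IDLE_MINUTES} minutes (8.1.8)"))
    return findings


# Constructed: a configuration left at the loose end of the product's range ...
WEAK_SETTINGS = {
    "lockout_after_failed_attempts": 10,
    "lockout_duration_minutes": 5,
    "idle_timeout_minutes": 24 * 60,
}
# ... and one tightened to the PCI thresholds.
HARDENED_SETTINGS = {
    "lockout_after_failed_attempts": 5,
    "lockout_duration_minutes": UNTIL_ADMIN_RESET,
    "idle_timeout_minutes": 15,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, check_access_settings(cfg) or "compliant")
```

The lockout check treats "locked until an administrator resets it" as satisfying 8.1.7, which is the behaviour the 8.1.7 response above describes for local accounts; a timed unlock is accepted only at 30 minutes or more.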


8.2

In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase.
• Something you have, such as a token, device or smart card.
• Something you are, such as a biometric.

The authentication of administrators and non-consumer users requires no less than an ID and a password or passphrase. Such authentication is typically performed by the entity organization enterprise directory. In addition, Bomgar offers multi-factor authentication (MFA) via a RADIUS interface and Bomgar Verify.

8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/ phrases) unreadable during transmission and storage on all system components.

When authenticating, service technician credentials travel via TLS 1.2 encryption from the technician workstation or computing device to the Bomgar appliance. When integrated with an enterprise directory, those credentials are then conveyed to an appropriate controller (such as a Microsoft Active Directory Domain Controller or Global Catalog server) via encryption provided by the controller. In a Microsoft Active Directory installation it is strongly recommended that the encrypted port (typically port 636) interface be used for the LDAPS read-only authentication queries.

8.2.3

Passwords/phrases must meet the following:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.

When integrated with an enterprise directory or RADIUS interface, the Bomgar system does not manage service technician credentials or policies. These policy requirements are determined by the enterprise directory configuration.

8.2.4

Change user passwords/passphrases at least every 90 days.

8.2.5

Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

8.2.6

Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

8.3

Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

Bomgar supports concurrent integration with multiple directories. Therefore, multi-factor authentication (MFA) may be mandated for certain classes of service technicians (such as third party vendors or remote workers) and system administrators. Bomgar suggests that MFA be employed for all service technician authentications both local and remote.


8.3.1

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

Bomgar provides MFA via a RADIUS interface. This accommodates support of a wide range of MFA products, nearly all of which offer RADIUS server interfaces.

*Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

8.3.2

Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.

Bomgar provides MFA via a RADIUS interface. This accommodates support of a wide range of MFA products, nearly all of which offer RADIUS server interfaces.

8.5

Do not use group, shared, or generic IDs, passwords, or other authentication methods…

With Bomgar’s concurrent licensing model for service technicians, there is no need or incentive to ever share a Bomgar service technician credential.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.1

Implement audit trails to link all access to system components to each individual user.

Bomgar provides a support session report for every Click-to-Chat or remote control session as well as a syslog record for administrative changes to the Bomgar system itself.

10.2

Implement automated audit trails for all system components to reconstruct the following events:

All administrative activities stipulated in item 10.2 are logged via outbound syslog records from the Bomgar appliance. The details of the messages and formats may be found in Syslog Message Guide, Remote Support 16.1: https://www.bomgar.com/docs/remote-support/how-to/integrations/syslog/index.htm

10.2.1

All individual user accesses to cardholder data.

10.2.2

All actions taken by any individual with root or administrative privileges.

10.2.3

Access to all audit trails.

10.2.4

Invalid logical access attempts.

10.2.5

Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.


10.2.6

Initialization, stopping, or pausing of the audit logs.

If an authorized administrator disables the syslog logging, a record of that action is logged prior to being disabled. Additionally, changing the destination address of the Syslog Server will send an alert email to the Admin Contact email address as set on the Email Configuration page within the Bomgar administrative interface. Alteration of the email address contact itself will log a record. The session reports are separate from the administrative syslog records. Logging of support sessions may not be stopped or paused.
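Because the appliance does not retain the administrative syslog records itself (see 10.5 and 10.7 below), the events that matter for 10.2.4 through 10.2.6 have to be picked up on the receiving log server. The following added example, not Bomgar's code, parses records on a central collector, checks that each carries the 10.3 fields, and raises alerts for a change to audit logging, a change to accounts or privileges, and a run of failed logins. The message format (an RFC 5424-style header followed by key=value pairs), the event names and every sample line are constructed for this example; the real format is in the Syslog Message Guide linked above.

```python
# Added example (not Bomgar's code): parse appliance-style syslog records on
# a central collector and raise the alerts a monitoring team wants for
# 10.2.4 - 10.2.6, with the field checks of 10.3. The message format, event
# names and sample lines are constructed for this example.
import re
from collections import Counter

# Hypothetical format: RFC 5424-style header, then key=value pairs.
HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) - - (?P<body>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# 10.3: user (10.3.1), event type (10.3.2), timestamp (10.3.3, from the
# header), result (10.3.4) and origin (10.3.5) must all be present.
REQUIRED_FIELDS = ("user", "event", "result", "src")
LOGGING_CHANGE_EVENTS = {"syslog.disabled", "syslog.destination_changed",
                         "admin_contact.changed"}                 # 10.2.6
IDENTITY_CHANGE_EVENTS = {"account.created", "account.deleted",
                          "privilege.elevated"}                   # 10.2.5


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the format."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"]}
    for key, value in KV.findall(m["body"]):
        rec[key] = value.strip('"')
    return rec


def analyze(lines, failed_login_threshold=6):
    """Return a list of (alert_kind, detail) tuples in log order."""
    alerts = []
    failures = Counter()   # consecutive failed logins per user
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparseable", line))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            alerts.append(("incomplete-record",
                           f"{rec['ts']} lacks {', '.join(missing)} (10.3)"))
            continue
        user, event, result, src = (rec[f] for f in REQUIRED_FIELDS)
        if event in LOGGING_CHANGE_EVENTS:
            alerts.append(("audit-logging-change",
                           f"{rec['ts']} {user} {event} from {src} (10.2.6)"))
        elif event in IDENTITY_CHANGE_EVENTS:
            alerts.append(("identity-change",
                           f"{rec['ts']} {user} {event} target={rec.get('target', '?')} (10.2.5)"))
        elif event == "login":
            if result == "failure":
                failures[user] += 1
                if failures[user] == failed_login_threshold:
                    alerts.append(("repeated-failed-logins",
                                   f"{user} reached {failed_login_threshold} failures from {src} (10.2.4)"))
            else:
                failures[user] = 0   # a successful login ends the run
    return alerts


# Constructed sample records (not real appliance output).
SAMPLE_LINES = (
    ["<134>1 2016-09-14T10:00:01Z appliance01 bomgar - - user=admin event=login result=success src=10.0.0.5"]
    + [f"<134>1 2016-09-14T10:0{i}:00Z appliance01 bomgar - - user=vendor1 event=login result=failure src=198.51.100.9"
       for i in range(1, 7)]
    + ["<134>1 2016-09-14T10:10:00Z appliance01 bomgar - - user=admin event=syslog.destination_changed result=success src=10.0.0.5 new_dest=203.0.113.20",
       "<134>1 2016-09-14T10:11:00Z appliance01 bomgar - - user=admin event=account.created result=success src=10.0.0.5 target=tech42",
       "<134>1 2016-09-14T10:12:00Z appliance01 bomgar - - user=admin event=login src=10.0.0.5"]   # no result field
)

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LINES):
        print(f"[{kind}] {detail}")
```

Run over the constructed lines it produces four alerts: one for the sixth failed login by vendor1, one for the syslog destination change, one for the account creation, and one for the record missing its success/failure indication. The destination-change alert is the collector-side counterpart of the email alert the response above describes.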

10.3

Record at least the following audit trail entries for all system components for each event:

The Bomgar records capture all details specified in items 10.3.1 through 10.3.5.

10.3.1

User identification.

10.3.2

Type of event.

10.3.3

Date and time.

10.3.4

Success or failure indication.

10.3.5

Origination of event.

10.3.6

Identity or name of affected data, system component, or resource.

10.4

Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

10.4.1

Critical systems have the correct and consistent time.

10.4.2

Time data is protected.

10.4.3

Time settings are received from industry-accepted time sources.

The ONLY method to establish time of day on the Bomgar appliance is via an NTP source specified through an administrative interface. This time source serves as the authority for all system event time stamps.


10.5

Secure audit trails so they cannot be altered.

10.5.1

Limit viewing of audit trails to those with a job-related need.

10.5.2

Protect audit trail files from unauthorized modifications.

10.5.3

Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

10.5.4

Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

10.5.5

Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

10.7

Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

Support session reports (i.e., remote control sessions) stored on the appliance may not be altered by anyone, even the most highly privileged administrators. Administrative actions logged via syslog are sent to the syslog server IP as specified in the Bomgar administrative interface, and these logs are not retained on the appliance. Support session reports may be retained on the appliance for a maximum of 90 days. These report files may be offloaded programmatically (for example, when integrated with an ITSM application they would be copied immediately upon session end) or through the use of a Bomgar-supplied utility to offload on an administrator-defined schedule. When offloaded either programmatically or via the utility, the reports are not deleted from the appliance until the retention period has elapsed. Once session reports are offloaded from the Bomgar appliance, it is a customer responsibility to manage these data according to the PCI DSS requirements.

Since the maximum retention for support session reports stored on the Bomgar appliance is 90 days, the session reports must be offloaded for longer-term retention. Bomgar provides a utility program to perform scheduled report transfer. The retention on the Bomgar appliance may be set at 90 days to allow easy access for authorized personnel and to permit the use of filters to quickly & easily locate specific reports of interest using a variety of filter criteria.
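The responses to 3.1 and 10.7 together leave the customer with two deadlines to reconcile: the appliance purges session reports automatically at the administratively set retention (one to 90 days), while 10.7 requires a year of audit history, so anything not offloaded before the purge is lost. The following added example, not Bomgar's code and not the Bomgar offload utility, is a daily reconciliation check that validates the retention setting, lists reports that must be offloaded before they expire, flags reports that have already expired without being offloaded, and identifies archived copies whose own retention has elapsed. The report records, dates and the one-year archive policy are constructed for the example.

```python
# Added example (not Bomgar's code): reconcile the appliance's 1-90 day
# retention window (3.1) with the one-year audit history of 10.7. Report
# records, dates and the archive policy are constructed for this example;
# the offload itself would be done by the ITSM integration or the
# Bomgar-supplied utility described on the page.
from datetime import date

MIN_APPLIANCE_RETENTION_DAYS = 1
MAX_APPLIANCE_RETENTION_DAYS = 90
ARCHIVE_RETENTION_DAYS = 365      # assumption: archive kept for the 10.7 minimum


def retention_is_valid(days):
    """The appliance only accepts a retention between one and 90 days."""
    return (isinstance(days, int)
            and MIN_APPLIANCE_RETENTION_DAYS <= days <= MAX_APPLIANCE_RETENTION_DAYS)


def plan_offload(reports, retention_days, today, warn_days=7):
    """Classify reports that have not yet been offloaded.

    reports: dicts with 'id', 'ended' (date the session ended) and 'offloaded' (bool).
    Returns (offload_now, gaps):
      offload_now - still on the appliance but within warn_days of automatic purge
      gaps        - past retention and never offloaded; the appliance has already
                    purged them, leaving a hole in the 10.7 audit history
    """
    if not retention_is_valid(retention_days):
        raise ValueError(f"retention must be {MIN_APPLIANCE_RETENTION_DAYS}-"
                         f"{MAX_APPLIANCE_RETENTION_DAYS} days, got {retention_days!r}")
    offload_now, gaps = [], []
    for r in reports:
        if r["offloaded"]:
            continue                      # safe: a copy exists off the appliance
        age = (today - r["ended"]).days
        if age >= retention_days:
            gaps.append(r["id"])
        elif age >= retention_days - warn_days:
            offload_now.append(r["id"])
    return offload_now, gaps


def archive_disposal(archive, today, archive_days=ARCHIVE_RETENTION_DAYS):
    """3.1: list archived reports whose defined retention has elapsed."""
    return [a["id"] for a in archive if (today - a["ended"]).days > archive_days]


# Constructed sample data for a run on 14 September 2016 with 90-day retention.
SAMPLE_TODAY = date(2016, 9, 14)
SAMPLE_REPORTS = [
    {"id": "s1", "ended": date(2016, 9, 10), "offloaded": False},  # 4 days old: nothing to do yet
    {"id": "s2", "ended": date(2016, 6, 20), "offloaded": False},  # 86 days old: purge in 4 days
    {"id": "s3", "ended": date(2016, 6, 1),  "offloaded": False},  # 105 days old: already purged
    {"id": "s4", "ended": date(2016, 6, 1),  "offloaded": True},   # 105 days old but archived
]
SAMPLE_ARCHIVE = [
    {"id": "a1", "ended": date(2015, 6, 1)},   # older than one year
    {"id": "a2", "ended": date(2016, 1, 5)},   # within one year
]

if __name__ == "__main__":
    due, gaps = plan_offload(SAMPLE_REPORTS, 90, SAMPLE_TODAY)
    print("offload now:", due)
    print("audit history gaps:", gaps)
    print("archive copies past retention:", archive_disposal(SAMPLE_ARCHIVE, SAMPLE_TODAY))
```

The warning window (warn_days) is the practical safeguard: with retention set to the 90-day maximum the page recommends, a report the scheduled utility failed to copy still shows up as "offload now" a week before the appliance discards it, and a report that slipped through is reported as a gap rather than silently vanishing from the year-long history.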

Requirement 11: Regularly test security systems and processes

11.2.1

Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

11.2.2

Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

Bomgar welcomes customers to perform independent vulnerability scans. Detected anomalies should be immediately reported to Bomgar Support. Occasionally, scanning products will produce a false positive usually based on the assumed availability of a service or interface that is not actually present or enabled on the Bomgar appliance (see item 2.2.2, above). Bomgar Support will be able to advise if a reported vulnerability is a false positive.


11.2.3

Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.

11.3

Implement a methodology for penetration testing.

11.3.1

Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.2

Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

See 11.2.1 and 11.2.2.

Requirement 12: Maintain a policy that addresses information security for all personnel.

12.3.8

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

Bomgar offers an idle session timeout administrative setting that can range from 5 minutes to a maximum of 24 hours.

12.3.9

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

Vendor credentials may be defined in an enterprise directory (which may provide the ability to enable/disable on demand) or defined locally within Bomgar (which also provides the ability for authorized administrators to enable/disable upon demand). Additionally, Bomgar provides the ability for authorized service technicians to extend an ad hoc External Rep Invite to provide temporary supervised collaboration in a support session.

12.3.10

For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

All file transfer capabilities by service technicians are discrete privileges governed by Bomgar Group Policies. If file transfer is permitted, service technicians may be limited to only specific directories or folder locations for uploads and downloads. Also, the ability for a service technician to take a screen shot of the remote computing device through the Bomgar Representative Console application is determined by an administrative policy option. Similarly, clipboard synchronization is governed by an administrative option that can be restricted.
