non-console access, 2.3
lyalc
04-02-2007, 01:53 PM
2.3 requires non-console access to use encrypted network traffic. This seems to exclude telnet, FTP, 'r*' protocols etc.
Yet, looking at the PCI glossary document, the definition of a console is:
"Screen and keyboard which permits access and control of the server or mainframe computer in a networked environment."
In combination, the implied goal is that only web browser access needs to be encrypted, not telnet, FTP etc.
Any clarifying viewpoints?
Cheers,
Lyal
npuetz
04-03-2007, 05:41 AM
If you look at 2.3, they broadly talk about different remote access methods; SSH, VPN, SSL/TLS. I think the primary thing to concentrate on here is the first sentence of the requirement... "Encrypt all non-console ADMINISTRATIVE access".
I agree that PCI's definition of console is a bit confusing. I have always thought of console access as meaning you are working off of a keyboard that is directly connected to the server, mainframe, etc. Some will even argue that if you are working on a keyboard but you do not authenticate directly to the server (i.e., AD, LDAP, etc.), you are technically not working from the console.
You could use this as a litmus test. Are passwords and issued commands belonging to administrative accounts traversing the network (between the user and the server) in plain text? If yes, then it should be encrypted.
lyalc
04-03-2007, 07:56 PM
Thanks - that's about what I figured.
The terminology is still interpretative, even with the help of the glossary.
It's like some QSAs saying connected entities only exist if the connection is made to them, not if they connect and request a download of PAN data. The connection flow is confused with the data flow.
dhowland
10-23-2007, 07:24 AM
However, PCI requirement 8.4 states "Encrypt all passwords during transmission and storage on all system components". This surely implies that you can't use telnet if you need to log in to a server, as your password will be sent in plain text.
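The "litmus test" npuetz proposes (do administrative passwords and commands cross the network in plain text?) and dhowland's point that a telnet login sends the password in the clear can both be checked directly against a packet capture. The script below is an added example and is not part of the thread; it reassembles a constructed trace (the addresses, the ephemeral ports and the telnet/FTP/SSH exchanges are all made up for the demonstration) and reports, per administrative flow, whether the channel is one of the cleartext protocols named in the thread and, for telnet and FTP, what an on-path observer recovers. Option subnegotiation (IAC SB ... SE) is assumed absent from the trace.

```python
"""Apply the PCI 2.3 / 8.4 'litmus test' to a constructed packet trace.

Added example, not code from the forum thread. Hosts, ports and payloads
below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Ports the thread names as cleartext admin channels, and their encrypted counterparts.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}
ENCRYPTED_ADMIN = {22: "ssh", 443: "https"}
KNOWN_PORTS = {**CLEARTEXT_ADMIN, **ENCRYPTED_ADMIN}


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation (IAC sequences) so only user data remains.
    Assumption: no subnegotiation (IAC SB ... IAC SE) appears in the trace."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            cmd = data[i + 1]
            # WILL/WONT/DO/DONT carry an option byte; other commands are two bytes.
            i += 3 if cmd in (0xFB, 0xFC, 0xFD, 0xFE) else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def recover_telnet_login(segments, server_port=23):
    """Reassemble a telnet login and return (username, password) as seen on the wire.
    Keystrokes after a 'login:' prompt fill the username, after 'Password:' the password."""
    username, password = bytearray(), bytearray()
    prompt, target = b"", None
    for seg in segments:
        data = strip_telnet_iac(seg.payload)
        if seg.sport == server_port:                       # server -> client text
            prompt += data
            tail = prompt.lower().rstrip()
            if tail.endswith(b"login:"):
                target = username
            elif tail.endswith(b"password:"):
                target = password
        elif seg.dport == server_port and target is not None:   # client keystrokes
            for ch in data:
                if ch in (0x0D, 0x0A):                     # CR/LF terminates the field
                    target = None
                    break
                target.append(ch)
    return username.decode(), password.decode()


def recover_ftp_login(segments, server_port=21):
    """FTP sends USER and PASS as plain command lines; pull them from the client side."""
    user = pw = None
    for seg in segments:
        if seg.dport != server_port:
            continue
        for line in seg.payload.split(b"\r\n"):
            if line.upper().startswith(b"USER "):
                user = line[5:].decode()
            elif line.upper().startswith(b"PASS "):
                pw = line[5:].decode()
    return user, pw


def audit_flows(segments):
    """Group segments by (server, service port), classify the channel and recover
    whatever credentials a passive observer would see on the cleartext ones."""
    flows = {}
    for seg in segments:
        port = seg.dport if seg.dport in KNOWN_PORTS else seg.sport
        server = seg.dst if seg.dport == port else seg.src
        flows.setdefault((server, port), []).append(seg)
    report = {}
    for (server, port), segs in flows.items():
        if port in CLEARTEXT_ADMIN:
            finding = {"service": CLEARTEXT_ADMIN[port], "encrypted": False}
            if port == 23:
                finding["credentials"] = recover_telnet_login(segs)
            elif port == 21:
                finding["credentials"] = recover_ftp_login(segs)
        elif port in ENCRYPTED_ADMIN:
            finding = {"service": ENCRYPTED_ADMIN[port], "encrypted": True}
        else:
            finding = {"service": f"tcp/{port}", "encrypted": None}
        report[(server, port)] = finding
    return report


# Constructed trace: one client talking to one server over telnet, FTP and SSH.
SERVER, CLIENT = "10.0.0.5", "10.0.0.9"


def c2s(port, payload, sport=40001):
    return Segment(CLIENT, sport, SERVER, port, payload)


def s2c(port, payload, dport=40001):
    return Segment(SERVER, port, CLIENT, dport, payload)


SAMPLE_TRACE = [
    # telnet: DO/WILL negotiation, then the user types "root" and "Hunter2!" (echo only for the login name)
    c2s(23, b"\xff\xfd\x01\xff\xfd\x03"),
    s2c(23, b"\xff\xfb\x01\xff\xfb\x03login: "),
    *[c2s(23, ch) for ch in (b"r", b"o", b"o", b"t", b"\r\n")],
    s2c(23, b"root\r\nPassword: "),
    *[c2s(23, ch) for ch in (b"H", b"u", b"n", b"t", b"e", b"r", b"2", b"!", b"\r\n")],
    s2c(23, b"\r\nLast login: Mon Apr  2 13:53:00 2007\r\n# "),
    # ftp: USER/PASS are plain command lines
    s2c(21, b"220 ftpd ready\r\n", dport=40002),
    c2s(21, b"USER admin\r\n", sport=40002),
    s2c(21, b"331 Password required\r\n", dport=40002),
    c2s(21, b"PASS letmein\r\n", sport=40002),
    # ssh: after the version banners everything on the wire is ciphertext
    s2c(22, b"SSH-2.0-OpenSSH_4.5\r\n", dport=40003),
    c2s(22, b"SSH-2.0-OpenSSH_4.5\r\n", sport=40003),
    c2s(22, bytes.fromhex("9f3a0c7e5b1d2a44f0e6c3b8"), sport=40003),
]

if __name__ == "__main__":
    for (server, port), f in audit_flows(SAMPLE_TRACE).items():
        print(f"{server}:{port:<4} {f['service']:7} encrypted={f['encrypted']} "
              f"credentials={f.get('credentials')}")
```

Run against the constructed trace, the telnet and FTP flows are reported as unencrypted with the username and password recovered verbatim, while the SSH flow shows nothing readable past the version banner; that is the whole of the 2.3 and 8.4 distinction regardless of how "console" is read.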