Help desk access to webserver across the Internet.
holyschlitz
01-13-2009, 08:50 AM
We have a need for the help desk to have access to a web server (that processes customer cardholder data) to assist customers with issues. The web server is owned and maintained by a third party and our help desk is going to take calls to help with the call volume. This help desk is going to be accessing the server across the Internet and the third party is claiming that this access is outside 8.3 since it will only be a web interface to the server and not network level access. This doesn't sound correct, but they are saying they have run it past their QSA and they are ok with it.
dbergert
01-13-2009, 10:18 AM
I believe the intent of 8.3 is related to "remote network access" - which I would define as a person (employees, administrators, and third parties) connecting "into" your network from a remote network - think modem dial-in, PC-Anywhere, VPN, VNC, rdesktop, ssh, and other remote access software, not your organization using an application from a third party; otherwise we would see 2FA required for all payment gateways and web-based applications.
jbhall56
01-14-2009, 04:31 AM
Requirement 8.3 states, "Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates." The key is "network-level access."
That said, we need to know a bit more about what you propose as the purpose of this requirement is to ensure that persons with remote access cannot gain ready access to bulk cardholder data (CHD). As long as you can show that the help desk personnel cannot gain access to bulk CHD, then IMHO you would be in compliance.
However, can the help desk personnel potentially see customers enter their credit card information when they are providing assistance? If so, you will need to ensure that your help desk personnel are aware of this fact and that they understand that they are required to comply with the PCI DSS. They should sign off on a policy that reminds them of these facts.
holyschlitz
01-14-2009, 06:27 AM
The helpdesk folks would not be able to see any cardholder data. Just orders that were placed and no payment info. My concern is that they are connecting to the webserver where customers actually place orders and submit their CCs for payment. The helpdesk would have some limited, yet escalated privileges in the sense that they can see any customer's info (excluding cardholder data) and reset passwords. I guess my question is what is considered network level access? Even though the connection is application layer SSL, it is still a remote connection by non-consumers to a system that processes cardholder data, shouldn't that connection require more security around it? Maybe I am reading too much into it.
jbhall56
01-15-2009, 09:57 AM
Network access is as DBergert describes, access to the network and, by default, all of the devices and their services on that network. As long as you can prove that these people do not have access to cardholder data (CHD), then you should be able to avoid the two-factor authentication requirement.
However, I would still recommend that you periodically remind your help desk personnel that they will come into contact with personal information of customers and that this information is never to be recorded or disseminated to anyone else. Even though this information is not CHD, it's still confidential and needs to be treated accordingly.
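The condition jbhall56 sets out (help desk sees orders and customer details but can never reach cardholder data, and never in bulk) is a property the application has to enforce, not just assert to a QSA. The following is an added example, not code from the thread or from the third party's web server: it models the help-desk role as a deny-by-default field allow-list over an in-memory order store, refuses bulk listing to that role, and logs every lookup. The store, the role names and the order records are constructed for illustration; the PAN is a well-known test number.

```python
"""Role-scoped order lookup where the help desk never receives cardholder data.

Added example (constructed data, hypothetical roles); not the forum's or any vendor's code.
"""
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("order_view")

# Constructed sample records. The PAN is a standard test number, not a real card.
ORDERS = {
    "A100": {
        "order_id": "A100",
        "customer": "Jane Doe",
        "email": "jane@example.com",
        "status": "shipped",
        "items": ["widget"],
        "pan": "4111111111111111",
        "expiry": "12/29",
    },
    "A101": {
        "order_id": "A101",
        "customer": "John Roe",
        "email": "john@example.com",
        "status": "processing",
        "items": ["gadget", "cable"],
        "pan": "4111111111111111",
        "expiry": "03/28",
    },
}

# Cardholder data elements (PAN and expiry here); these must never appear in a help-desk view.
CHD_FIELDS = frozenset({"pan", "expiry"})

# Per-role allow-list of fields. Anything not listed is dropped, so new columns added to
# the record later are hidden from the help desk until someone deliberately grants them.
ROLE_FIELDS = {
    "helpdesk": frozenset({"order_id", "customer", "email", "status", "items"}),
    "payments_admin": frozenset({"order_id", "customer", "email", "status", "items", "pan", "expiry"}),
}

# Roles that may pull many records at once. The help desk is intentionally absent.
BULK_ROLES = frozenset({"payments_admin"})


def helpdesk_view_is_chd_free(view: dict) -> bool:
    """True if the projected view contains no cardholder data field."""
    return not (CHD_FIELDS & view.keys())


def view_order(role: str, order_id: str, actor: str) -> dict:
    """Return a single order projected to the fields `role` may see, with an audit line."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    record = ORDERS.get(order_id)
    if record is None:
        raise KeyError(order_id)
    allowed = ROLE_FIELDS[role]
    view = {k: v for k, v in record.items() if k in allowed}
    # Defence in depth: even if the allow-list is misconfigured, fail closed for the help desk.
    if role == "helpdesk" and not helpdesk_view_is_chd_free(view):
        log.error("CHD leak blocked: role=%s actor=%s order=%s", role, actor, order_id)
        raise RuntimeError("help-desk view would contain cardholder data")
    log.info("order_view role=%s actor=%s order=%s fields=%s", role, actor, order_id, sorted(view))
    return view


def list_orders(role: str, actor: str) -> list:
    """Bulk listing; refused for roles that must only look up one record at a time."""
    if role not in BULK_ROLES:
        log.warning("bulk listing refused: role=%s actor=%s", role, actor)
        raise PermissionError("this role may only look up one order at a time by ID")
    return [view_order(role, oid, actor) for oid in ORDERS]


if __name__ == "__main__":
    print(view_order("helpdesk", "A100", actor="hd.alice"))
    try:
        list_orders("helpdesk", actor="hd.alice")
    except PermissionError as exc:
        print("refused:", exc)
```

The allow-list is what lets you answer the auditor's question positively: the help-desk projection is defined by what it includes, so nothing in the record reaches the help desk by accident, and the bulk refusal plus the audit line give you evidence that no one in that role could have walked off with the order table.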
holyschlitz
01-15-2009, 02:19 PM
Thanks for the input, fellas, I really appreciate it.