Educause Security Discussion mailing list archives

PCI DSS interpretation questions


From: "CTSO (Michael A. Rodriguez)" <MA-Rodriguez2 () WIU EDU>
Date: Wed, 11 Jun 2008 12:31:41 -0500

I would appreciate interpretations on the following PCI items. 

8.3. Is two-factor authentication implemented for remote access to the network by employees, administrators, and third parties? Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

On 8.3, I read it as a requirement for multi-factor authentication and not two instances of the same factor. Some folks around here are taking the word "two-factor" to refer to the latter.

1.3.9. Include installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the internet (for example, laptops used by employees), which are used to access the organization’s network?

This one is an interpretation of scope. The part about employee-owned computers concerns me, as it would appear to imply installing stuff on personally owned computers. The bigger question is whether requirements like this can be interpreted to refer only to computers, networks, or devices known to hold cardholder data. The same argument can be made for other requirements involving endpoint security, like 6.1 on patching and 5.1 on anti-virus. I know the security answer is that they are all in scope, but what is the compliance answer?

Thanks,

-- 
Michael A. Rodriguez, CISSP
Chief Technology Security Officer
Western Illinois University
ma-rodriguez2 () wiu edu
