The PCI DSS 3.2 multi-factor authentication (MFA) deadline went into effect in January 2018. If you missed the deadline, it's not too late to comply and strengthen your data security.
The Payment Card Industry Security Standards Council (PCI SSC) maintains the industry standard that businesses use to safeguard credit card payment data. The most recent version, 3.2, adds a multi-factor authentication (MFA) requirement. PCI guidance has long called for MFA for remote access to the cardholder data environment (CDE). Version 3.2 adds a new sub-requirement that extends MFA to all non-console access (that is, remote access or access originating from outside the network) into the CDE for anyone with administrative privileges, employees and third parties alike.
The PCI SSC issued supplemental guidance to answer questions and help organizations understand how best to implement MFA under the new requirement. Although companies are not bound to adhere to these best practices, doing so will help them meet standards that could be included in future PCI DSS updates.
What is Multi-factor Authentication?
MFA is designed to prevent someone from impersonating a valid user. Single-factor authentication is the familiar user name and password combination: the password provides the first, or single, factor. Multi-factor authentication adds a second (or additional) factor or step to user access. PCI DSS Requirement 8.2 describes three authentication types, and MFA requires at least two of the three.
- (Knowledge) Something you know, such as a password or passphrase. This category also includes PINs and answers to secret questions.
- (Possession) Something you have, such as a token device or smart card. These are physical items such as a one-time password generator, key fob, or smartphone.
- (Inherence) Something you are, such as a biometric. Biometrics include fingerprint scans, retina scans, facial recognition, and other characteristics unique to individuals.
MFA Best Practices:
- Independent authentication mechanisms: The factors used for authentication should be independent of each other, meaning that compromising one piece of information should not grant access to both factors. For instance, if an email account uses the same login information (username and password) as one authentication factor, a one-time security code sent to that email account would not be an independent second factor. Likewise, a security certificate stored on a computer and protected only by the credentials used to log on to that computer would not be an independent authentication factor.
- Protect authentication factors: Each authentication method should be protected from unauthorized access and use.
  - Passwords should be difficult to guess or to recover by brute-force methods, and they should be shielded from disclosure to unauthorized parties.
  - Physical items should be protected from use by unauthorized parties and should not be duplicable.
  - Biometrics should be something that cannot be copied, and other users of a shared device should not have access to an individual's biometric data.
- Create MFA policies and procedures, with documentation that details acceptable use of the technology.
- Validate all factors first: Before granting a user access to the CDE, all authentication factors should be validated without revealing the success or failure of any individual factor. This prevents an unauthorized user from confirming that they have discovered a valid credential for any single step of the authentication process. Consider using penetration testing to validate the effectiveness of your strategy.
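The "validate all factors first" practice is easy to state and easy to get wrong in code: a login routine that returns as soon as the password check fails leaks, through its response or its timing, that the password was the wrong factor. The following is an added illustration, not code from the original post or from OnRamp. It assumes a constructed user store (the user `alice`, a demo password and a demo TOTP secret are all made up here), uses PBKDF2 for the knowledge factor and an RFC 6238 TOTP code standing in for the possession factor, and always evaluates both factors before returning a single combined verdict.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo data: one user record plus a dummy record that unknown
# user names are checked against, so every request does the same work.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (the knowledge factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def totp_code(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (stands in for the possession factor)."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


DEMO_PASSWORD = "correct horse battery staple"  # constructed, demo only
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password(DEMO_PASSWORD, _SALT),
        "totp_secret": b"constructed-demo-totp-secret",
    },
}
# Dummy record: unknown users are verified against it so the response time
# and result shape do not reveal whether the user name exists.
_DUMMY_USER = {
    "salt": _SALT,
    "pw_hash": hash_password("dummy", _SALT),
    "totp_secret": b"dummy-secret",
}

AUDIT_LOG = []  # only the combined outcome is recorded, never a per-factor result


def authenticate(username: str, password: str, otp_code: str,
                 now: Optional[int] = None) -> bool:
    """Check both factors and return one combined verdict.

    Both factors are always evaluated (no short-circuit), compared in
    constant time, and only the combined result is returned or logged, so a
    caller cannot learn which factor was wrong.
    """
    now = int(time.time()) if now is None else now
    record = USERS.get(username, _DUMMY_USER)

    # Knowledge factor.
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                record["pw_hash"])

    # Possession factor: accept the current 30-second step and one step on
    # either side to tolerate clock drift between the server and the token.
    supplied = otp_code if otp_code.isascii() else ""
    otp_ok = False
    for drift in (-1, 0, 1):
        expected = totp_code(record["totp_secret"], now + drift * 30)
        otp_ok |= hmac.compare_digest(expected, supplied)

    # Bitwise & keeps every term evaluated; the verdict is a single boolean.
    granted = (username in USERS) & pw_ok & otp_ok
    AUDIT_LOG.append(f"auth {'ok' if granted else 'failed'} user={username}")
    return bool(granted)


if __name__ == "__main__":
    t = int(time.time())
    code = totp_code(USERS["alice"]["totp_secret"], t)
    print("correct password + correct code:", authenticate("alice", DEMO_PASSWORD, code, now=t))
    print("wrong password + correct code:  ", authenticate("alice", "nope", code, now=t))
    print(AUDIT_LOG)
```

Two details carry the best practice. The factors are combined with a bitwise `&` rather than a short-circuiting `and`, so the TOTP check runs even when the password is wrong, and comparisons use `hmac.compare_digest`, so a wrong password and a wrong code take the same path. A production deployment would additionally record the last accepted TOTP step per user so a code cannot be replayed inside the drift window, and would rate-limit attempts, neither of which this illustration includes.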
Here are some examples that illustrate how multi-factor authentication is used day to day:
- Application sign-on. Companies like Aetna and Airbnb turned on MFA as a precaution after the Deloitte data breach in September 2017.
- Company and IT operations. Administrative access to your servers, firewalls, and routers should all require MFA.
- Remote access to sensitive data in your network. When your team needs access to information while out of the office, MFA provides added protection.
PCI Compliant Hosting
One way to make it easier for your team to comply with the PCI MFA requirements, and to future-proof your systems against standards that will likely be required later, is to use PCI compliant hosting. PCI compliant hosting providers use technology and processes such as multi-factor authentication to keep pace with PCI DSS requirements as they evolve. OnRamp, for instance, is PCI certified and understands the compliance and data security requirements of organizations in financial services. Our experts would be glad to help you understand the requirements and guidelines. Give us a call or contact us today.