If you’re in an industry that collects and processes payment card data and information, you’re no stranger to PCI DSS compliance, the standards in place to protect cardholder information. It makes sense, therefore, that if technology is always changing, so too must the rules and regulations surrounding PCI compliant hosting.
Most recently, the PCI Security Standards Council released version 3.2 of its Data Security Standard, which went into effect on April 28, 2016. In doing so, the council stirred up a lot of interest in one new regulation: Requirement 8.3. This addition addresses “multi-factor authentication.”
According to PCI Chief Technology Officer Troy Leach, one of the biggest changes in PCI DSS 3.2 is the new multi-factor authentication regulation. There is now an additional requirement that mandates organizations must “incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.”
The requirement aims to ensure that online vendors are implementing proper controls and security measures to protect customer data, including monitoring and tracking activities by authorized users within the network. Unfortunately, many merchants still have questions surrounding what two-factor authentication entails, when to implement it and what impact it will have on their business.
What is Two-Factor Authentication?
In single-factor authentication, which is the standard entry of a username and password, the single factor is the password. Two-factor authentication adds a second level of security to cardholder data environment (CDE) access by requiring a second credential from a different category. The three categories of credentials are:
- Something you know, such as a password, PIN, or pattern
- Something you have, such as a credit card or phone
- Something you are, such as a fingerprint or optic biometrics
Every time you’ve had to provide your zip code (something you know) with your credit card (something you have) to make a purchase, you’ve experienced two-factor authentication.
When Do You Have to Use Two-Factor Authentication?
Requirement 8.3 applies specifically to remote access to the CDE. The only exception is point-to-point Virtual Private Networks (VPNs), because they behave like local networks. Remote access (RA) or client VPN technologies, on the other hand, do require two-factor authentication. Organizations may opt to require two-factor authentication across the board, including on local networks, even though it is not required. Two-factor authentication can help improve the security of your CDE above and beyond Requirement 8.3.
A Couple of Things to Remember…
Some organizations make the mistake of thinking that two-factor authentication means you must present two separate authentication prompts, each checking a single credential; however, two single-factor authentication steps (for example, a password followed by a PIN, both “something you know”) are not the same as two-factor authentication. Not only is this misconception ineffective, but it also undermines the PCI DSS purpose of multi-factor authentication. The goal of two-factor authentication mirrors the purpose of PCI compliance, which is to create a more secure CDE that protects your customers.
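The scope rule above (remote access paths need two factors, point-to-point VPN does not) and the "two single-factor steps" misconception can both be captured in a small access-policy check. The following is an added example, not code from the original post or from any PCI tool; the credential-type names, the access-path labels and their mapping to factor categories are constructed assumptions for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three credential categories listed in the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping of credential types to categories (assumption).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "totp_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# Access paths that reach the CDE from outside the network (assumed labels).
# Point-to-point VPN is treated like a local network, as the article notes.
REMOTE_ACCESS_PATHS = {"client_vpn", "remote_admin"}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the credentials."""
    factors = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            raise ValueError(f"unclassified credential type: {cred}")
        factors.add(CREDENTIAL_FACTOR[cred])
    return factors


def evaluate_access(access_path, credentials):
    """Decide whether the presented credentials satisfy Requirement 8.3.

    Returns (allowed, reason). Two credentials from the same category,
    e.g. password + PIN, count as a single factor and are rejected on
    remote paths; local paths are allowed without MFA.
    """
    if access_path not in REMOTE_ACCESS_PATHS:
        return True, "local or point-to-point path; MFA not mandated by 8.3"
    factors = distinct_factors(credentials)
    if len(factors) >= 2:
        return True, "remote access with %d distinct factors" % len(factors)
    return False, "remote access without two distinct factor categories (got: %s)" % (
        ", ".join(sorted(f.value for f in factors)) or "none")
```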
When it comes to selecting a PCI compliant hosting provider, make sure that they offer two-factor authentication and facilitate your business needs. Hosting providers with experience and successful track records will be able to offer peace of mind through security and compliance, allowing your organization to focus on managing the business you know.