What You Need to Know About Two-Factor Authentication

When it comes to the handling of payment card data, security and PCI DSS compliance are paramount. Whether you are an industry entity that directly handles cardholder data or a third party maintaining an IT environment, you are being trusted with customers' personal financial data. Protecting that data is key to maintaining not only the trust of customers and clients, but the business of the payment card brands and the reputation of your company. All of these factors make compliance with the PCI DSS necessary in order to protect a cardholder data environment (CDE). Part of that protection, and of compliance with the PCI DSS, is the use of two-factor authentication when providing remote access to IT environments that store such sensitive information.

Two-Factor Authentication in the PCI DSS: Three Choices, Two Methods

The necessity for two-factor authentication is identified in requirements 8.2 and 8.3 of the PCI DSS.

Two-factor authentication goes beyond the assignment of a unique ID to each non-consumer user and administrator. In addition to that ID, PCI entities must put in place an authentication system in which users prove their identity with two different types of factor. When implementing two-factor authentication, an entity must choose two of three options:

  1. Something you know, such as a password or passphrase
  2. Something you have, such as a token device or smart card
  3. Something you are, such as a biometric

Two-factor authentication is required for remote network access that originates from outside the network, whether by the entity's own personnel or by third parties.

What is NOT Considered Two-Factor Authentication?

Keep in mind that using the same type of factor twice is an insufficient security method and does not meet the requirement. For example, using two separate passwords would not qualify for compliance, because both are "something you know".

Why is Two-Factor Authentication Important?

The practice of choosing two distinct authentication factors serves a twofold purpose: first, it helps entities achieve compliance. Without employing two of these three methods, entities may face serious consequences, including fines and penalties. Second, and perhaps more importantly, it serves as another barrier against malicious attacks on the CDE.

How to Achieve Two-Factor Authentication

The official PCI SSC glossary defines a token as a value that works with an authentication server or virtual private network. Two-factor authentication is achieved through the use of either a hardware token or a software token. For example, OnRamp leverages RSA SecurID software token technology, an industry leader in the protection of CHD, for two-factor authentication.
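To make the "something you have" factor concrete, here is an added example (not code from the original article, and not RSA SecurID's proprietary algorithm) of how a standards-based software token generates and verifies one-time codes using TOTP (RFC 6238, built on HOTP from RFC 4226). The shared secret is the RFC test-vector secret; the names `hotp`, `totp` and `verify_totp` are this example's own. Possession of the secret-bearing device is what the code proves, which is why a token code paired with a password counts as two factors while two passwords do not.

```python
"""Minimal TOTP software-token and verifier, after RFC 4226 / RFC 6238 (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the ASCII seed used in the RFC 4226/6238 test vectors.
SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode a Base32 seed as shown in typical provisioning QR codes (padding optional)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_counter=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matching time-step counter, or None.

    - `window` allows +/- N steps of clock drift between token and server.
    - A counter at or below `last_used_counter` is rejected, so a code that was
      intercepted or shoulder-surfed cannot be replayed within its validity window.
    - Comparison is constant-time to avoid leaking digit matches through timing.
    """
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    current = totp(SECRET, now)
    print("token shows:", current)
    # First use succeeds and yields the counter the server should persist...
    used = verify_totp(SECRET, current, now)
    print("verified at counter:", used)
    # ...and presenting the same code again is refused as a replay.
    print("replay accepted?", verify_totp(SECRET, current, now, last_used_counter=used) is not None)
```

The server stores only the per-user seed and the last accepted counter; the clock, not a network round trip, keeps the two sides in step, which is what lets a disconnected hardware or phone token work.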

What to Look for in a Data Center for Two-Factor Authentication

Partnering with a PCI compliant hosting provider that can offer a custom compliance solution is a critical step in adhering to PCI requirements. An ideal data center will be able to offer two-factor authentication as a managed security service and will have experience helping businesses achieve PCI compliance. This kind of solution provides the benefit of economies of scale and allows for a higher level of internal efficiency. Freed from the expense and management overhead of compliant hosting, you can focus on running your business rather than pouring resources into the minutiae of securing CHD.