What You Need to Know About Two-Factor Authentication
When it comes to the handling of payment card data, security and PCI DSS compliance are paramount. Whether you are an industry entity that directly handles cardholder data or a third party maintaining an IT environment, you are being trusted with customers’ personal financial data. Part of that protection, and of compliance with the PCI DSS, is the use of two-factor authentication for remote access to IT environments that store such sensitive information.
TWO-FACTOR AUTHENTICATION IN THE PCI DSS: THREE CHOICES, TWO METHODS
The necessity for two-factor authentication is identified in requirements 8.2 and 8.3 of the PCI DSS.
This enhanced authentication method goes beyond assigning a unique ID to each non-consumer user and administrator. In addition to that ID, PCI entities must require users to present two different kinds of authentication factor. When implementing two-factor authentication, an entity must choose two of these three options:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
This extra level of authentication is required for remote network access originating from outside the network, whether by the entity's own personnel or by any third party.
WHAT IS NOT CONSIDERED TWO-FACTOR AUTHENTICATION?
Keep in mind that using the same type of factor twice is insufficient and does not meet the requirement. For example, requiring two separate passwords (two instances of "something you know") would not qualify for compliance.
WHY IS IT IMPORTANT?
Two distinct authentication factors serve a twofold purpose. First, they help entities achieve compliance: without employing two of these three methods, entities may face serious consequences, including fines and penalties. Second, and perhaps more importantly, they add another barrier against malicious attacks on the cardholder data environment (CDE).
HOW TO ACHIEVE TWO-FACTOR AUTHENTICATION
The official PCI SSC glossary defines a token as a value that works with an authentication server or virtual private network. Two-factor authentication is achieved through the use of either a hardware token or a software token. For example, OnRamp leverages RSA SecurID software token technology, an industry leader in the protection of CHD, for two-factor authentication.
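The following is an added example, not code from the original article or from OnRamp or RSA, showing the two mechanics the sections above describe: how a software token produces a one-time code that an authentication server can verify, and why two credentials of the same type do not count as two factors. The article does not describe the SecurID algorithm, so the open TOTP standard (RFC 6238, built on HOTP, RFC 4226) is used here as a stand-in for any time-based token. The factor-category labels, the user record, the password, the salt and the token seed are all constructed for illustration (the seed is the RFC 6238 test-vector seed, not a real secret).

```python
"""Added example: a software token (TOTP) plus a distinct-factor check.

Not the article's or any vendor's code. TOTP stands in for whichever
time-based token product an entity actually deploys. All secrets,
labels and records below are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time

# --- Factor categories: know / have / are ----------------------------------
# Constructed labels mapping a credential kind to its PCI factor category.
FACTOR_CATEGORY = {
    "password": "know",
    "passphrase": "know",
    "hardware_token": "have",
    "software_token": "have",
    "smart_card": "have",
    "fingerprint": "are",
}


def distinct_factor_count(credential_kinds):
    """Count how many *different* factor categories the credentials cover.

    Two passwords both map to "know", so together they count as one factor.
    """
    return len({FACTOR_CATEGORY[k] for k in credential_kinds})


def is_two_factor(credential_kinds):
    """True only when at least two distinct factor categories are presented."""
    return distinct_factor_count(credential_kinds) >= 2


# --- Software token: HOTP (RFC 4226) and TOTP (RFC 6238) -------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the current period plus `skew` periods either
    side to tolerate clock drift, and compare in constant time."""
    for delta in range(-skew, skew + 1):
        expected = totp(secret, at_time + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# --- A remote-access login check combining both factors --------------------
# Constructed user record: salted password hash plus the token seed.
_SALT = b"constructed-salt"
USER_DB = {
    "ops-admin": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test-vector seed, not a real secret
    }
}


def authenticate(username, password, otp_code, at_time):
    """True only when the knowledge factor AND the possession factor both verify."""
    user = USER_DB.get(username)
    if user is None:
        return False
    # "Something you know": the password, compared as a salted hash.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    know_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # "Something you have": the code currently shown by the software token.
    have_ok = verify_totp(user["totp_seed"], otp_code, at_time)
    # Both must pass, and the two credentials must be of different categories.
    return know_ok and have_ok and is_two_factor(["password", "software_token"])


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER_DB["ops-admin"]["totp_seed"], now)  # what the token app would display
    print("two passwords count as two factors?", is_two_factor(["password", "password"]))
    print("password + software token?", is_two_factor(["password", "software_token"]))
    print("login with correct password + current code:",
          authenticate("ops-admin", "correct horse", code, now))
```

The `skew` window in `verify_totp` is the practical caveat: a server that accepts only the exact current period will reject valid codes from a token whose clock has drifted by a few seconds, while a window that is too wide lengthens the time a captured code stays usable. One period either side is the usual compromise.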
WHAT TO LOOK FOR IN A DATA CENTER FOR TWO-FACTOR AUTHENTICATION
Partnering with a PCI-compliant hosting provider that can offer a custom compliance solution is a critical step in adhering to PCI requirements. An ideal data center will be able to offer two-factor authentication as a managed security service and will have experience achieving PCI compliance. You gain economies of scale as well as greater internal efficiency. Without the expense and management overhead of PCI-compliant hosting, you are free to focus on running your business.