Last updated on March 26, 2024
The Payment Card Industry Security Standards Council (PCI SSC) has recently issued version 4.0 of the PCI Data Security Standard. PCI DSS v4.0 mandates industry-recognized requirements and best practices for payment security, so that access to the computers and systems that process payment transactions is appropriately safeguarded.
With the unrelenting barrage of cyberattacks, data theft, and ransomware, preventing unauthorized access is a significant challenge for every organization. Learn about the new PCI compliance requirement on MFA. Here’s how to enable Multi-Factor Authentication (MFA) to satisfy PCI DSS.
Is PCI DSS v3.2.1 Still Operational?
PCI DSS v3.2.1 is still operational until March 31, 2024. This two-year transition period gives organizations time to adapt to the new requirements and implement changes to comply with the updated regulations in PCI DSS v4.0. While the time window feels wide, we recommend you start to transition your organization as soon as possible to effectively deploy or adapt your MFA solution.
What Is the New MFA PCI Compliance Requirement?
The PCI Data Security Standard (PCI DSS) has always required Multi-Factor Authentication for remote access to the cardholder data environment (CDE). PCI DSS v3.2 added a requirement to enable MFA on all non-console access into the CDE for personnel with administrative access. With PCI DSS v4.0, organizations must implement Multi-Factor Authentication (MFA) for all access into the CDE. This means that every user must complete MFA when accessing the CDE. Organizations must also ensure that access to the CDE is not possible using Single-Factor Authentication (SFA).
This new MFA PCI compliance requirement is a best practice until March 31, 2025, after which it becomes mandatory and must be fully considered during a PCI DSS assessment.
What is MFA?
Multi-Factor Authentication (MFA) aims to increase the level of assurance of the identity of a person accessing a resource. To do that, MFA uses a multi-layered approach to authentication that requires an individual to demonstrate at least two of three authentication factors to gain access to a resource. As per PCI DSS Requirement 8.3.1, the three authentication factors are:
- Something you know, such as a password
- Something you have, like a security key
- Something you are, such as a fingerprint
Why Do I Need MFA For All Users?
Enabling MFA strengthens your security posture and mitigates security risks. Deploying MFA for all your users gives you the following immediate benefits:
- Considerably bolsters the organization’s cyber defenses.
- Prepares the organization for new PCI requirements in the future.
- Helps the organization comply with other more stringent requirements, e.g., the European Union Directive on Payment Services (PSD2) and the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook.
Here’s more about why you need to enable MFA for all your users.
How to Satisfy MFA PCI Compliance Requirements?
We collected the most important requirements and best practices from PCI DSS v4.0 and PCI SSC’s Multi-Factor Authentication Guidance.
The following is our selection of the essential PCI DSS requirements and best practices regarding Multi-Factor Authentication. If you wish to familiarize yourself with all PCI compliance requirements, look at the entirety of PCI DSS v4.0 (and Requirement 8 in particular).
Note that not all of the following best practices are current MFA PCI compliance requirements. However, some of them will become requirements, and others may in the future. So, we recommend you ensure your Multi-Factor Authentication satisfies all of the following.
MFA PCI Compliance Requirements
- Every user must have a unique ID so that all actions can be attributed to a specific user.
- MFA is implemented for all access to the CDE so that no individual can gain access using only a single authentication factor.
- MFA is enabled for all remote network access from outside the entity’s network that could access or impact the CDE. Remote network access applications include virtual private network (VPN), remote desktop (RDP), virtual desktop infrastructure (VDI), and Secure Shell (SSH).
- If users must first connect to the network via remote access and, once inside the network, connect to the CDE, they have to authenticate using MFA twice: first when accessing the network and a second time when accessing the CDE.
- MFA must use at least two of the following three authentication factors: something you know, something you have, and something you are.
- The user can gain access only after all authentication factors have succeeded.
- MFA cannot use the same factor twice; e.g., two passwords do not count as MFA.
- Additional criteria such as geolocation and time data do not count as factors.
- MFA mechanisms must be independent, so that the compromise of one factor does not affect the integrity and confidentiality of the other factors.
- MFA must not be susceptible to replay attacks.
- Out-of-Band Authentication (OOBA) is recommended.
- SMS Authentication is permitted but discouraged.
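The factor rules above (at least two different factor categories, the same category not counted twice, geolocation and time not counted as factors, access only after every factor succeeds, and resistance to replay) are the kind of logic an access-policy engine has to encode. The following is an added example written for this article; it is not Rublon's code and does not describe the Rublon product. The method names (`password`, `totp`, `security_key`, and so on) and the `ReplayGuard` class are assumptions chosen for illustration; the TOTP routine follows RFC 6238 and the replay check refuses to accept the same time step twice for the same user.

```python
"""Added example (not Rublon's code): evaluate whether a login attempt meets the
PCI DSS v4.0 MFA criteria listed above, plus a replay-resistant TOTP check."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories named in PCI DSS Requirement 8.3.1."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical method names mapped to their factor category.
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "push": Factor.POSSESSION,
    "security_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

# Contextual signals: useful for risk decisions, but never counted as a factor.
CONTEXT_ONLY = {"geolocation", "time_of_day"}


@dataclass(frozen=True)
class ChallengeResult:
    method: str
    succeeded: bool


def evaluate_mfa(results):
    """Return (granted, reason). The reason is for audit logs only; the user
    should see a single generic failure so no individual factor is revealed."""
    for r in results:
        if r.method not in METHOD_FACTOR and r.method not in CONTEXT_ONLY:
            return False, f"unknown method {r.method}"
    factors = [r for r in results if r.method in METHOD_FACTOR]
    if len(factors) < 2:
        return False, "fewer than two authentication factors presented"
    if not all(r.succeeded for r in factors):
        return False, "at least one factor failed"
    categories = {METHOD_FACTOR[r.method] for r in factors}
    if len(categories) < 2:
        return False, "all factors come from the same category (e.g. two passwords)"
    return True, "MFA satisfied"


def totp_code(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ReplayGuard:
    """Accept each TOTP time step at most once per user, so a code captured
    in transit cannot be replayed within its validity window."""

    def __init__(self):
        self._last_step = {}

    def verify(self, user: str, secret: bytes, code: str, now=None, window=1) -> bool:
        step_now = int((time.time() if now is None else now) // 30)
        for step in range(step_now - window, step_now + window + 1):
            if hmac.compare_digest(totp_code(secret, step), code):
                if step <= self._last_step.get(user, -1):
                    return False  # already consumed: replay
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: password plus TOTP is two categories and passes.
    print(evaluate_mfa([ChallengeResult("password", True), ChallengeResult("totp", True)]))
    # Constructed sample: password plus PIN is one category and fails.
    print(evaluate_mfa([ChallengeResult("password", True), ChallengeResult("pin", True)]))
    guard = ReplayGuard()
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    code = totp_code(secret, 59 // 30)
    print(guard.verify("alice", secret, code, now=59))   # True
    print(guard.verify("alice", secret, code, now=59))   # False: replay
```

Two points worth keeping from this design: `evaluate_mfa` only grants access once every real factor has succeeded and the factors span at least two categories, while `geolocation` and `time_of_day` are tolerated as context but ignored for the count; and `ReplayGuard` records the highest time step already accepted per user, so a code that was valid a moment ago cannot be presented a second time even though it is still inside the clock-drift window.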
Looking for MFA? Try Rublon.
Rublon is a modern Multi-Factor Authentication (MFA) solution. It supports Adaptive Authentication (Access Policies), Single Sign-On (SSO), and Out-of-Band Authentication (OOBA). Our solution supports multiple authentication methods, including but not limited to Mobile Push, Mobile Passcode (TOTP), and WebAuthn/U2F Security Key.
Try Rublon for free by starting a Free 30-Day Rublon Trial.