05/23/2024 | Press release | Distributed by Public on 05/23/2024 20:57
Since 2004, the Payment Card Industry's Data Security Standard (PCI DSS) has been the leading standard for protecting payment card data, with the ultimate goal of preventing fraud using stolen cardholder data. The PCI DSS requires organizations that store or process cardholder data to implement a wide array of security measures in the areas of security policies, network security, vulnerability management, and user authentication, among others.
Recently the Payment Card Industry's Security Standards Council (PCI SSC) published version 4.0 of PCI DSS, with enhanced multi-factor authentication (MFA) requirements, which companies need to adhere to by March 31, 2025.
In this blog post, we will explore the MFA requirements in PCI DSS v4.0, including the changes from previous iterations, their significance, and practical tips for organizations to comply with these requirements.
1. Background on PCI DSS
In 2006, security representatives from five major payment brands (American Express, Discover, JCB International, Mastercard, and Visa) came together to create the "Payment Card Industry Security Standards Council" (PCI SSC). This governing entity is responsible for providing practical resources, managing and establishing standards that protect payment card data, and ensuring the safety of the entire payment ecosystem worldwide.
The Council designed a global data security industry standard called the Payment Card Industry Data Security Standard (PCI DSS) to ensure companies that accept, process, store or transmit credit card information maintain a secure environment and security controls around cardholder data to reduce payment card fraud.
One of the key changes in PCI DSS v4.0 focuses on the implementation of MFA to access Cardholder Data Environment (CDE). This is defined as the people, processes, and technology that store, process, or transmit cardholder or sensitive authentication data, and any system that has unrestricted access to system components that store, process, or transmit cardholder /sensitive authentication data. This could have a major impact on industry stakeholders.
2. Definition of multi-factor authentication in PCI DSS
According to PCI SSC, an individual attempting to access a resource must demonstrate their identity through a minimum of two separate forms of authentication before access can be granted. The two forms of authentication must be chosen from the three authentication factors below:
Furthermore, the PCI SSC guidelines contain the following key considerations about MFA:
3. MFA requirements in PCI DSS v3.2.1
Earlier versions of PCI DSS already contained requirements related to MFA. More specifically, in PCI DSS v3.2.1, requirement 8.3 stipulates that MFA needs to be applied in the following cases:
As such, with regard to access to the CDE, PCI DSS v3.2.1 only requires MFA for administrative access, and not for non-administrative access.
4. Enhanced MFA requirements in PCI DSS 4.0
PCI DSS v4.0 includes new evolving requirements on MFA. In particular, it requires MFA for all accounts accessing cardholder data, not just administrators. It also focuses on the secure implementation and configuration of MFA.
Let's take a look in more detail at the new requirements related to MFA:
Requirement 8.4.2 mandates MFA be implemented for all access into the CDE, not just administrative access. This requirement applies to all types of system components, such as cloud environments, hosted systems, and workstations, servers, and endpoints. The standards acknowledge that it will be challenging and time-consuming for organizations to implement, hence it will be considered a best practice until 31 March 2025.
The new standard stipulates that MFA is required for both access to the CDE and remote access to the company's network. Therefore, implementing MFA for one type of access does not eliminate the need to apply another instance of MFA for the other. If an individual initially connects to the entity's network via remote access, and then later establishes a connection into the CDE from within the network, the individual needs to authenticate using MFA twice - first when connecting via remote access to the company's network and again when connecting via non-console administrative access from the entity's network into the CDE.
5. How to comply with the MFA requirements in PCI DSS v4.0
Here are some practical tips that can help organizations to comply with the new MFA requirements:
Consider phishing-resistant and passwordless MFA. The PCI SSC's definition of MFA remains relatively classic. It does not refer (yet) to more advanced properties of MFA mechanisms, such as phishing resistance or passwordless authentication. Nevertheless, MFA mechanisms with these properties offer higher security and better user convenience and should therefore be considered by companies updating their MFA mechanisms.
Phishing resistance ensures the authentication code generated by the MFA mechanism can only be used with the intended application and can therefore not be stolen via a phishing website. Passwordless authentication avoids the use of knowledge-based authentication factors that are validated server-side (e.g. passwords), which are subject to phishing and may be hard to manage.
6. Conclusion
Compliance with PCI DSS is vital for organizations that handle payment card transactions. With the release of PCI DSS 4.0, there are significant updates, especially relating to MFA. PCI SSC has broadened the scope of MFA requirements for all accounts accessing cardholder data and is mandating its implementation. Although these new MFA requirements remain best practice until 31 March 2025, the clock is ticking.
Protect your workforce and safeguard data and applications from attacks with our latest FIDO authenticator with fingerprint scan.
Learn more