One of the key changes in the Payment Card Industry Data Security Standard (PCI DSS) 3.2 is an update to Requirement 8.3. The update confirms what the security industry already knows: passwords alone are no longer a sufficient means of controlling access to sensitive data. In short, compliance with PCI DSS now requires organizations to bolster their access security with multi-factor authentication.
While the new requirements, released by the Payment Card Industry Security Standards Council (PCI SSC) in April 2016, are considered “best practices” until Feb. 1, 2018, organizations are encouraged to adopt the standard as soon as possible.
The first change to Requirement 8.3 is simply a change of language. Instead of “two-factor authentication,” the PCI DSS now calls for “multi-factor authentication.” What’s the difference? Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA). In other words, “all two-factor authentication (2FA) is multi-factor authentication (MFA), but not all MFA is 2FA,” writes Chris Webber for Centrify.
2FA involves exactly two different forms of authentication drawn from the three factor categories – something you know (such as a PIN or password), something you have (such as a USB key or smartphone) and something you are (such as a fingerprint or retina scan) – whereas MFA implies at least two, and possibly more. By changing the terminology of Requirement 8.3, two forms of authentication become the minimum requirement rather than the exact one.
PCI DSS 3.2 also extends the requirement for MFA. Previously, MFA was only required for remote access to the cardholder data environment (CDE). That meant organizations could prohibit remote access to their CDE and avoid the need to implement an MFA solution.
With the update, however, a password alone is no longer sufficient to verify a user’s identity and grant access to sensitive information, whether the access is remote or from the local network. That is a welcome change: according to the 2016 Verizon Data Breach Investigations Report, compromised passwords are the leading cause of data breaches.
Under PCI DSS 3.2, any individual with non-console administrative access to systems that handle credit card data must authenticate using MFA. “Non-console administrative access” means that the system is accessed over a network, as opposed to through the system’s local screen and keyboard. So, for example, if the system is accessed via a web-based management interface, remote desktop software, or terminal services, the user must be authenticated via MFA. This applies regardless of whether the individual is an employee or third-party IT support personnel.
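As an added example that is not part of the original article, the following Python audit applies the rule just described to constructed authentication records: it counts only distinct factor categories (know, have, are) as separate factors, so a password plus a security question is still single-factor, and it exempts console sessions and non-administrative users. The factor names, event fields and JSON log format are assumptions for the illustration.

```python
# Added example (not from the original article): audit constructed authentication
# records against the PCI DSS 3.2 Requirement 8.3 rule described above:
# non-console administrative access to an in-scope (CDE) system must use at
# least two distinct factor categories (know / have / are).
import json

# Hypothetical mapping of factor names to the three categories the article lists.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "otp_token": "have", "push_app": "have", "smartcard": "have",
    "fingerprint": "are", "retina": "are",
}
CONSOLE_METHODS = {"local_console"}  # physical screen and keyboard

def distinct_factor_categories(factors):
    """Return the set of factor categories actually used; two factors of the
    same category (e.g. password + security question) count only once."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}

def violates_req_8_3(event):
    """True when an event is non-console administrative access to a CDE system
    that was granted with fewer than two factor categories."""
    if not event["cde_system"] or not event["admin"]:
        return False          # rule only covers administrative access to CDE systems
    if event["method"] in CONSOLE_METHODS:
        return False          # local console access is out of scope for 8.3
    return len(distinct_factor_categories(event["factors"])) < 2

def audit(lines):
    """Parse JSON-encoded auth events and return (user, method) pairs that violate the rule."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if violates_req_8_3(ev):
            findings.append((ev["user"], ev["method"]))
    return findings

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    '{"user":"alice","admin":true,"cde_system":true,"method":"rdp","factors":["password","otp_token"]}',
    '{"user":"bob","admin":true,"cde_system":true,"method":"web_console","factors":["password","security_question"]}',
    '{"user":"carol","admin":true,"cde_system":true,"method":"local_console","factors":["password"]}',
    '{"user":"dave","admin":false,"cde_system":true,"method":"ssh","factors":["password"]}',
    '{"user":"vendor1","admin":true,"cde_system":true,"method":"ssh","factors":["password"]}',
]

if __name__ == "__main__":
    for user, method in audit(SAMPLE_EVENTS):
        print(f"Requirement 8.3 gap: {user} via {method}")
```

Running it flags bob (two factors, but both "something you know") and the third-party vendor1 (password only over SSH), while alice, carol and dave pass.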
It is simply a matter of time before MFA is accepted as a best practice and is routinely applied across the organization. Compliance with PCI DSS Requirement 8.3 can be addressed with an MFA solution that easily scales across every user and IT resource. An integrated identity platform that provides adaptive MFA can reduce the cost and complexity of an organization-wide deployment while balancing user convenience and security.