One of the key changes to the Payment Card Industry Data Security Standard (PCI DSS) 3.2 is an update to Requirement 8.3. This update highlights what the security industry already knows: passwords are no longer a sufficient means of controlling access to sensitive data. In a word, compliance with PCI DSS now requires organizations to bolster their access security with multi-factor authentication.

While the new requirements, released by the Payment Card Industry Security Standards Council (PCI SSC) in April 2016, are considered “best practices” until Feb. 1, 2018, organizations are encouraged to adopt the standard as soon as possible.

The first change to Requirement 8.3 is simply a change of language. Instead of “two-factor authentication,” the PCI DSS now calls for “multi-factor authentication.” What’s the difference? Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA). In other words, “all two-factor authentication (2FA) is multi-factor authentication (MFA), but not all MFA is 2FA,” writes Chris Webber for Centrify.

While 2FA involves having two different forms of authentication drawn from the three recognized categories – something you know (such as a PIN or password), something you have (such as a USB key or smartphone) and something you are (such as a fingerprint or retina scan) – MFA implies that you have at least two, possibly more. By changing the terminology of Requirement 8.3, two forms of authentication are now the minimum requirement.

PCI DSS 3.2 also extends the requirement for MFA. Previously, MFA was only required for remote access to the cardholder data environment (CDE). That meant organizations could prohibit remote access to their CDE and avoid the need to implement an MFA solution.

With the update, however, a password alone is no longer a sufficient means of verifying the user’s identity and granting access to sensitive information – whether remotely or on the LAN. And that’s good, because compromised passwords are the leading cause of data breaches according to the 2016 Verizon Data Breach Investigations Report.

Under PCI DSS 3.2, any individual with non-console administrative access to systems that handle credit card data must authenticate using MFA. “Non-console administrative access” means that the system is accessed over a network, as opposed to the system’s local screen and keyboard. So, for example, if the system is accessed via a web-based management interface, remote desktop software, or terminal services, the user must be authenticated via MFA. This applies regardless of whether the individual is an employee or third-party IT support personnel.

It is simply a matter of time before MFA is accepted as a best practice and is routinely applied across the organization. Compliance with PCI DSS Requirement 8.3 can be addressed with an MFA solution that easily scales across every user and IT resource. An integrated identity platform that provides adaptive MFA can reduce the cost and complexity of an organization-wide deployment while balancing user convenience and security.

To learn more about becoming PCI DSS compliant, download this white paper, which examines each of the requirements and identifies capabilities of the Centrify Server Suite and Centrify Privilege Service that customers can leverage to help achieve compliance.
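The two rules the post lays out (MFA means credentials from at least two different factor categories, and non-console administrative access to CDE systems requires MFA whether remote or on the LAN) are easy to state and easy to get subtly wrong in an access policy, for example by counting a password plus a security question as "two factors". The following is an added example, not code from the original post, from Centrify, or from the PCI SSC: it encodes both rules as a small policy-as-code check. The credential-to-category table, the `AccessRequest` shape and the sample requests are constructed assumptions for the demonstration.

```python
"""Policy-as-code check for PCI DSS 3.2 Requirement 8.3 as described in the post.

Added illustrative example. The factor categories and the notion of
"non-console administrative access" come from the post; the credential
table, request shape and sample requests are constructed for this demo.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three recognized authentication factor categories."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, smartphone app
    INHERENCE = "something you are"     # fingerprint, retina scan


# Constructed mapping of credential types to their factor category.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,   # still "something you know"
    "hardware_token": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina_scan": Factor.INHERENCE,
}


def distinct_factor_categories(credentials):
    """Return the set of distinct factor categories the presented credentials cover.

    Unknown credential types raise, so the policy fails closed rather than
    silently counting an unclassified credential as a factor.
    """
    unknown = [c for c in credentials if c not in CREDENTIAL_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognized credential type(s): {unknown}")
    return {CREDENTIAL_CATEGORY[c] for c in credentials}


def is_multi_factor(credentials):
    """MFA means at least two *different* categories, not merely two credentials.

    Password + security question is two credentials but one category.
    """
    return len(distinct_factor_categories(credentials)) >= 2


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, as the policy sees it (constructed shape)."""
    user: str
    administrative: bool   # admin-level access to the target system
    in_cde: bool           # system stores, processes or transmits cardholder data
    console: bool          # True = local screen/keyboard; False = over the network
    credentials: tuple     # credential types presented, e.g. ("password", "totp_app")


def mfa_required(req):
    """Requirement 8.3 as the post describes it: non-console administrative
    access to CDE systems needs MFA. Employee vs. third party and remote vs.
    LAN make no difference, so neither is an input here."""
    return req.administrative and req.in_cde and not req.console


def passes_requirement_8_3(req):
    """Return (passes, reason). A True result only means this rule is
    satisfied; other access controls still apply."""
    if mfa_required(req) and not is_multi_factor(req.credentials):
        cats = sorted(c.value for c in distinct_factor_categories(req.credentials))
        return False, f"MFA required for non-console admin access to CDE; only {cats} presented"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: an admin over RDP with a password only, the
    # same admin with a hardware token added, and the same admin at the console.
    samples = [
        AccessRequest("admin1", True, True, False, ("password",)),
        AccessRequest("admin1", True, True, False, ("password", "hardware_token")),
        AccessRequest("admin1", True, True, True, ("password",)),
        AccessRequest("vendor-support", True, True, False, ("password", "security_question")),
    ]
    for req in samples:
        ok, why = passes_requirement_8_3(req)
        print(f"{req.user:15} console={req.console!s:5} {req.credentials} -> {ok} ({why})")
```

The one design point worth noting is that `is_multi_factor` counts categories, not credentials; that is what keeps a knowledge-only combination such as password plus security question from being accepted, which is the distinction the post draws between "two forms of authentication" and simply "two things".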