2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates

Learn what changes have happened to multi-factor authentication.  

By: Mark Miner Security Analyst CISSP, QSA

The PCI DSS 3.2 has recently made some changes to multi-factor authentication. But what changes have been made, and how do they involve your business?

SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

Here’s a quick explanation of the changes that have been made to PCI DSS 3.2’s requirements for multi-factor authentication.

1st change: multi-factor authentication title

The first change is simply a label change for clarification. Instead of calling it “two-factor authentication,” the PCI DSS wishes it to be called “multi-factor authentication.” This is to help clarify that businesses are required to have at least two factors of authentication, but aren’t just limited to two.

SEE ALSO: New Multi-Factor Authentication Clarification and Supplement: The Principles You Should Know

2nd change: clarifying the CDE and what requires multi-factor authentication

The other requirement change deals with what qualifies as the Card Data Environment (CDE) and when multi-factor authentication is required. This new change also clarifies to businesses when it should be used.

The PCI DSS requires that all remote access into the CDE requires multi-factor authentication. The problem we’ve run into is the clarification of what is part of the CDE and what isn’t.

Many businesses will have some support servers that aren’t considered part of their card environment. The new requirements clarify that while these servers may not be part of the CDE, they are in scope for PCI because they affect the security of the CDE. As a result, these systems should require multi-factor authentication.

Also, if you are accessing the CDE from the corporate network through remote desktop protocol, you will need to use multi-factor authentication. In the past, many companies didn’t define that as remote access because it originated within the corporate network. The PCI DSS has now removed this grey area by requiring that all non-console access requires multi-factor authentication. This means anytime you’re accessing your CDE from anywhere besides your console, you need to use multi-factor authentication.

SEE ALSO: Integrate 2fa Tech To Correctly Comply with PCI Req. 8.3

How do these changes involve jump boxes?

A jump box is a server that’s a buffer between you and the network. Instead of logging directly into the CDE, you would first be directed to the jump box, then to the CDE. Businesses often used jump boxes to get into their CDE without having to use multi-factor authentication.

Previously, some businesses used a jump box outside the CDE (on the corporate network) to connect to the CDE. Because the jump box was on the corporate network it wasn’t considered to be “remote access” and did not use multi-factor authentication. PCI DSS 3.2 now clarifies that all non-console access requires multi-factor authentication.

Even if you use a jump box, you still need to use multi-factor authentication

Tweet

When should these changes be implemented? 

Keep in mind, these new requirements for multi-factor authentication are considered by the PCI DSS to be best practice until Jan 31, 2018. Organizations need to remember while that’s the deadline, they need to work on and implement the solution before then.

The sooner you start making these changes, the easier it will be for you to make the deadline on time.

Need help getting PCI compliant? Talk to us! 

Mark Miner is a Principal Security Analyst and Assessor at SecurityMetrics. He has over 21 years of experience in network security. Mark has current CISSP, QSA (P2PE), PA-QSA (P2PE) certifications, and his expertise has been focused on Payment Card Industry (PCI) security for the past 8.5 years.