Learn more about the multi-factor authentication that is required of your business operations. 

By: Christopher Skarda
Security Analyst
QSA, CISSP
Multi-factor authentication (MFA) can be used to enhance the security of your data, particularly in remote access applications. But many businesses don’t know how it applies to PCI DSS compliance.

The PCI DSS standard has both old and new MFA requirements that you need to be aware of.  The PCI Security Standards Council also released a supplemental guide on multi-factor authentication, clarifying the industry-accepted principles and best practices associated with MFA. Here are a few things you should know.

What is multi-factor authentication? 

multi-factor authenticationMulti-factor authentication is an effective way to secure your CDE, and is a requirement under PCI DSS. When multi-factor authentication is properly enforced, you must provide at least two of these three categories of credentials to authenticate: 

  • Something you know (e.g., password/passphrase, PIN) 

  • Something you have (e.g., token device, one-time password) 

  • Something you are (e.g., fingerprint scan, retina scan)
This diversity of required credentials greatly reduces the risk of unauthorized access to your secure environments.

The existing requirements

Requirement 8.3.2 of the PCI DSS 3.2 states that you must “incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.”

In other words, MFA must be enforced for all remote access to your corporate networks that are part of your cardholder data environment, or have access to your cardholder data environment. This requirement is maintained from previous versions of the PCI DSS.

multi-factor authentication requirements PCI 3.2 changes

Requirement 8.3.1 is new to PCI DSS 3.2. It’s currently best-practice, but it becomes effective as a requirement after January 31, 2018.

This new requirement states: “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.” Previously, MFA was required only for remote access by employees, administrators, and third parties. This additional sub requirement states that MFA is required for all non-console administrative access to the CDE internally as well. 


SEE ALSO: 2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates

Supplement clarifications

The Multi-Factor Authentication Informational Supplement from the PCI Security Standards Council provides the following guidelines and industry best practices that should be followed when implementing MFA:
Authentication mechanisms should be maintained independent of one another.
This ensures that access to one factor does not grant access to another, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor. For example, if the same set of credentials (e.g., username/password) is used as an authentication factor and also for gaining access to an e-mail account where a secondary factor (e.g., one-time password) is sent, these factors are not independent. Another faulty example is if you use a software certificate that is stored on a mobile device and protected by the same username and password that is used as part of MFA.

No knowledge of the success or failure of any factor should be provided to the individual.  Instead, a collective success or failure message should be given once all factors have been submitted. In the event of failed authentication, there should be no indication of which provided credential is incorrect.

What applications should use multi-factor authentication?

Here’s a list of applications that should use multi-factor authentication:
  • Remote access technologies
  • Cloud storage used for sensitive documents
  • Email accounts
  • Cloud computing administration interfaces
  • Hosting services
  • Password management tools
  • Any account with access to sensitive information
Remember, multi-factor authentication is an additional layer of security you should apply to all of your sensitive data.

Need help with PCI compliance? Talk to us!

Christopher Skarda (CISSP, QSA, CCNA) is a Security Analyst at SecurityMetrics and has worked in data security for thirteen years and the PCI sector for three years. He has a Bachelor of Science in Information Technology from BYU.