Multi-Factor Authentication for PCI DSS Compliance

One of the most commonly asked questions in my current discussions with clients concerns the PCI Standard change that will soon mandate the use of multi-factor authentication. Many are concerned about the impact this will have on organisations that store (or to some extent consume) payment card data, and whether their current systems are even capable of meeting this new requirement.

For an organisation storing payment card data in its Cardholder Data Environment (CDE), being PCI compliant no longer means simply using a username and password when accessing the CDE, and now even an older-style token or an SMS message may not be sufficient.

In 2016, updates were made to Clause ‘Requirements 8.3’ of the PCI Standard. This update brought MFA into the limelight. It also drew out a strict definition of multi-factor authentication versus two-step authentication.

From April 2016, it suddenly became important to know the distinction between the two technologies: MFA is ‘in’, two-step is ‘out’.

What separates multi-factor authentication from two-step is that you must provide multiple credentials in different categories, or ‘factors’. The three categories/factors are:

  1. Something you have (eg. token OTP)

  2. Something you know (eg. PIN)

  3. Something you are (eg. fingerprint).

In the case of Mi-Token, a user must use a soft or hard token along with a PIN or code, or “another factor”, to access the CDE. Since the code is not stored on the device, it is considered multi-factor authentication.

With two-step, the code or token is stored on (or sent to) the device and could be compromised. MFA makes it exponentially more difficult for a hacker to obtain the credentials, because they must be stolen from multiple locations.
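The following is an added example (not Mi-Token's code) of how a server can enforce the "different categories" rule above: a possession factor verified as an RFC 6238 TOTP from a seed that lives only on the token, and a knowledge factor verified as a PIN hash that lives only on the server. The seed, salt and PIN are constructed demo values; the factor-category table and the `authenticate` flow are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values: the token seed is provisioned to the user's hard/soft
# token (something you have); only a salted PIN hash is held server-side (something
# you know). The PIN is never stored on the device, the seed is never typed by the user.
TOKEN_SEED = b"12345678901234567890"   # RFC 6238 test-vector seed, demo only
PIN_SALT = b"demo-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, 100_000)

# Which factor category each credential type belongs to (assumed mapping).
FACTOR_OF = {"otp": "have", "pin": "know", "password": "know", "fingerprint": "are"}


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def is_multi_factor(credentials: dict) -> bool:
    """True only if the presented credentials span two or more distinct categories."""
    categories = {FACTOR_OF[name] for name in credentials if name in FACTOR_OF}
    return len(categories) >= 2


def verify_pin(pin: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    return hmac.compare_digest(candidate, PIN_HASH)   # constant-time comparison


def verify_otp(code: str, now: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus/minus `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(TOKEN_SEED, now + d * 30), code)
               for d in range(-window, window + 1))


def authenticate(credentials: dict, now=None) -> bool:
    """Grant CDE access only if the credentials are from different factors AND both verify."""
    now = int(time.time()) if now is None else now
    if not is_multi_factor(credentials):
        return False   # e.g. PIN + password is two of "something you know", not MFA
    return verify_pin(credentials.get("pin", "")) and verify_otp(credentials.get("otp", ""), now)
```

Two credentials from the same category (PIN plus password) are rejected before any secret is checked, which is exactly the distinction the standard draws.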

The PCI DSS standards have for some time been considered to be “best practices”, and when the updated PCI Standard becomes effective (in 2018) any organisation holding card data must be using an MFA solution. This requirement is even more pertinent as the standard now extends to both remote and internal (network) access and to remote desktop software or terminal services. It also means anyone who is given access to this environment must use an MFA technology when logging in.

While I am speaking from the perspective of an MFA vendor, the reasoning behind this decision is very sound. The more security we apply to the storage of personal information, the better. We have recently seen an escalation in card fraud, with stolen card data accounting for almost 80% of all fraudulent card transactions.

Mi-Token can provide an extremely simple but secure MFA solution that can reduce the cost and complexity of PCI compliance for any sized organisation.

It is also worth adding that MFA matters for secure and simple access to any website or network, not just the CDE.

To find out more about our multi-factor authentication system visit: https://www.mi-token.com
