Before PCI DSS 3.1 expired in October last year, multi-factor authentication (MFA) was only required for remote access to any cardholder data environment (CDE). With the introduction of the new PCI DSS 3.2 however, multi-factor authentication is now required for any personnel with non-console administrative access, as part of Requirement 8.
With these measures becoming such an important part of CDE security, here’s everything you need to know about multi-factor authentication.
So, What is MFA?
Multi-factor authentication is simply a security system that requires more than one type of identification or authentication before allowing user access. The term can refer to two-factor authentication or higher. The forms of authentication required usually encompass knowledge, possession and inherence, i.e. something the user knows, something they possess and something they are.
Examples of these include:
Knowledge – a password, login number, username or PIN.
Possession – a physical object, such as a key, swipe card or token.
Inherence – biometric identifications, such as fingerprints, iris scans or voice recognition.
Why is MFA Useful?
The idea behind multi-factor authentication is straightforward: it makes accessing sensitive data more difficult by presenting a potential attacker with more barriers than a single password. By requiring several separate identification factors, the system is harder to compromise, making cardholder data environments safer from unauthorised access.
When Do I Need to Use MFA?
According to the new PCI DSS 3.2 requirements, all organisations will need to implement multi-factor authentication systems for any non-console administrative access. This means any access to your system over a network, even if this is a non-remote on-site network that is already considered ‘safe’.
While PCI DSS 3.2 is effective now, businesses will have until February 2018 to implement any new MFA systems.
What are Some Key MFA Best Practices?
Guidance recently released by the PCI Security Standards Council states a few simple ideas for MFA best practice. Here are some to keep in mind:
Independence of Authentication Mechanisms – organisations need to make sure that the mechanisms used to authenticate different factors are independent from one another and cannot compromise one another.
Protection of Authentication Factors – to meet validation requirements for PCI DSS 3.2 Requirement 8, each factor of authentication needs to be protected. This simply means passwords should be secure and difficult to guess, while hardware or biometric data should be kept private and safe from unauthorised replication. Factors should also not be verified on a step-by-step basis as this could allow unauthorised users to determine the validity of individual factors over time.
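To illustrate the step-by-step pitfall above, here is a password-plus-TOTP check written two ways: one that verifies factors in sequence and reveals which one failed, and one that evaluates every factor before returning a single generic result. This is an added example written for this guide, not code from the PCI SSC; the salt, password and TOTP seed are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials for this example only; never use fixed values like these.
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"0123456789abcdef0123"  # constructed 20-byte shared secret


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _password_ok(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def _otp_ok(code: str, now: int) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))


def login_stepwise(password: str, code: str, now: int) -> str:
    """Weak: checks the factors one at a time and says which one failed, so the
    validity of the password can be learned without ever presenting a valid OTP."""
    if not _password_ok(password):
        return "bad password"
    if not _otp_ok(code, now):
        return "bad otp"
    return "ok"


def login_all_factors(password: str, code: str, now: int) -> str:
    """Hardened: evaluates every factor before deciding and returns one generic
    outcome, so no single factor can be confirmed in isolation."""
    results = [_password_ok(password), _otp_ok(code, now)]  # list, so no short-circuit
    return "ok" if all(results) else "authentication failed"
```

In production the hardened form would still be paired with rate limiting and lockout, since a generic result protects the individual factors but does not by itself slow down repeated attempts.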
Laws and Regulations – it’s important to keep your local laws and regulations in mind as well as the requirements made by PCI DSS 3.2. For example, both the European Union Directive on Payment Services and the Federal Financial Institutions Examination Council have additional requirements when it comes to consumer payments authentication or high-risk transactions.
Want to Know More?
If you have any questions about multi-factor authentication or the new MFA best practice guidance issued by the PCI SSC, get in touch with our secure payment specialists today. We’re here to help with all your PCI compliance queries, ensuring your contact centre remains as safe and protected as possible.
This guide is the sixth chapter of our eBook ‘Starting Your PCI Compliance Journey‘.