The PCI Security Standards Council has released version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS).
One of the key changes is an update to requirement 8.3.
According to Crystal Bedell, a journalist with CIO.com, “This update highlights what the security industry already knows: Passwords are no longer a sufficient means of controlling access to sensitive data. In a word, compliance with PCI DSS now requires organizations to bolster their access security with multi-factor authentication.”
Although the new requirements, released April 2016, are considered “best practices” until Feb. 1, 2018, organizations are encouraged to adopt the new standard as soon as possible.
The first change to Requirement 8.3 is one of language. Instead of two-factor authentication (2FA), the PCI DSS now calls for multi-factor authentication (MFA). Both terms draw on the same three categories of factor: something you know (such as a PIN or password), something you have (such as a USB key or smartphone), and something you are (such as a fingerprint or retina scan). 2FA means exactly two factors from two different categories; MFA means at least two, possibly more. Two factors from the same category (for example, a password plus a security question, both of which are something you know) do not count as multi-factor.
Two-factor authentication is therefore one form of multi-factor authentication, but not the other way around. By changing the terminology of Requirement 8.3, the standard makes two independent factors the minimum, and leaves room for organizations to require more.
PCI DSS version 3.2 also extends the MFA requirement.
Previously, MFA was only required for remote access to the Cardholder Data Environment (CDE) from outside the organization’s network. That meant an organization could prohibit remote access to its CDE and avoid the need to implement an MFA solution altogether. With the update, a password by itself is no longer a sufficient means of verifying a user’s identity before granting access to cardholder data: MFA is required both for remote access from outside the network and for administrative access originating inside the local-area network (LAN).
Since compromised passwords are the leading cause of data breaches (according to the 2016 Verizon Data Breach Investigations Report), this is a welcome change. Despite constant warnings, people continue to reuse the same password on multiple sites, so a password stolen from one site can be replayed against another. Attackers are getting better at breaching organizations, which has pushed the PCI Security Standards Council to tighten its requirements for e-commerce companies. The PCI DSS also requires vulnerability scanning and anti-malware protection, both of which are offered by Trust Guard, the leader in website security.
Under PCI DSS version 3.2, any individual with non-console administrative access to systems in the cardholder data environment must authenticate using MFA. “Non-console administrative access” means the system is administered over a network rather than from its local screen and keyboard. For example, if a system is managed through a web-based management interface, remote desktop software, SSH, or terminal services, the administrator must be authenticated via MFA. This applies regardless of whether the individual is an employee or third-party IT support personnel, and regardless of whether the connection originates inside or outside the organization’s network.
Compliance with PCI DSS Requirement 8.3 can be addressed with an MFA solution that easily scales across every user and IT resource. An integrated identity platform that provides adaptive MFA can reduce the cost and complexity of an organization-wide deployment. It can also balance user convenience and security.