The Payment Card Industry Data Security Standard version 3.2 was published in April 2016 and went into effect Feb. 1, 2018.
Driven by large-scale breaches such as last year’s Equifax breach and escalating payment card transaction fraud globally, PCI DSS’s aim is to protect cardholder data and to simplify the implementation of data security measures on a global scale.
While many organizations made sure they were fully compliant before Feb. 1, the related inquiries my company has received make it apparent that not every organization took heed.
There are numerous changes in version 3.2. The most notable change, and the one causing angina for CISOs and compliance officers, is “Requirement 8: Identify and authenticate access to system components.”
Included in Requirement 8 is multifactor authentication (MFA). Requirement 8.3 affects all stakeholders involved in card payment processes, including merchants such as brick-and-mortar stores and online merchants, buyers, issuers, service providers and anyone who stores, processes or transmits cardholder data or sensitive authentication data.
Key components of Requirement 8 include:
8.3 Secure all individual non-console administrative access and all remote access to the CDE (cardholder data environment) using multifactor authentication.
8.3.1 Incorporate multifactor authentication for all non-console access into the CDE for personnel with administrative access.
8.3.2 Incorporate multifactor authentication for all remote network access (both user and administrator, including third-party access for support or maintenance) originating from outside the entity’s network.
The MFA requirement applies to all users, such as vendors and administrators, who access the network from a remote location. MFA is required only when those remote users can reach cardholder data: if the network is segmented such that remote users cannot access the cardholder data, MFA is not required.
PCI DSS defines non-console access as “logical administrative access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console administrative access includes access from within local/internal networks as well as access from external, or remote, networks.”
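To make the scoping rules above concrete, here is an added example (not text or code from the standard or from this article) that encodes 8.3.1, 8.3.2 and the segmentation caveat as a check over an access-path inventory. The AccessPath record, its attribute names and the sample inventory are assumptions constructed for illustration; it is a simplified model, and whether a given path actually counts as "into the CDE" remains an assessor's scoping judgement.

```python
from dataclasses import dataclass

# Hypothetical scoping model (constructed for this example, not from the standard):
# one record per way a person can reach systems, with the attributes that
# Requirement 8.3 keys on.
@dataclass(frozen=True)
class AccessPath:
    name: str
    console: bool          # direct, physical console connection, not over a network interface
    administrative: bool   # personnel with administrative access on the target
    external_origin: bool  # originates from outside the entity's network
    reaches_cde: bool      # can reach the CDE, i.e. not segmented away from cardholder data


def applicable_requirements(path: AccessPath) -> list[str]:
    """Return the 8.3.x sub-requirements under which this path needs MFA."""
    reqs = []
    # 8.3.1: non-console administrative access into the CDE, from anywhere.
    if path.administrative and not path.console and path.reaches_cde:
        reqs.append("8.3.1")
    # 8.3.2: remote access originating outside the entity's network that can reach
    # cardholder data, admin or not. Segmentation that blocks the CDE removes it.
    if path.external_origin and path.reaches_cde:
        reqs.append("8.3.2")
    return reqs


def mfa_required(path: AccessPath) -> bool:
    return bool(applicable_requirements(path))


def audit(paths) -> dict[str, list[str]]:
    """Map each path name to the sub-requirements that make MFA mandatory for it."""
    return {p.name: applicable_requirements(p) for p in paths}


# Constructed sample inventory for illustration only.
SAMPLE_PATHS = [
    AccessPath("dba-ssh-from-office-lan", console=False, administrative=True,
               external_origin=False, reaches_cde=True),
    AccessPath("vendor-vpn-support", console=False, administrative=True,
               external_origin=True, reaches_cde=True),
    AccessPath("remote-staff-vpn-corp-only", console=False, administrative=False,
               external_origin=True, reaches_cde=False),
    AccessPath("remote-analyst-report-portal", console=False, administrative=False,
               external_origin=True, reaches_cde=True),
    AccessPath("datacenter-crash-cart", console=True, administrative=True,
               external_origin=False, reaches_cde=True),
]

if __name__ == "__main__":
    for name, reqs in audit(SAMPLE_PATHS).items():
        print(f"{name:30s} MFA required: {str(bool(reqs)):5} {reqs}")
```

Note that the internal DBA session is caught by 8.3.1 even though it never leaves the LAN, while the physically attached crash cart is console access and falls outside both sub-requirements.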
Although the regulation requires MFA, it is not so restrictive as to mandate a specific NIST Authenticator Assurance Level as defined in NIST’s Digital Identity Guidelines. Organizations, in fact, may select from a variety of authentication solutions.
MFA technology has come a long way since the days of PKI smart cards. Organizations can comply with the PCI DSS while still deploying user-friendly, secure solutions.
One could argue that security vendors have achieved, or are very close to achieving, a balance between security and usability. For example, adoption of the FIDO Alliance standards is becoming more mainstream and biometric-enabled mobile devices have opened the floodgates to innovation.
Mobile devices are increasingly equipped with high-quality cameras capable of capturing images and video of the user’s face, and with microphones that support voice recognition. Fingerprint, voice and facial recognition are also in use across many industries. As a result, compliance may be just a matter of deploying, for internal controls, technology that customers already use.
If your organization procrastinated and is not compliant with PCI DSS 3.2 today, don’t fret: there are many MFA solutions available.