Cyber attacks continue to access private networks and steal sensitive information from individuals and organizations using valid credentials. As a result, the Payment Card Industry (PCI) Security Standards Council (SSC) issued guidelines on how organizations should implement multi-factor authentication (MFA) technologies to curb the rise in cyber-attacks.
Every organization is now expected to comply with these PCI SSC guidelines to prevent unauthorized access to their computers, systems, and networks, especially those that handle payment transactions.
If you’re looking for a CIAM solution that best fits your organization, contact Squareball.
PCI has always required that organizations implement MFA technology for remote access to their cardholder data environment (CDE) because MFA offers a multi-layered system that any unauthorized person must be able to breach before they can gain access to a system. MFA implementation requirements aim to provide a higher security and authentication level for users trying to access resources like physical location, mobile device, network, or a database.
According to PCI, the MFA authentication process must include two or more of the three main authentication methods specified in PCI Data Security Standard (DSS) Requirement 8.2. Authentication factors include:
Other types of data that can be included in a MFA process are geographical location and time. In this case, though, you still have to include at least two of the above three authentication factors in a MFA implementation for it to be PCI compliant.
Organizations are strongly encouraged to leverage all recent MFA implementations to stay compliant. These are industry-recognized best practices designed to provide a roadmap for future data- and system-security considerations. Many organizations may also be subject to regional laws or guidelines that describe MFA requirements that are more rigorous than PCI DSS and may require that some of these principles be fully implemented.
MFA technology authentication methods should be implemented in such a way that exposure to one authentication factor does not give unauthorized access in another direction. The exploitation of any element of MFA should be separate from others so that reliability and/or privacy are not compromised.
The principles surrounding the implementation of security solutions are professional and more effective at addressing security risks. Although the PCI DSS doesn’t currently require that a MFA implementation meet all these principles, it may in the future.