MFA Requirements for PCI Compliance
October 6th, 2021

Attackers continue to gain access to private networks and steal sensitive information from individuals and organizations by using valid, stolen credentials. As a result, the Payment Card Industry (PCI) Security Standards Council (SSC) issued guidelines on how organizations should implement multi-factor authentication (MFA) technologies to curb the rise in such attacks.

Every organization is now expected to comply with these PCI SSC guidelines to prevent unauthorized access to their computers, systems, and networks, especially those that handle payment transactions.

If you’re looking for a CIAM solution that best fits your organization, contact Squareball. 

The Reason PCI Issues MFA Guidance

PCI has always required that organizations implement MFA technology for remote access to their cardholder data environment (CDE), because MFA provides a multi-layered system in which an unauthorized person must breach every layer before gaining access. The MFA implementation requirements aim to provide a higher level of security and authentication assurance for users trying to access resources such as a physical location, a mobile device, a network, or a database.

Compliance Considerations

According to PCI, the MFA authentication process must include two or more of the three main authentication factor categories specified in PCI Data Security Standard (DSS) Requirement 8.2. The categories are:

  • Something you know: This method authenticates information supplied by the user, such as a password, a PIN, or the answer to a security question.
  • Something you own: This method authenticates a specific item in the user's possession, such as a physical or logical security token, a one-time password (OTP) generator, a key, an access card, or the SIM card in a phone. For mobile verification, the possession factor is typically a smartphone running OTP software, or a device holding cryptographic material.
  • Something you are: This method uses biometrics, the verification of human-specific characteristics such as retinal, iris, fingerprint, or finger-vein scans, along with facial recognition, voice recognition, and hand geometry.

Other types of data, such as geographical location and time, can be included in an MFA process. Even then, an MFA implementation must still include at least two of the three authentication factor categories above to be PCI compliant; contextual data does not count toward that minimum.

How Your Organization Should Use the PCI’s Guidelines

Organizations are strongly encouraged to follow all of the current MFA implementation guidance to stay compliant. These are industry-recognized best practices designed to provide a roadmap for future data- and system-security considerations. Many organizations may also be subject to regional laws or guidelines that set MFA requirements more rigorous than PCI DSS and may require that some of these principles be fully implemented.

MFA authentication methods should be implemented so that the compromise of one authentication factor does not expose, or grant access through, another. Each element of an MFA implementation should be independent of the others, so that the compromise of one does not undermine the reliability or confidentiality of the rest.
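As an added illustration of both the factor-category rule above and the independence principle (this is example code written for this article, not a PCI SSC or Squareball artifact), the following policy check classifies authenticators into the three DSS 8.2 categories, discards contextual data such as location and time when counting, and verifies every factor without short-circuiting so that no single failed factor is revealed to the caller. The authenticator names and the category mapping are constructed assumptions; adapt them to your own deployment.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you own"
    INHERENCE = "something you are"
    CONTEXT = "contextual"  # location, time: never counts toward the minimum

# Hypothetical mapping of authenticator types to PCI DSS 8.2 categories
# (constructed for this example; extend it to match your own deployment).
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "geolocation": Factor.CONTEXT,
    "time_of_day": Factor.CONTEXT,
}

def distinct_factor_categories(authenticators):
    """Categories a policy covers, with contextual data discarded.
    Unknown types raise so that a misconfigured policy fails closed."""
    categories = set()
    for name in authenticators:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {name}")
        categories.add(FACTOR_CATEGORY[name])
    categories.discard(Factor.CONTEXT)
    return categories

def policy_is_pci_compliant(authenticators):
    """True when at least two of the three DSS 8.2 categories are present."""
    return len(distinct_factor_categories(authenticators)) >= 2

def verify_all(checks):
    """Run every factor check and return a single aggregate result.
    No early exit and no per-factor status: a failure in one factor neither
    reveals which factor failed nor lets the remaining checks be skipped
    (the independence principle, as interpreted in this example)."""
    result = True
    for check in checks:  # each check is a zero-argument callable
        result &= bool(check())
    return result
```

A password plus a PIN, or a password plus a geolocation check, both fail the policy test because only one counted category is present.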

These implementation principles reflect established professional practice and address security risks effectively. Although PCI DSS does not currently require that an MFA implementation meet all of them, it may in the future.

For further reading, check out our other articles like Best Practices for MFA Implementation and Understanding the Different 2 Factor Authentication Types.