Payment card industry (PCI) compliance has been a major concern for banking and e-commerce users. Providers need to satisfy several requirements to put their systems in an acceptable state to handle regulated data.

The requirements and security assessment procedures published in April 2016 within Payment Card Industry Data Security Standard (PCI DSS) version 3.2 described several best practices that will become mandatory starting Feb. 1, 2018. These controls are not intended to be deferred for the next validation or assessment, but to be implemented by that date. One of those requirements, 8.3.1, states that businesses must “incorporate multifactor authentication for all nonconsole access into the CDE for personnel with administrative access.”

What Is Multifactor Authentication?

Multifactor authentication (MFA) is a mechanism that requires users to present separate pieces of information — typically related to knowledge (something the user knows), possession (something the user has) and innate qualities (something the user is) — to gain access to privileged systems or accounts. For the PCI requirement, all administrative access to the cardholder data environment (CDE) infrastructure, application or database requires at least two different modes of authentication, which is commonly known as two-factor authentication (2FA). This elevates the difficulty for an attacker to compromise a system, thereby reducing risk.

In February 2017, the PCI Security Standards Council released an information supplement that described industry-accepted principles and best practices associated with MFA. It also offered guidance for organizations that are evaluating, implementing or upgrading MFA solutions and explained why multistep authentication methods are no longer enough to meet PCI compliance.

Multistep Versus Multifactor

The PCI requirement became simpler but more restrictive, since all factors must be verified prior to the authentication mechanism granting the requested access. Furthermore, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. If an unauthorized user can deduce the validity of any individual factor, it doesn’t really matter if a different factor is used for each step.

Let’s say that a CDE administrator is trying to log in to a system by Secure Shell (SSH) using a username and password. Once successfully validated, the console prompts him or her for a second factor, such as a one-time password (OTP) token. This process would be considered multistep authentication.

To be considered multifactor, the administrator should be able to provide the username, password and token at the same time. If access is denied, the system should do so without disclosing which factor was entered incorrectly.

PCI Compliance Leads to Improved Data Security

There are other security controls that will become mandatory in February 2018, such as 6.4.6, which declares that all PCI DSS requirements must be implemented for all new or changed systems and networks. There’s also 11.3.4.1, which requires businesses to conduct penetration testing of segmentation controls every six months.

These new standards show that PCI DSS is going beyond the compliance-only approach, urging businesses to implement better security measures to protect their systems, data and customers.

More from Banking & Finance

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today