Payment card industry (PCI) compliance has been a major concern for banking and e-commerce users. Providers need to satisfy several requirements to put their systems in an acceptable state to handle regulated data.

The requirements and security assessment procedures published in April 2016 within Payment Card Industry Data Security Standard (PCI DSS) version 3.2 described several best practices that will become mandatory starting Feb. 1, 2018. These controls are not intended to be deferred for the next validation or assessment, but to be implemented by that date. One of those requirements, 8.3.1, states that businesses must “incorporate multifactor authentication for all nonconsole access into the CDE for personnel with administrative access.”

What Is Multifactor Authentication?

Multifactor authentication (MFA) is a mechanism that requires users to present separate pieces of information — typically related to knowledge (something the user knows), possession (something the user has) and innate qualities (something the user is) — to gain access to privileged systems or accounts. For the PCI requirement, all administrative access to the cardholder data environment (CDE) infrastructure, application or database requires at least two different modes of authentication, which is commonly known as two-factor authentication (2FA). This elevates the difficulty for an attacker to compromise a system, thereby reducing risk.

In February 2017, the PCI Security Standards Council released an information supplement that described industry-accepted principles and best practices associated with MFA. It also offered guidance for organizations that are evaluating, implementing or upgrading MFA solutions and explained why multistep authentication methods are no longer enough to meet PCI compliance.

Multistep Versus Multifactor

The PCI requirement became simpler but more restrictive, since all factors must be verified prior to the authentication mechanism granting the requested access. Furthermore, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. If an unauthorized user can deduce the validity of any individual factor, it doesn’t really matter if a different factor is used for each step.

Let’s say that a CDE administrator is trying to log in to a system by Secure Shell (SSH) using a username and password. Once successfully validated, the console prompts him or her for a second factor, such as a one-time password (OTP) token. This process would be considered multistep authentication.

To be considered multifactor, the administrator should be able to provide the username, password and token at the same time. If access is denied, the system should do so without disclosing which factor was entered incorrectly.

PCI Compliance Leads to Improved Data Security

There are other security controls that will become mandatory in February 2018, such as 6.4.6, which declares that all PCI DSS requirements must be implemented for all new or changed systems and networks. There’s also, which requires businesses to conduct penetration testing of segmentation controls every six months.

These new standards show that PCI DSS is going beyond the compliance-only approach, urging businesses to implement better security measures to protect their systems, data and customers.

More from Banking & Finance

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…