January 10, 2018 By Omner Barajas 2 min read

Payment card industry (PCI) compliance has been a major concern for banking and e-commerce users. Providers need to satisfy several requirements to put their systems in an acceptable state to handle regulated data.

The requirements and security assessment procedures published in April 2016 within Payment Card Industry Data Security Standard (PCI DSS) version 3.2 described several best practices that will become mandatory starting Feb. 1, 2018. These controls are not intended to be deferred for the next validation or assessment, but to be implemented by that date. One of those requirements, 8.3.1, states that businesses must “incorporate multifactor authentication for all nonconsole access into the CDE for personnel with administrative access.”

What Is Multifactor Authentication?

Multifactor authentication (MFA) is a mechanism that requires users to present separate pieces of information — typically related to knowledge (something the user knows), possession (something the user has) and innate qualities (something the user is) — to gain access to privileged systems or accounts. For the PCI requirement, all administrative access to the cardholder data environment (CDE) infrastructure, application or database requires at least two different modes of authentication, which is commonly known as two-factor authentication (2FA). This elevates the difficulty for an attacker to compromise a system, thereby reducing risk.

In February 2017, the PCI Security Standards Council released an information supplement that described industry-accepted principles and best practices associated with MFA. It also offered guidance for organizations that are evaluating, implementing or upgrading MFA solutions and explained why multistep authentication methods are no longer enough to meet PCI compliance.

Multistep Versus Multifactor

The PCI requirement became simpler but more restrictive, since all factors must be verified prior to the authentication mechanism granting the requested access. Furthermore, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. If an unauthorized user can deduce the validity of any individual factor, it doesn’t really matter if a different factor is used for each step.

Let’s say that a CDE administrator is trying to log in to a system by Secure Shell (SSH) using a username and password. Once successfully validated, the console prompts him or her for a second factor, such as a one-time password (OTP) token. This process would be considered multistep authentication.

To be considered multifactor, the administrator should be able to provide the username, password and token at the same time. If access is denied, the system should do so without disclosing which factor was entered incorrectly.

PCI Compliance Leads to Improved Data Security

There are other security controls that will become mandatory in February 2018, such as 6.4.6, which declares that all PCI DSS requirements must be implemented for all new or changed systems and networks. There’s also, which requires businesses to conduct penetration testing of segmentation controls every six months.

These new standards show that PCI DSS is going beyond the compliance-only approach, urging businesses to implement better security measures to protect their systems, data and customers.

More from Banking & Finance

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today