Multistep Authentication Is No Longer Enough for PCI Compliance
Payment card industry (PCI) compliance has been a major concern for banking and e-commerce users. Providers need to satisfy several requirements to put their systems in an acceptable state to handle regulated data.
The requirements and security assessment procedures published in April 2016 within Payment Card Industry Data Security Standard (PCI DSS) version 3.2 described several best practices that will become mandatory starting Feb. 1, 2018. These controls are not intended to be deferred for the next validation or assessment, but to be implemented by that date. One of those requirements, 8.3.1, states that businesses must “incorporate multifactor authentication for all nonconsole access into the CDE for personnel with administrative access.”
What Is Multifactor Authentication?
Multifactor authentication (MFA) is a mechanism that requires users to present separate pieces of information, typically related to knowledge (something the user knows), possession (something the user has) and innate qualities (something the user is), to gain access to privileged systems or accounts. For the PCI requirement, all administrative access to the cardholder data environment (CDE) infrastructure, application or database requires at least two different modes of authentication, which is commonly known as two-factor authentication (2FA). This makes it harder for an attacker to compromise a system, thereby reducing risk.
In February 2017, the PCI Security Standards Council released an information supplement that described industry-accepted principles and best practices associated with MFA. It also offered guidance for organizations that are evaluating, implementing or upgrading MFA solutions and explained why multistep authentication methods are no longer enough to meet PCI compliance.
Multistep Versus Multifactor
The PCI requirement became simpler but more restrictive, since all factors must be verified prior to the authentication mechanism granting the requested access. Furthermore, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. If an unauthorized user can deduce the validity of any individual factor, it doesn’t really matter if a different factor is used for each step.
Let’s say that a CDE administrator is trying to log in to a system over Secure Shell (SSH) using a username and password. Once those are successfully validated, the console prompts him or her for a second factor, such as a one-time password (OTP) token. This process would be considered multistep authentication.
To be considered multifactor, the administrator should be able to provide the username, password and token at the same time. If access is denied, the system should do so without disclosing which factor was entered incorrectly.
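The single-step flow described above, as an added Python example that is not from the original article or from the PCI supplement: the verifier takes the username, password and OTP in one request, evaluates every factor, and returns one undifferentiated result. The account name, secrets and function names are hypothetical, and the OTP is assumed to be an RFC 6238 TOTP.

```python
import hashlib, hmac, struct, time

SALT = b"constructed-salt"  # constructed; real systems use a per-user random salt

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample account store (hypothetical names and secrets).
USERS = {"cde-admin": {"pw": pw_hash("correct horse"), "key": b"constructed-otp-secret"}}
# Stand-in record so an unknown username costs the same work as a known one.
DUMMY = {"pw": bytes(32), "key": bytes(20)}

def totp(key, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(username, password, otp, now=None):
    """Take all factors in one request, check every one, give one answer."""
    now = time.time() if now is None else now
    record = USERS.get(username, DUMMY)
    pw_ok = hmac.compare_digest(pw_hash(password), record["pw"])
    otp_ok = hmac.compare_digest(totp(record["key"], now).encode(), otp.encode())
    # Results are combined only after every factor was evaluated: no early
    # return, and the denial text does not say which factor failed.
    granted = (username in USERS) and pw_ok and otp_ok
    return "Access granted" if granted else "Access denied"
```

A multistep flow would instead return after the password check and prompt for the OTP only on success, which tells the caller the password was valid.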
PCI Compliance Leads to Improved Data Security
There are other security controls that will become mandatory in February 2018, such as 6.4.6, which declares that all PCI DSS requirements must be implemented for all new or changed systems and networks. There’s also 11.3.4.1, which requires businesses to conduct penetration testing of segmentation controls every six months.
These new standards show that PCI DSS is going beyond the compliance-only approach, urging businesses to implement better security measures to protect their systems, data and customers.