Multi-factor authentication requires the use of at least two of the three authentication factors as described in PCI DSS Requirement 8.2: 1) Something you know, such as a password, PIN or the answer to secret questions, 2) Something you have, such as a token device or smartcard and 3) Something you are, such as a biometric
The sector is already fully aware of this definition, but they still struggle with how to implement these different authentication factors.
On February 1, 2018, Requirement 8.3 of the Payment Card Industry Data Security Standard (PCI DSS 3.2) goes into effect, making multi-factor authentication mandatory for non-console access to computers and systems handling cardholder data, and remote access to the cardholder data environment (CDE). Earlier this year, the PCI Security Standards Council also issued guidance for multi-factor authentication implementations.
PCI DSS 3.2
The PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. It also applies to all other entities that store, process or transmit cardholder data or sensitive authentication data.
Since the release of the PCI DSS, two major releases have been made, version 2.0 in November 2010 and 3.0 in October 2013. The most recent sub-release, version 3.2, was published in April 2016 and introduces a few new requirements that are considered best practices until January 31, 2018, after which they become mandatory requirements. These changes ensure that the standards are up to date with emerging threats and changes in the market. The most significant change is the revised Requirement 8.3 regarding multi-factor authentication.
Some of these changes come in response to major hacking incidents in the U.S., including the Target and Home Depot data breaches where hackers obtained names, credit card numbers and other information about millions of people. The 2013 Target breach alone compromised 40 million customers’ payment card information and partially exposed another 70 million. After a long investigation, Target will pay $18.5 million in a security breach settlement. The retailer has spent $202 million on legal fees and other costs since the breach.
Requirement 8.3 and Multi-Factor Authentication
The first change to Requirement 8.3 is the introduction of the term “multi-factor authentication” rather than the previous term “two-factor authentication”, as two or more factors may be used. By changing this terminology, two factors of authentication becomes the minimum requirement.
The second and major change is to expand Requirement 8.3 into two sub-requirements, to require multi-factor authentication for all personnel with non-console administrative access, and all personnel with remote access to the CDE.
New Requirement 8.3.1 addresses multi-factor authentication for all personnel with non-console administrative access to the CDE, where “non-console access” refers to logical access that occurs over a network rather than via a direct physical connection, including access from within internal networks as well as access from external or remote networks.
New Requirement 8.3.2 incorporates the former Requirement 8.3, and addresses multi-factor authentication for all personnel with remote access to the CDE. This requirement is intended to apply to all personnel – including general users, administrators and vendors (for support and maintenance) with remote access to the network – where that remote access could lead to access to the CDE.
Multi-factor authentication requires the use of at least two of the three authentication factors as described in PCI DSS Requirement 8.2:
The sector is already fully aware of this definition, but they still struggle with how to implement these different authentication factors.
The PCI SSC also mentions other factors: “Other types of information, such as geolocation and time, may be additionally included in the authentication process; however, at least two of the three factors identified above must always be used. For example, geolocation and time data may be used to restrict remote access to an entity’s network in accordance with an individual’s work schedule. While the use of these additional criteria may further reduce the risk of account hijacking or malicious activity, the remote access method must still require authentication via at least two of the following factors: something you know, something you have, and something you are.”
The MFA should be implemented with authentication mechanisms that are independent of each other, to avoid that access to one factor does grant access to any other factor, and the compromise of one factor does not affect the integrity or confidentiality of any other factor.
Some of the pitfalls described by the PCI SSC:
To avoid any misuse of the authentication factors, they need to be protected from unauthorized access and use, as defined in PCI DSS Requirement 8. In addition, “where any authentication elements rely on a multi-purpose consumer device – e.g. mobile phones and tablets – controls should also be in place to mitigate the risk of the device being compromised.”
PCI DSS requires that all factors in multi-factor authentication are verified together, prior to obtaining access to the system. If a user can obtain the knowledge of the success or failure before all factors have been submitted, the overall authentication process becomes a multi-step, single-factor authentication, even if a different factor is used for each step. This is not compliant with the multi-factor authentication requirement.
In the last section of this Information Supplement, the PCI SSC describes four multi-factor authentication scenarios that clarify the different conditions for the authentication factors and how best to implement them.
With less than three months before the PCI DSS Requirement 8.3 takes effect, it is time for action. I am convinced the Information Supplement – Multi-Factor Authentication version 1.0 is a good starting point as you prepare to review, implement or upgrade your multi-factor authentication solutions.
As a Gold Partner of the event, Vasco will be presented at PSD2, New Business Models – Fintech Banking Summit, which takes place on 28 & 29 of November at Romanian Banking Institute, in Bucharest. The company will be represented by ALEXANDER KUZNETSOVBUSINESS SOLUTIONS MANAGER.
More details regarding speakers and tickets can be found on the web platform of the event, www.nocashevents.ro: “European payment landscape is changing. Be ready!”
Source: Vasco Data Security
Banking 4.0 – „how was the experience for you”
„So many people are coming here to Bucharest, people that I see and interact on linkedin and now I get the change to meet them in person. It was like being to the Football World Cup but this was the World Cup on linkedin in payments and open banking.”
Many more interesting quotes in the video below: