For PCI, Multi-Factor Authentication Is Now Required for Everyone…and You Better Hurry

The “Payment Card Industry Data Security Standard” (PCI DSS) has long been a security and compliance driver for merchants, banks, hospitals, governments and anyone else that handles payment card information. PCI DSS standards are very prescriptive on what is expected in order to secure payment card data at rest and in motion, and also to require individual accountability while limiting access to only those with a need to know. Recently, the PCI council announced the latest release of PCI DSS version 3.2. This update includes 47 total clarifications, eight evolving requirements and three additional items of guidance. One of the evolving requirements now specifically requires multi-factor authentication (MFA) into the cardholder data environment (CDE).

It turns out that requirement eight, “Identify and authenticate access to system components,” has actually required MFA since version 1.0, but only for remote access from external networks into the CDE. However, PCI DSS 3.2 requirement 8.3 now requires multi-factor authentication for all personnel with administrative access, not just personnel with remote access to the CDE.

Troy Leach, PCI Security Standards Council Chief Technology Officer, clarifies this further by stating:

[A] significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network…The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.

This is a significant change because the PCI council is now reflecting the real-world fact that even our internal networks and users need to employ additional layers of protection. As discussed in previous posts, compromised credentials are the leading vector of cyber attacks. That is why a single password by itself can no longer be considered adequate protection, as reflected in this new PCI requirement.
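To make the scope change concrete, here is an added audit example (not code from Centrify or the PCI council) that runs over a few constructed authentication records and flags sessions that would fail requirement 8.3. The CDE host list, the internal address ranges and the log format are all assumptions made for the example; the only difference between the “3.1” and “3.2” modes is the new rule that administrative access into the CDE needs MFA even when it originates inside the network.

```python
"""Flag authentication records that lack MFA where PCI DSS 8.3 requires it.

Added example with constructed data. Assumptions: a known set of CDE hosts,
a list of internal network ranges, and a simple CSV log format.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumption: these hostnames are inside the cardholder data environment.
CDE_HOSTS = {"pos-db-01", "card-gw-02"}

# Assumption: anything in these ranges is "inside the network"; everything
# else is treated as remote access from an external network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records (not real log data). 203.0.113.x and
# 198.51.100.x are documentation ranges used here to stand in for the Internet.
SAMPLE_LOG = """\
ts,user,host,source,role,mfa
2016-05-01T09:00:00Z,alice,pos-db-01,10.20.0.5,admin,no
2016-05-01T09:05:00Z,bob,pos-db-01,203.0.113.7,user,no
2016-05-01T09:10:00Z,carol,card-gw-02,10.20.0.9,user,no
2016-05-01T09:15:00Z,dave,card-gw-02,198.51.100.4,admin,yes
2016-05-01T09:20:00Z,erin,intranet-wiki,10.20.0.11,admin,no
2016-05-01T09:25:00Z,frank,pos-db-01,10.20.0.12,admin,yes
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    reason: str


def is_internal(source: str) -> bool:
    """True when the source address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in INTERNAL_NETS)


def mfa_required(role: str, internal: bool, host: str, version: str = "3.2") -> bool:
    """Decide whether requirement 8.3 demands MFA for this session.

    - Access to hosts outside the CDE is out of scope for this check.
    - Remote access into the CDE from outside the network has needed MFA
      for all personnel since PCI DSS 1.0.
    - From 3.2 on, administrative access into the CDE needs MFA even from
      inside the network.
    """
    if host not in CDE_HOSTS:
        return False
    if not internal:
        return True
    return version == "3.2" and role == "admin"


def audit(log_text: str, version: str = "3.2") -> list:
    """Return a Finding for every record that needed MFA but did not use it."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        internal = is_internal(row["source"])
        if mfa_required(row["role"], internal, row["host"], version) and row["mfa"] != "yes":
            reason = ("internal administrative access into CDE without MFA"
                      if internal else "remote access into CDE without MFA")
            findings.append(Finding(row["ts"], row["user"], row["host"], reason))
    return findings


if __name__ == "__main__":
    for ver in ("3.1", "3.2"):
        print(f"PCI DSS {ver}:")
        for f in audit(SAMPLE_LOG, ver):
            print(f"  {f.ts} {f.user}@{f.host}: {f.reason}")
```

Running it shows the gap the post is describing: under the 3.1-style rule only bob’s external login without MFA is flagged, while under 3.2 alice’s password-only administrative login from the internal network is flagged as well; carol (non-admin, internal) and erin (admin, but not a CDE host) are untouched by either rule.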

Centrify has helped countless companies improve PCI compliance with capabilities such as:

  • Privileged Access Security for restricting access to the CDE to those with a need to know, proactively managing system passwords and eliminating vendor supplied defaults.
  • Identity Consolidation to ensure individual accountability and assign a unique ID to each person with access.
  • Audit and Compliance to track, monitor and record all access to network resources and cardholder data.
  • Isolation and Encryption to ensure firewall configuration to protect cardholder data and to encrypt transmission of cardholder data across open, public networks.

Importantly, Centrify also provides:

  • Multi-factor Authentication for any personnel, local or remote, with administrative access into the cardholder data environment (CDE), even if they are within a trusted network.

MFA Everywhere

In fact, Centrify has the ideal solution for providing MFA into PCI systems and applications by leveraging users’ mobile devices for hassle-free MFA. Choose from push notifications, secure OTP, SMS, email, voice and more. You can even augment the solution with adaptive, step-up and customized per-app MFA policies.

Not only that, but users love the MFA experience that Centrify provides: easy one-click access for end users and centrally managed access for IT.

But why band-aid the problem with MFA for just access to your CDE? This puts up productivity hurdles for your users and leaves gaps in your security posture. Instead, look to enforce a single MFA policy across all of your internal and external users and across your servers, apps and devices, regardless of whether they are on-premises or in the cloud. Only Centrify secures access to both IT infrastructure and apps for all users in an increasingly cloud and mobile world.

Centrify protects against the leading point of attack used in data breaches, compromised credentials, by securing an enterprise’s internal and external users as well as its privileged IT accounts. Centrify delivers stronger security, continuous compliance (including PCI DSS 3.2) and enhanced user productivity across an enterprise’s on-premises servers, apps and networks as well as its mobile, IaaS and SaaS environments through single sign-on (SSO), MFA, mobile and Mac management and privileged access security.

The time to adopt MFA across your entire enterprise is now. 

Not just because the new PCI 8.3 multi-factor requirement must be in place in the next 18 months.

Not just because the White House is encouraging everyone to move beyond just passwords. 

But, because it is the right thing to do to protect your business, to protect your job and, most importantly, to protect your customers.