PCI Multi Factor Authentication Requirements and Checklist

Multi-factor Authentication (MFA) is a security system that requires multiple credentials to authenticate the user. Instead of just a username and password, MFA needs additional passwords such as user device code, security question response, fingerprint, or face recognition.

Multi-factor Authentication (MFA) aims to provide a higher security and authentication level for users trying to access a resource such as physical location, mobile device, network, or database. In this way, MFA’s use provides a multi-layered system that an unauthorized person must breach to access the system.

The PCI DSS requires multi-factor authentication (MFA) mechanism for remote access to the Cardholder Data Environment (CDE).

What are the Authentication Factors?

The MFA authentication process must include two or more of the three authentication methods specified in PCI DSS Requirement 8.2. The authentication factors identified for MFA are as follows:

  1. Something you know, such as a passphrase or a password. This method involves verifying user-provided information such as password, PIN, or confidential question answer.
  2. Something you own, such as a token device or smart card. This method involves verifying a particular item held by a person, such as a physical or logical security token, a one-time password (OTP), key, access card, or SIM card for the phone. For mobile authentication, an ownership item is usually provided by a smartphone combined with OTP software or a device containing cryptographic content.
  3. Something you are like biometrics. This method includes verification of human-specific features such as retinal scans, iris scans, fingerprint scans, finger vein scans, face recognition, voice recognition, and hand geometry.

Other types of information, such as geographic location and time, may be included in the authentication process. Still, at least two of the three variables mentioned above must always be included for authentication to be multi-factor.

Using multiple factors in authentication will further reduce the risk of account hijacking or malicious behavior. In short, for authentication to be multifactorial, it must provide at least two of the factors of something you have, something you know, and something you have.

You can find application examples of multi-factor authentication below:

At the ATM: To withdraw money from the ATM, you must insert your card and enter your PIN code. This example uses the factors “Something you have” (debit card) and “Something you know” (PIN).

In the workplace: To gain access to a data center’s sensitive areas, an employee must scan their ID card and fingerprint. This example uses the factors “something you have” (ID card) and “something you have” (fingerprint).

How to Ensure the Independence of Authentication Mechanisms?

Authentication methods used for MFA should be such that exposure to one factor does not allow access to another direction. Also, the misuse of any element should be separate from each other to not affect the integrity or confidentiality of other factors.

For example, if the same set of credentials such as username and password are used as an authentication factor and gain access to an email account to which a secondary factor such as a one-time password is sent, these factors are not independent.

Similarly, the digital certificate secured with the same credentials used to log on to a laptop computer and stored on the same computer is not independent.

To maintain factor independence, access to one factor should not automatically enable access to an additional element. For example, if you want to use the laptop login name and an open SSH key certificate file on the same laptop, this will not provide factor independence. With a setup like this, you’ll need more server-side verified factors like Google authentication.

What is Out-of-Band Authentication?

Out-of-band (OOB) authentication refers to authentication processes in which their mechanisms are distributed over different networks or channels. In other words, factors transmitted through separate, secure tracks are defined as “out-of-band authentication.”

In cases where authentication factors are transmitted over a single channel, a malicious user who takes control of the device will have the ability to bypass all authentication factors.

Care should be taken when using a smartphone or other device to establish a remote connection via a VPN or SSH. If you use the same tool to sign in and get a one-time password or google authorization, this factor takes away your independence.

Also, be aware of who owns such a device. If your text message notifications pop up and appear automatically on your phone screen, you may accidentally show someone your second-factor information.

Previously, forwarding a one-time password (OTP) to a smartphone was seen as an efficient out-of-band process. However, OTP’s effectiveness as a secondary factor is effectively overridden when the same device is used to send the OTP.

The out-of-band authentication system is an additional control that can improve the multi-factor authentication security level. Extra security measures should be developed to determine that the person using authentication in out-of-band communication is the authorized user who has the authentication factor.

How to Protect Authentication Factors?

To prevent misuse of authentication mechanisms, it is first necessary to protect authentication data integrity and confidentiality. The controls outlined in PCI DSS Requirement 8 are intended to safeguard authentication data from unauthorized access and use. For example:

  • Passwords and other “something you know” must be difficult to guess or protected from brute force attacks.
  • Biometric and other “something you are” must be protected from unauthorized repetition or use by others accessing the device where the data is being stored.
  • Smart cards, electronic certificates, and other “things you have” should not be exchanged and should be protected from being copied or seized by unauthorized persons.

Any authentication element is connected to a device; additional controls should be available to reduce the risk of compromising the system.

Whatever your factor is, you must protect it. If your element is “something you know,” you should use strong password policies. If your factor is biometric data or “something you are,” you must make sure that it cannot be duplicated. If your element is “something you have,” make sure you do not share this data with anyone else, for example, your colleagues.

What are the Differences between Multi-step and Multi-Factor Authentication?

The terms multi-factor authentication and multi-step authentication are often confused or used interchangeably. However, these two authentication methods have different functions, and understanding the difference between them is also very important for access security.

Multi-factor authentication (MFA) refers to the use of multiple forms of authentication. A minimum of two different factors should be used for authentication. In case attackers steal your password, they must also go through a completely different authentication method to gain access.

For example, there are two types of factors in facial recognition and password authentication used on phones. What a user has (face), and something known to the user (password) is used for authentication. Therefore, this form of authentication could technically be called an MFA.

Commonly used username and password authentication methods fall under the single-factor authentication (SFA) method because the username and password are both parts of the same category. Because in this case, each username and password are also pieces of information known to the user.

There are multiple steps in multi-step authentication. However, the steps use the same form of authentication. Using only two steps instead of different factors in authentication is called two-step authentication.

Scenarios such as using two different passwords to authenticate on a device or using two forms of biometric authentication, such as retinal scanning and fingerprinting on a system, are examples of multi-step are not the same as multi-factor authentication.

Multi-factor authentication is more secure than multi-step authentication. To gain access to any of your devices, malicious people need to access your personal information, own a physical item, or impersonate your biometric data.

PCI DSS requires that all authentication factors be verified before authentication. Besides, the user should not be informed about the success or failure of any element until all matters have been identified.

If an unauthorized person gains any authentication factor, the final authentication process will become a single factor authentication step, even if a different factor is used for each phase.

For example, if a person is successfully verified in the first verification factor and then uses the same or similar credentials in the second verification factor, this is called “multi-step” authentication.

A multi-step and multi-factor authentication mechanism can be used in the same environment. For example, an individual might perform an authentication step to log into a device to gain access to the CDE before initiating a separate MFA process.

An example of this situation is a remote access user entering his password to log into a company laptop. In such access, the individual can establish a VPN connection to the organization’s network using a combination of credentials and a physical smart card or hardware token.

PCI Multifactor Authentication Checklist

See Also: PCI DSS Requirement 8 Explained

PCI DSS requires the use of MFA for remote access and console external administrator access. Therefore, understanding the six MFA points below will help you prepare for your next PCI compliance check.

MFA is mandatory for managers.

Administrators should always use MFA per PCI DSS 8.3.1 requirement for non-console access to the cardholder data environment (CDE). PCI SSC defines non-console accesses as accesses to the system component over a network interface rather than through a direct physical connection. This includes all access from internal, external, or remote networks.

Non-administrators may also need to use MFA.

MFA must also be used for remote connections to the cardholder data environment (CDE) under PCI DSS requirement 8.3.2. This includes administrative or non-administrative staff and third-party users who have remote access to your network.

It is necessary to use at least two of the three authentication factors.

You must use at least two of the three authentication mechanisms allowed under PCI DSS Requirement 8.2.

  • Something you know, such as a password
  • Something you own, such as a Token device or a smart card
  • Something you are, a biometric such as your fingerprint

For Multi-Factor Authentication, you can use additional authentication factors such as geographic location and time, but still, need to use at least two of the three factors offered.

Authentication methods should not be interconnected.

Users who authenticate using one method should not be able to access the second authenticator automatically. This precaution is to prevent one factor from endangering another.

For example, using the same login credentials on the email account to which the one-time password used as the second authentication factor to verify network access is sent means that the methods are interlinked.

Mechanisms for authenticating should be independent of one another. Such access to one factor should not grant access to another, and compromising any aspect should not affect the integrity or confidentiality of other factors.

Multi-factor authentication is more powerful.

The more factors used during the authentication process, the more assurance the user is who he claims to be. It is not uncommon for users to choose weak passwords easily guessed or brute-forced or have already been leaked due to database breaches.

Authentication through a single channel reduces multi-factor authentication effectiveness, such as entering credentials on the same computer from which you received the one-time password, according to the PCI Security Standards Council (SSC) guidelines.

PCI SSC recommends using out-of-band (OOB) authentication to increase the MFA assurance level. Authentication methods are distributed with OOB through different channels. Thus, a user cannot use a compromised device to access networks.

All factors must be validated.

Successful single-factor authentication is not sufficient to maintain compliance with PCI’s current MFA requirements. Until access is granted, all factors must be verified.

Therefore, PCI DSS requires the user not to have prior knowledge of the success or failure of any factor until all factors are presented.

Can I use a jump box to fulfill the PCI MFA requirement?

You can implement a jump box where all users must use MFA before connecting to the CDE. The jump box is the server that creates a buffer between you and the network.

Instead of logging in directly to the CDE, users are first directed to the jump box and then to the CDE. Businesses often use jump boxes to get into their CDEs without using multi-factor authentication for each component.

Usually, the jumper is the endpoint for all SSH and other secure end-user connections between CDE and non-CDE. Depending on how the jump box is implemented, you will have another secure connection between end-users other than CDE and the jump box like RDP, SSH, and TLS.

Which applications should have multi-factor authentication?

Below is a sample list of applications that require multi-factor authentication:

  • Remote access technologies
  • Cloud storage used for sensitive documents
  • Email accounts
  • Cloud computing management interfaces
  • Hosting services
  • Password management tools
  • Any account with access to sensitive information

It should be noted that multi-factor authentication is an additional security layer that must be applied to all your sensitive data.

What is the future of authentication?

Two-factor or multi-factor protection is, of course, not perfect, but it will make a hacker’s job more difficult. The primary purpose of multi-factor authentication is to create an additional protective layer for your data.

Multi-factor authentication will invalidate single-factor passwords in the future. Moreover, there will be many more options for second-factor authentication, such as vein scanners and microchip implants.

In the future, perhaps the attackers will become so complicated that the new norm will be three-factor authentication. However, many factors are one of the applications that companies can and should do to provide more security.

For detailed information, you can review the PCI SSC Information Supplement: Multifactor Authentication Guidance.

Surkay Baykara
Surkay Baykarahttps://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

The Controversy and Importance of Ethical Hacking

Ethical hackers are essentially people who can use the same techniques as cyber criminals, but they do not use them to steal information.

VPN uses: 7 things you didn’t know a VPN could do

Virtual Private Networks, or VPNs, are mostly used for online privacy. But they are much more than that and can help you in various situations.

Understanding the Criminal’s Mind: Why You Must Be Careful Online

This article overviews the most common and most dangerous online crime methods and the people behind them.

Related posts

Latest posts

The Controversy and Importance of Ethical Hacking

Ethical hackers are essentially people who can use the same techniques as cyber criminals, but they do not use them to steal information.

VPN uses: 7 things you didn’t know a VPN could do

Virtual Private Networks, or VPNs, are mostly used for online privacy. But they are much more than that and can help you in various situations.

Understanding the Criminal’s Mind: Why You Must Be Careful Online

This article overviews the most common and most dangerous online crime methods and the people behind them.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!