#PCI DSS Requirement 8.3 – MFA – Mandated from 1st February 2018

News and information from the Advent IM team.

From Senior Security Consultant, Mark Jones

Assumption:

 

Readers already have an understanding of the PCI DSS and/or already compliant with the standard and Requirement 8.3.

The Issue:

 

Currently, under the PCI DSS v3.2 standard Requirement 8.3 Multi-Factor Authentication (MFA) it is only considered ‘best practice’ but from 1st February 2018 it will be mandated to maintain compliance for all users who have access to the Cardholder Data Environment (CDE) both locally and remotely. Recent versions of the standard required two factor authentication (2FA) for any untrusted, remote access into the CDE. The revised Requirement 8.3 requires organizations to extend multi-factor authentication to all users, whether in the office, or accessing systems remotely, as well as privileged access for administrators, so even if an organization already has 2FA for remote users, they will now need to extend to users accessing systems when in the office as well. A single password alone is not now enough to verify a user’s identity and grant access to sensitive information.

MFA under the standard is defined as (in addition to assigning a unique ID) as two or more of the following methods that is used to authenticate all users?

  • Something you know, such as a password or passphrase;
  • Something you have, such as a token device or smart card; and/or
  • Something you are, such as a biometric.

Note: Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication!

Who is affected:

The need to be compliant with 8.3 will apply to ALL Third Parties (including Vendors) who access the CDE remotely and those merchants who have (or are in the process of seeking) Attestation of Certification (AoC) with SAQs A-EP, B-IP, C and D (for Merchants and Service Providers).

It does not apply to holders of SAQs A, B, C-VT and P2PE AoCs.

 Things for businesses to consider:

With the industry-acknowledged ever increasing cyber threats and risks to business information and highly sensitive data such as Cardholder Data (CHD), it is vital that businesses have robust identity and authentication solutions in place to provide the necessary assurance to the Board, employees and its customers. When implementing MFA, the things businesses need to consider include:

  • Simplicity of implementation and future scalability;
  • Use with mobile, analytics and cloud-based services;
  • Mapping to the business risk and needs of users;
  • Centralised management, control and administration of all users and end points;
  • Integration with other security measures to further enhance protection.

A recent study[1] concluded that positive user experience of MFA is an important selection criteria across all use cases alongside trust and total cost of ownership. The use of a mobile phone as the token in a MFA solution for accessing high-risk privileged access is commonplace. Mobile biometric authentication methods such as the use of fingerprints are gaining use especially within mobile banking apps with other biometric modes such as the use of face, voice, and eyes beginning to appear in the market place. That said, smart cards and other public-key hardware tokens are the most technically mature and most popular alternatives to passwords for Windows PC and network login. Other options include the use of user certificates on the endpoint device that possibly takes advantage of in-built hardware protection (‘virtual smart card’).

Recommendations:

The referenced study included the following main recommendations:

  1. Use authentication methods that provide the necessary balance among trust (authentication strength and accountability), total cost of ownership and user experience; and
  2. Assess vendors for breadth of capability, experience and expertise in your market sector.

End Note – Other 2018 PCI DSS Change:

In addition to PCI DSS Requirement 8.3 moving from ‘best practice’ to being a mandated requirement with effect 1st February 2018,so  is Requirement 6.4.6:

 

‘Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable?’

PART 2 of  post

 

[1] Gartner’s Market Guide for User Authentication (23 November 2016)


 

Share this Post