After more than 10 years in existence, the PCI Data Security Standard (PCI DSS) is globally recognized and accepted as a mature industry standard. It’s most recent iteration -- PCI DSS version 3.2 -- focuses on confirming that security controls are in place and operating effectively, and that processes are followed throughout the year and not just during the annual validation. PCI DSS 3.2 aims to help organizations focus attention on critical controls, make improvements that will help mitigate current points of attack, and evaluate opportunities for devaluing card data.
Multi-factor authentication – or MFA -- is one of these critical controls for defending against the myriad of threats to account data. One of the most significant changes in PCI DSS 3.2 is the expansion of PCI DSS Requirement 8.3, which requires the use of multi-factor authentication for administrators accessing the cardholder data environment.
Compromise after compromise show that whatever method a hacker uses to get in to a company’s network, their goal is to find any device on which they can gain administrative rights. Once they have that, they can move throughout the network, gaining administrative rights on more and more machines until they find the cardholder data. The recent 2016 Verizon Data Breach Investigation Report notes that breaches took advantage of static, single-factor authentication, with attackers working even harder to compromise valid credentials to access environments.
Multi-factor authentication (MFA) provides additional assurance that the individual attempting to gain access is who they claim to be.
Going one step further
The PCI DSS has always required that any untrusted, remote access into the cardholder data environment use multi-factor authentication. With version 3.2 we’re taking it one step further to help organizations protect against both internal and external actors. With PCI DSS 3.2, MFA is also required for personnel with non-console administrative access into the cardholder data environment – even where that access originates from within an organization’s trusted network.
Required use of MFA will encourage companies to implement strong access control measures so that authorized individuals with network and computer administrative access can be monitored and traced. Examples of factors include something you know, such as a password or passphrase; something you have, such as a hardware token or smart card; or something you are, such as a biometric.
Organizations have until have until January 31, 2018 to deploy MFA. As of February 1, 2018 it will be a requirement of PCI DSS, not simply a recommended “best practice.”
Making the Move to MFA
It’s critical for organizations to understand that this requirement applies to all non-console administrative access into the cardholder data environment, even from within a company’s own network. The requirement applies to any administrator, third party or internal individuals who have the ability to change systems and other credentials within that network to potentially compromise the security of the environment. For example, depending on the particular operating system and organizational structure, it could apply to functions or titles such as “superuser,” “root,” “administrator,” “admin” “sysadmin” or “supervisor-state.”
This requirement is intended for authentication of personnel – it does not impact machine authentication where one system is communicating with another – nor will it impact administrators accessing directly from the console.
As a first step, organizations should review how they are currently managing authentication into their cardholder data environment, and review the current administrator roles and access methods to identify where changes to authentication may likely be impacted by this new requirement.
MFA can be performed either at the network level or system level. One common approach is to consolidate administration points into the cardholder data environment (CDE), for example via a jump server. Consolidation offers several benefits including fewer (or just one) points to manage the multi-factor authentication and centralized management and monitoring of all administrative access into the CDE.
The incremental revisions in 3.2 provide an opportunity to address a few critical security risks, starting with administrative access into the cardholder data environment, and evaluate approaches for how best to accept payments securely in the future. Where organizations are able to devalue card data with technologies like point-to-point encryption and tokenization, PCI DSS efforts can be more focused, compliance reporting more concentrated and most importantly, areas where cardholder data must still be used can be better monitored and protected.