
PCI DSS v4.0 and Multi-Factor Authentication

PCI DSS

By Mary Fleming · Published 11 months ago · 6 min read

With the introduction of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), there has been a significant increase in the adoption of multi-factor authentication (MFA) to ensure PCI compliance. In this blog, we will explore the reasons behind the greater utilization of MFA and outline the key changes in requirements. Before delving into these aspects, let's start with the basics and define MFA. It is a process that requires users to provide two or more independent authentication factors to gain access to a system, account, or application, which is essential for maintaining PCI compliance. The most common form of MFA is based on the principle of "something you know" and "something you have." Many people are familiar with the two-step process of entering a password and then verifying their identity by submitting a one-time code received on their personal mobile device. The purpose of MFA is to enhance the security of user accounts by adding additional layers of authentication, making it more challenging for attackers to compromise them and ensuring compliance with PCI standards.
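The one-time code described above is usually a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app from a secret shared at enrollment. The following is an added example, not code from the original post: it shows the server side of that "something you have" factor, computing the expected code with HMAC-SHA1 over the current 30-second time step, tolerating one step of clock drift, comparing in constant time, and refusing to accept a code for a time step that has already been used. The secret is the RFC 6238 reference key (a constructed value for the example), and the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step used by common authenticator apps
DIGITS = 6

# Constructed enrollment secret (the RFC 6238 reference key "12345678901234567890", base32-encoded).
# A real deployment generates a random secret per user and shares it only once, at enrollment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 code for the time step containing unix_time (HMAC-SHA1 variant)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side of the 'something you have' factor: checks a submitted code against the
    user's secret, tolerates small clock drift, and refuses to accept a code twice."""

    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self.secret_b32 = secret_b32
        self.drift_steps = drift_steps
        self.last_accepted_counter = None   # highest time-step counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for counter in range(now_counter - self.drift_steps, now_counter + self.drift_steps + 1):
            if self.last_accepted_counter is not None and counter <= self.last_accepted_counter:
                continue   # replay protection: a step that already authenticated cannot be reused
            expected = totp_code(self.secret_b32, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp_code(DEMO_SECRET_B32, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay rejected:", verifier.verify(code, 59))
```

The drift window and the replay check pull in opposite directions: a wider window helps users whose phone clock is off, but every accepted code must then be remembered so the same code cannot be presented again within that window.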

What about MFA in relation to PCI DSS?

While multi-factor authentication (MFA) has been mentioned in previous versions of the PCI DSS, the extent of its references and requirements has changed significantly in version 4.0. In PCI DSS v3, MFA was only mandated in two specific scenarios: for administrative access to the cardholder data environment (CDE) and for remote access to the PCI scope from outside the organization's network. In practice, many organizations addressed the second requirement by implementing a jump box within their corporate network. Remote connections to the PCI scope were allowed solely from the jump box, effectively eliminating the need for remote access from outside their network.

However, with the release of PCI DSS v4.0, there has been a notable shift in the scale and scope of MFA requirements. The new version places a stronger emphasis on the implementation of MFA across various areas, expanding beyond the previous limited use cases. This signifies a recognition of the benefits of MFA in enhancing security and mitigating the risks of unauthorized access to cardholder data.

Why are we seeing increased requirements for MFA in v4.0?

There are two main factors contributing to the increased use of multi-factor authentication (MFA) in version 4.0 of the PCI DSS.

Firstly, the limited use of MFA in earlier versions was primarily due to practical challenges associated with deploying suitable MFA systems. Implementing MFA was often seen as difficult and cumbersome. However, with the proliferation of mobile devices and the availability of user-friendly apps, the process of implementing MFA has become significantly easier and more accessible for organizations.

Secondly, the Payment Card Industry Security Standards Council (PCI SSC) has introduced additional MFA requirements in response to the evolving security landscape and the need for stronger data protection measures. The increased use of cloud services and the surge in online transactions have heightened the risk of data breaches. Furthermore, cyber attackers have become more sophisticated in their methods. To address these challenges, organizations have recognized the need for stronger security measures, and MFA has emerged as an effective way to enhance security and protect payment card data.

The combination of improved technological capabilities and the need for enhanced security has led to the expanded adoption of MFA in PCI DSS v4.0.

So what new MFA requirements have been made with PCI DSS v4.0?

The introduction of PCI DSS v4.0 brings significant changes to the use of multi-factor authentication (MFA) in accessing the cardholder data environment (CDE).

The first major change is the requirement for MFA for all access to the CDE. This means that any user accessing a device within the CDE must utilize multiple factors for authentication. While there are exceptions for sales staff using point-of-sale (POS) or till devices, implementing MFA for CDE access should generally be straightforward. There are numerous MFA systems available on the market that integrate with Active Directory (AD), and the latest version of AD offers native support for Microsoft Authenticator. However, it does require careful implementation and proper configuration. Additionally, staff may require training to effectively use MFA.

The second significant change is the requirement for MFA in remote access that could potentially lead to access to the CDE. This means that if an account has the capability to access the CDE, MFA must be used when accessing it remotely, regardless of whether the user actually accesses the CDE during a particular session. Even in the jump-box scenario mentioned earlier, where remote connections are restricted to the PCI scope through a jump box, users logging into the jump box will still need to employ MFA if they have access to the CDE. Implementing MFA in this context is not complex, as previously explained.

It's worth noting that the requirement for MFA is becoming increasingly common in various security frameworks. For example, the UK government-backed Cyber Essentials scheme, primarily aimed at small and medium-sized businesses, now mandates some form of MFA for users of cloud services. This demonstrates the growing recognition of MFA as a standard security practice.

The need for a double dose of MFA

It is crucial to highlight that according to the Standard, the requirement for multi-factor authentication (MFA) for "any remote access" is distinct from the requirement for "access to the cardholder data environment (CDE)". This means that users logging in remotely to the CDE must undergo MFA twice, on separate occasions: once when they remotely log in and again when they log into the CDE device.

From a technical standpoint, implementing this dual MFA process is relatively straightforward. However, there may be challenges in terms of staff acceptance and engagement, as the process may be perceived as burdensome or time-consuming. Therefore, it is important to emphasize the increased risks associated with remote access to the CDE and to educate users about these risks. By raising awareness of the potential threats and emphasizing the importance of robust security measures, organizations can foster a stronger understanding among staff members and promote their buy-in to the MFA requirements.

Efforts to educate and communicate the rationale behind the increased MFA measures can help mitigate any potential resistance or reluctance from users. By emphasizing the criticality of protecting cardholder data and the potential consequences of security breaches, organizations can encourage staff members to recognize the importance of adhering to the MFA requirements for remote access to the CDE.

Is there any reduction in administrative burden?

A notable benefit of the MFA requirements in PCI DSS v4.0 is that accounts using MFA are no longer mandated to change passwords every 90 days, which is a relief during a PCI audit. This change acknowledges the challenges associated with enforcing frequent password changes: users often resist the practice, which can lead to weaker security, such as writing passwords down. By removing this requirement for MFA-protected accounts, organizations shed the burden of regular password changes and the risks that come with them.
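The rules in the "double dose of MFA" section and the password-change exemption above can be expressed as a small access-policy check. The following is an added example, not code from the original post and not the wording of the Standard itself: it models only the three rules the post states (MFA at every CDE device login, with the POS/till exception; MFA at the remote entry point for any account that could reach the CDE, whether or not the session touches it; and the 90-day password rotation applying only to accounts without MFA). The two MFA flags are evaluated independently, which is exactly the point of the section: MFA completed at the VPN or jump box does not satisfy the separate CDE device login. The class and field names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List

PASSWORD_MAX_AGE_DAYS = 90   # rotation interval from which MFA-protected accounts are exempt


@dataclass
class Account:
    name: str
    can_reach_cde: bool           # entitled to log into devices inside the CDE
    mfa_enrolled: bool            # has a second factor enrolled
    password_age_days: int
    pos_till_user: bool = False   # sales staff whose CDE access is a POS/till device


@dataclass
class LoginAttempt:
    account: Account
    remote: bool                       # session originates outside the organization's network
    target_in_cde: bool                # the device being logged into is in the CDE
    target_is_pos_till: bool = False
    mfa_at_remote_entry: bool = False  # MFA completed at the VPN / jump-box entry point
    mfa_at_target: bool = False        # MFA completed at the target device's own login


def evaluate(attempt: LoginAttempt) -> List[str]:
    """Return the names of the rules this attempt breaks (empty list = compliant)."""
    acct = attempt.account
    violations: List[str] = []

    # Rule 1: all access to a CDE device needs MFA at that device, except sales staff on POS/till devices.
    pos_exception = acct.pos_till_user and attempt.target_is_pos_till
    if attempt.target_in_cde and not pos_exception and not attempt.mfa_at_target:
        violations.append("cde-access-without-mfa")

    # Rule 2: any remote access by an account that could reach the CDE needs MFA at the entry point,
    # whether or not this session goes on to touch the CDE. MFA done later at the target does not count.
    if attempt.remote and acct.can_reach_cde and not attempt.mfa_at_remote_entry:
        violations.append("remote-access-without-mfa")

    # Rule 3: password-only accounts must still rotate every 90 days; MFA-enrolled accounts are exempt.
    if not acct.mfa_enrolled and acct.password_age_days > PASSWORD_MAX_AGE_DAYS:
        violations.append("stale-password-without-mfa")

    return violations


def double_dose_scenario() -> List[List[str]]:
    """Constructed scenario: an engineer with CDE rights logs in remotely to the jump box, then from
    the jump box to a CDE server. The first hop satisfies only the remote-access rule; the second
    hop needs its own MFA at the CDE device."""
    admin = Account("admin", can_reach_cde=True, mfa_enrolled=True, password_age_days=200)
    hop1 = LoginAttempt(admin, remote=True, target_in_cde=False, mfa_at_remote_entry=True)
    hop2_no_mfa = LoginAttempt(admin, remote=False, target_in_cde=True)
    hop2_with_mfa = LoginAttempt(admin, remote=False, target_in_cde=True, mfa_at_target=True)
    return [evaluate(hop1), evaluate(hop2_no_mfa), evaluate(hop2_with_mfa)]


if __name__ == "__main__":
    for hop, result in zip(("jump box", "CDE server, no MFA", "CDE server, MFA"), double_dose_scenario()):
        print(f"{hop}: {result or 'compliant'}")
```

Note that the 200-day-old password on the MFA-enrolled account in the scenario raises no violation, while the same age on a password-only account would; that is the administrative relief the post describes.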

In summary, the MFA changes introduced in v4.0 are a positive step for both security and PCI compliance. With MFA applications now widely available, implementing these requirements should be relatively straightforward. MFA adds an extra layer of authentication to user access, reducing the risk of unauthorized access and data breaches and thereby satisfying the corresponding audit requirements. Overall, embracing MFA aligns with industry best practice and contributes to a more robust security posture.

Want to learn more about other key changes being introduced by PCI DSS v4.0?

To register for our upcoming webinar, "PCI DSS - Preparing for v4.0," scheduled for Wednesday, February 22, please provide your contact information in the form below. We will send you a confirmation email with further details and instructions on how to join the webinar. Thank you for your interest, and we look forward to your participation!


About the Creator

Mary Fleming

I'm an experienced consultant skilled in Payment Card Industry Data Security Standard (PCI DSS). Strong consulting professional with a Master of Science (MSc) focused in Information Management and Security.



    © 2024 Creatd, Inc. All Rights Reserved.