PCI SSC issues multi-factor authentication guidance

Attackers continue to compromise valid credentials to access company networks and steal data. To help organizations combat this growing threat, the PCI Security Standards Council (PCI SSC) has issued guidance on what it considers the proper use of multi-factor authentication for preventing unauthorized access to computers and systems that process payment transactions.

Multi-factor authentication (MFA) is widely used across industries as a security best practice for verifying users before granting access to a network or system. In addition to an identifier (such as a unique username), the method requires an individual to present at least two independent authentication factors, such as a password (something the user knows) plus a one-time passcode generated by a token or phone app (something the user has), before access is granted.
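As an added illustration of the password-plus-one-time-passcode scheme described above, the following Python script (written for this page; it is not code from the PCI SSC, the guidance, or the article) verifies a salted password hash and an RFC 6238 time-based one-time passcode together. The user record, password, salt and timestamps are constructed for the example; the TOTP secret is the RFC 6238 test-vector key so the generated codes can be checked against the RFC. Function and parameter names are assumptions. Both factors are evaluated before any result is returned, every candidate time step is compared in constant time, and a matched time step is accepted only once.

```python
"""Two-factor check: salted PBKDF2 password hash plus an RFC 6238 TOTP code.

Added example for this page, not PCI SSC code. Names, parameters and the
sample user record are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30        # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
DRIFT_STEPS = 1       # accept one step of clock skew either side
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // TOTP_STEP)


def matching_counter(secret: bytes, code: str, unix_time: int):
    """Return the time step whose code matches the submitted code, or None.

    Every candidate step within the drift window is checked with a
    constant-time compare; the loop never returns early.
    """
    base = unix_time // TOTP_STEP
    found = None
    for counter in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            found = counter
    return found


def make_user(password: str, totp_secret: bytes, salt=None) -> dict:
    """Constructed user record: salted PBKDF2 hash, shared TOTP secret, last accepted step."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret, "last_counter": -1}


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Grant access only when both factors pass.

    Both factors are computed before any decision is taken, so a wrong
    password does not short-circuit and reveal which factor failed. A TOTP
    time step is accepted once (replay protection) and recorded only on a
    fully successful login.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    counter = matching_counter(user["totp_secret"], code, unix_time)
    totp_ok = counter is not None and counter > user["last_counter"]
    if password_ok and totp_ok:
        user["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector key; the password and salt are constructed for the demo.
    secret = b"12345678901234567890"
    user = make_user("correct horse", secret, salt=b"\x00" * 16)
    now = 59
    print("code for t=59:", totp(secret, now))                    # 287082 per RFC 6238
    print("login:", authenticate(user, "correct horse", "287082", now))
    print("replay of same step:", authenticate(user, "correct horse", "287082", now))
```

The script covers only the server-side verification step. Enrolment of the shared secret, its storage, rate limiting and account lockout are separate controls and are not shown; in particular a real deployment must persist `last_counter` so a captured code cannot be replayed against another server instance.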

The PCI Data Security Standard (PCI DSS) has always required MFA for remote access originating from outside a company’s network. Effective 1 February 2018, MFA will also be required for all administrative personnel with non-console access (access administered or managed over a network rather than at the machine’s physical console) to computers and systems in the cardholder data environment, the systems that store, process or transmit cardholder data. The requirement was introduced in PCI DSS v3.2 as requirement 8.3.1 and is considered a best practice until that date.

“Multi-factor authentication prevents use of a password alone to verify a user, thereby providing assurance that users are who they claim to be. As with any security control, however, it is only as good as its implementation,” said PCI SSC Chief Technology Officer Troy Leach. “This guidance will help organizations using, evaluating or upgrading an MFA solution understand how to implement it properly and securely.”

The Multi-Factor Authentication Information Supplement sets out industry-accepted principles and best practices for implementing MFA securely, and includes considerations for common implementation scenarios.

“As criminals continue to target valid credentials, authenticating the user, the payment transaction and the integrity of the payment instrument will become increasingly important to protect. The security principles in this document provide guidance to ensure payments and supporting technology are being used as intended and provide a roadmap for future security considerations,” said PCI SSC General Manager Stephen W. Orfei.

Categories: Security
