The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure organizations that accept, process, store or transmit payment card data do so in a secure manner. A key change with PCI DSS v4.0 are the new requirements related to multi-factor authentication (MFA). MFA is a security mechanism requiring users to provide two or more forms of authentication to gain access to a system or application. Whereas a username and/or password would traditionally be considered sufficient to gain access, MFA requires at least two of the following forms of authentication: something you know (e.g., a username/password), something you have (e.g., a digital or physical token) and something you are (e.g., biometric such as a fingerprints, facial recognition or voice recognition). Although the requirement to leverage MFA is not new to PCI DSS v4.0, the new standard provides much-needed guidance on how and where this technology must be used to protect the cardholder data environment.
As with the former standard (v.3.2.1), v.4.0 requires MFA for all non-console administrative access to any payment systems or devices in the cardholder data environment; this includes both remote access to the entity network as well as access through external service providers. However, the new standard mandates MFA be implemented for all individual access to cardholder data rather than just personnel with administrative access.
In addition to expanding MFA requirements, PCI DSS v.4.0 provides new guidance on the use of biometrics and other authentication methods. While the new standard recognizes that biometrics can provide a high level of security, it also takes into consideration they can be vulnerable to certain types of attacks, such as spoofing or replay attacks.
To address these concerns, PCI DSS v.4.0 now focuses on the need to ensure biometric data is securely stored and transmitted and appropriate safeguards are in place to prevent attacks. Guidance has also been updated to recommend the use of additional factors of authentication such as one-time passwords or physical tokens to provide additional security beyond biometrics.
Overall, the updated authentication requirements in PCI DSS v.4.0 reflect the growing importance of MFA and other advanced authentication methods in today’s threat landscape. With these new requirements related to MFA and updated guidance providing more options to implement strong authentication while leveraging biometrics, the PCI SSC is helping organizations better protect against unauthorized access to sensitive data, thereby protecting their brand reputation, consumer trust and profitability.
For more information or to connect with a Frazier & Deeter QSA, please contact:
Mindy Milliet, Partner, PCI | mindy.milliet@frazierdeeter.com
Aaron Getchius, Director, PCI | aaron.getchius@frazierdeeter.com