Ready for Mandatory Multi-Factor Authentication?

Passwords are no longer a sufficient means of controlling access to sensitive data, so the Payment Card Industry Security Standards Council (PCI SSC) is doing something about it. They are now recommending that organizations bolster access security with multi-factor authentication.

Why all the fuss?

Quite simply, compromised passwords are the leading cause of data breaches. This finding is supported by the 2016 Verizon Data Breach Investigations Report.

Multi-factor authentication (MFA) will be considered a “best practice” until February 2018. After that, multi-factor authentication will be required for compliance with the PCI standard. With that in mind, the SSC is encouraging organizations to adopt multi-factor authentication as soon as possible.

Two-factor authentication (2FA) involves having two different forms of authentication, such as a username and a PIN or password; MFA implies at least one additional factor, such as the answer to a personal question. Biometric data can also be part of the mix.

Under the PCI DSS requirement for MFA, individuals with “non-console” administrative access to systems that handle credit card data must authenticate using MFA. “Non-console” administrative access refers to any access that reaches the system over a network, as opposed to through the system’s local screen and keyboard. For example, if the system is accessed via a web-based interface, remote desktop software or terminal services, the user must be authenticated via MFA.
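One way to check whether this rule is actually being met is to audit authentication logs for administrative logins to cardholder-data systems that arrived over the network without MFA. The script below is an added example written for this article; it is not code from DataLink or the PCI SSC. The log line format, the host inventory (`CDE_HOSTS`), the list of channels treated as non-console, and the sample log entries are all constructed assumptions for illustration.

```python
# Audit of administrative logins against the PCI "non-console" MFA rule:
# an admin login to a cardholder-data system that arrives over the network
# (web console, RDP, SSH, terminal services, VPN) must have used MFA, while
# a login at the machine's local console is outside the rule.
from dataclasses import dataclass
import re

# Constructed inventory of hosts in the cardholder data environment (assumption).
CDE_HOSTS = {"pay-db01", "pay-app01"}

# Channels treated as non-console (network) access (assumption).
NON_CONSOLE_CHANNELS = {"web", "rdp", "ssh", "terminal-services", "vpn"}

# Constructed log format: "<timestamp> login user=.. role=.. host=.. channel=.. mfa=yes|no"
LOG_RE = re.compile(
    r"user=(?P<user>\S+) role=(?P<role>\S+) host=(?P<host>\S+) "
    r"channel=(?P<channel>\S+) mfa=(?P<mfa>yes|no)"
)


@dataclass(frozen=True)
class Finding:
    """One login that should have used MFA but did not."""
    user: str
    host: str
    channel: str


def mfa_required(role: str, host: str, channel: str) -> bool:
    """True when the rule applies: admin role, CDE host, network (non-console) channel."""
    return role == "admin" and host in CDE_HOSTS and channel in NON_CONSOLE_CHANNELS


def audit(lines):
    """Return a Finding for every admin login that the rule covers and that lacked MFA."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a login record in the expected format; skip it
        rec = m.groupdict()
        if mfa_required(rec["role"], rec["host"], rec["channel"]) and rec["mfa"] == "no":
            findings.append(Finding(rec["user"], rec["host"], rec["channel"]))
    return findings


# Constructed sample log lines covering each branch of the rule.
SAMPLE_LOG = [
    "2017-03-01T09:12:03Z login user=alice role=admin host=pay-db01 channel=rdp mfa=yes",
    "2017-03-01T09:14:47Z login user=bob role=admin host=pay-db01 channel=ssh mfa=no",
    "2017-03-01T09:20:10Z login user=carol role=admin host=pay-app01 channel=console mfa=no",
    "2017-03-01T09:22:31Z login user=dave role=user host=pay-app01 channel=web mfa=no",
    "2017-03-01T09:30:00Z login user=erin role=admin host=hr-wiki channel=web mfa=no",
    "2017-03-01T09:31:15Z login user=frank role=admin host=pay-app01 channel=web mfa=no",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"VIOLATION: {f.user} reached {f.host} via {f.channel} without MFA")
```

Run against the sample log, only `bob` (SSH to a CDE database host) and `frank` (web console on a CDE application host) are reported: `carol` logged in at the local console, `dave` is not an administrator, and `erin` reached a host outside the cardholder data environment. The same three-part test (role, host scope, channel) is what an assessor will walk through when deciding which logins the requirement covers.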

It is simply a matter of time before MFA is accepted as a best practice and is routinely applied across organizations. It is also a matter of time before federal regulators make MFA mandatory across the financial sector. The European Union is already framing legislation that imposes draconian fines on organizations that fall victim to security breaches while failing to implement MFA.

If your organization relies on payment processing services, PCI DSS Gap Analyses and Remediations, annual audits, and quarterly scanning are essential for achieving compliance objectives. DataLink can help you get where you need to be. Contact us today: 410.729.0440 or sales@DataLinkTech.com.