Corporate Compliance Insights

Businesses Must Go Beyond Multifactor Authentication to Achieve PCI Compliance

Stronger Authentication Requirements are Essential as Cashless Spending Increases

by Shahrokh Shahidzadeh
April 12, 2019
in Compliance, Featured

As consumers increasingly rely on cashless spending, the PCI SSC has identified a process to secure cardholder data. Acceptto CEO Shahrokh Shahidzadeh discusses why it’s time to replace password-based credentials.

According to a recent study by the Pew Research Center, consumers in the U.S. are relying less on physical currency. The report found that “roughly three in 10 U.S. adults (29 percent) say they make no purchases using cash during a typical week.” In addition, a generational trend shows that “Americans under the age of 50 are more likely than those ages 50 and older to say they don’t really worry much about having cash on hand.”

As American consumers increasingly rely on cashless spending, it is no wonder that the Payment Card Industry Data Security Standard (PCI DSS) arose as a set of requirements that applies to companies of any size that accept credit card payments.

The PCI DSS requirements now mandate multifactor authentication (MFA) for all non-console access to the cardholder data environment, and they recommend MFA for remote access to customer networks.

These requirements bring up a common argument: replacing traditional password-based implementations is expensive, and the integration effort is too complex to accommodate.

Regardless of complexity, password-based credentials need to be replaced so that businesses can meet PCI requirements. In today’s web-based application environments, meeting strong authentication requirements is imperative to protect businesses and customers alike.

Satisfying Credential Authentication Compliance

The Payment Card Industry Security Standards Council (PCI SSC) has identified a three-step process to maximize the security of cardholder data. The council recommends continuously monitoring and enforcing the use of the controls specified in the PCI DSS, and it suggests that organizations approach this as a process rather than a one-time (or even just annual) project. The recommended continuous process is:

  • Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing and analyzing them for vulnerabilities.
  • Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
  • Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.

Ultimately, the council will not enforce a specific company’s compliance with its standards. However, individual payment brands or acquiring banks take these standards very seriously and can revoke an organization’s ability to execute credit card transactions. For some organizations, this failure to meet compliance can cost thousands to millions. This means that businesses will need an immutable way to identify the credentials of credit card administrators, along with their online customers. Financial institutions, both large and small, that support core banking vendors and other players in the ecosystem need to adopt modern solutions that enable context-aware, risk-based authentication. These solutions should go beyond the old binary authentication solutions, including the MFA solutions employed today.

PCI DSS 3.2.1 Requirement 8.3

Since their early beginnings, PCI standards have mandated strong authentication, initially as two-factor authentication. More recently, PCI standards explicitly require MFA. The acceptable methods of authentication continue to be:

  • Something you know, such as a password or passphrase
  • Something you have, such as a token device or smartcard
  • Something you are, such as biometric credentials

The PCI DSS 3.2.1 requirement 8.3 mandates MFA for access to the cardholder data environment (CDE) for all non-console access. It also recommends the use of MFA for all remote access to the customer networks.

PCI MFA Supplement

The PCI SSC released an information supplement on February 1, 2017, to address MFA and help secure remote user access.

The new supplement does not create any new requirements, but instead provides further guidance to help people understand the underlying principles of security so they can go the extra mile to truly protect their network. The overall security goal is clean, multifactor authentication into a critical network, from anywhere outside of that network.

The supplement also does a great job of getting down to the details of MFA by defining the terms and comparing authentication principles. It clears up some previous points of confusion, like what is really meant by “independence of factors,” “multistep” and “multifactor.”
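To make those distinctions concrete, here is an added example (written for this page; it is not code from the article, from Acceptto or from the PCI SSC) that checks two of the principles the supplement defines: that an authentication attempt presents at least two of the three factor categories listed above, held on independent devices, and that a multifactor decision verifies every factor before returning a single result, in contrast to a multistep flow that stops at the first failure and reveals which step failed. The `Factor` categories follow the text; the `device` attribute as a proxy for factor independence, the PBKDF2 password check, the token stand-in, the hypothetical CDE-gateway scenario in `demo()` and the sample credentials are all assumptions made for the illustration.

```python
"""Factor-independence and all-factors-evaluated checks for an MFA decision.

Added illustration for this page, not the article's, Acceptto's or the
PCI SSC's own code. The `device` attribute as an independence proxy, the
verifier helpers and the sample credentials are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional, Tuple


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password or passphrase
    POSSESSION = "something you have"   # token device or smartcard
    INHERENCE = "something you are"     # biometric


@dataclass(frozen=True)
class Authenticator:
    factor: Factor
    device: str                   # assumed: where the factor is held or entered
    verify: Callable[[], bool]    # verifies the value the user presented


def has_independent_factors(auths: Iterable[Authenticator]) -> bool:
    """Multifactor needs two authenticators of different categories that are
    also held on different devices, so that compromising one device does not
    hand over both factors (assumed reading of 'independence of factors')."""
    auths = list(auths)
    return any(a.factor != b.factor and a.device != b.device
               for i, a in enumerate(auths) for b in auths[i + 1:])


def evaluate_multifactor(auths: Iterable[Authenticator]) -> bool:
    """Run every verifier, then return one combined decision. There is no
    short-circuit, so a caller cannot learn which individual factor failed."""
    auths = list(auths)
    if not has_independent_factors(auths):
        return False
    results = [a.verify() for a in auths]   # the comprehension runs them all
    return all(results)


def evaluate_multistep(auths: Iterable[Authenticator]) -> Tuple[bool, Optional[int]]:
    """Contrast: stop at the first failure and report its index. This leaks a
    per-factor outcome, which is what separates multistep from multifactor."""
    for i, a in enumerate(auths):
        if not a.verify():
            return False, i
    return True, None


def enrol_password(password: str) -> Tuple[bytes, bytes]:
    """Constructed enrolment: random salt plus PBKDF2-HMAC-SHA256 for storage."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_verifier(salt: bytes, stored: bytes, presented: str) -> Callable[[], bool]:
    """Knowledge factor: re-derive and compare in constant time."""
    def check() -> bool:
        derived = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, 100_000)
        return hmac.compare_digest(derived, stored)
    return check


def token_verifier(expected_code: str, presented_code: str) -> Callable[[], bool]:
    """Possession factor stand-in for a token device (constructed)."""
    return lambda: hmac.compare_digest(expected_code, presented_code)


def demo(password_typed: str, code_typed: str) -> dict:
    """Hypothetical scenario: an administrator reaches the CDE application
    gateway with a password typed on a workstation plus a code read from a
    separate hardware token. Counts how many verifiers actually ran."""
    salt, stored = enrol_password("correct horse battery staple")   # constructed
    calls = {"ran": 0}

    def counting(verify: Callable[[], bool]) -> Callable[[], bool]:
        def wrapped() -> bool:
            calls["ran"] += 1
            return verify()
        return wrapped

    pw = Authenticator(Factor.KNOWLEDGE, "workstation",
                       counting(password_verifier(salt, stored, password_typed)))
    tok = Authenticator(Factor.POSSESSION, "hardware-token",
                        counting(token_verifier("482913", code_typed)))   # constructed code
    # An authenticator app on the same workstation as the password: not independent.
    app = Authenticator(Factor.POSSESSION, "workstation",
                        token_verifier("482913", code_typed))
    return {
        "independent": has_independent_factors([pw, tok]),
        "same_device": has_independent_factors([pw, app]),
        "granted": evaluate_multifactor([pw, tok]),
        "verifiers_run": calls["ran"],
    }


if __name__ == "__main__":
    print(demo("correct horse battery staple", "482913"))
    print(demo("wrong password", "482913"))
```

The point of `verifiers_run` is that a wrong password still leaves the count at 2: the token verifier ran even though the outcome was already decided, so the single boolean returned by `evaluate_multifactor` gives an attacker no hint about which factor to work on next, whereas `evaluate_multistep` would have stopped at step 0 and said so.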

A way of simplifying compliance and minimizing risk is to isolate the CDE from the company’s non-CDE environment. There are several ways companies can achieve this and pass an audit: namely physical isolation, logical isolation or compensatory controls.

Since access to the CDE is required as part of business as usual, it may (depending largely on the architecture of each environment) mean that organizations will need to have two separate sets of application gateways: one for CDE processing and another for non-CDE processing. It will also mean that the transactions and authentications that are tied to CDE will need to be processed in a different way (e.g., using a different application than the ones used for non-CDE).

In addition, data coming from the CDE should be aligned with PCI requirements. Finally, if the application gateway is being used to provide access to CDE, then access to the gateway must use MFA to identify the user.

Authentication for PCI Compliance

It should be noted that PCI DSS compliance is not a “nice to have” feature. For any retailer looking to execute credit card transactions, it is a “need to have” feature that protects consumers.

The PCI SSC says that if a company intends to accept card payment and store, process and transmit cardholder data, the company needs to host consumer data securely with a PCI-compliant hosting provider or meet very specific requirements to remain in compliance and avoid costly penalties. As cybercriminals figure out more effective ways to steal credentials, businesses should operate under the assumption that credentials have already been compromised. They should be striving to protect payment card information via stronger authentication requirements. Passwords have been proven to be insecure, even with the addition of MFA. To go a step beyond PCI compliance, retailers and financial institutions should consider alternate authentication methods through artificial intelligence modelling language (AIML) technology, which will enable frictionless authentication, prevent credential stuffing and dramatically reduce the likelihood of fraud.


Shahrokh Shahidzadeh

Shahrokh Shahidzadeh is the CEO of Acceptto, where he leads a team of technologists driving a paradigm shift in cybersecurity through Acceptto’s Cognitive Continuous Authentication™ technology. Shahrokh is a seasoned technologist and leader with 27 years of contribution to modern computer architecture, device identity, platform trust elevation, large IoT initiatives and Ambient Intelligence Research (AIR) with more than 20 issued and pending patents. Prior to Acceptto, Shahrokh was a senior principal technologist contributing to Intel Corporation for 25 years in a variety of leadership positions where he architected and led multiple billion-dollar product initiatives.
