As consumers increasingly rely on cashless spending, the PCI SSC has identified a process to secure cardholder data. Acceptto CEO Shahrokh Shahidzadeh discusses why it’s time to replace password-based credentials.
According to a recent study by the PEW Research Center, consumers in the U.S. are relying less on physical currency. The report found that “roughly three in 10 U.S. adults (29 percent) say they make no purchases using cash during a typical week.” In addition, a generational trend shows that “Americans under the age of 50 are more likely than those ages 50 and older to say they don’t really worry much about having cash on hand.”
As American consumers increasingly rely on cashless spending, it is no wonder that the Payment Card Industry Data Security Standard (PCI DSS) exists: a set of requirements that applies to companies of any size that store, process or transmit cardholder data.
The PCI DSS requirements now mandate multifactor authentication (MFA) for all non-console administrative access into the cardholder data environment, and for all remote network access that originates from outside the entity’s own network.
These requirements bring up a common objection: replacing traditional password-only implementations is expensive, and the integration effort is too complex to accommodate.
Regardless of complexity, password-only credentials need to be replaced if businesses are to meet PCI requirements. In today’s web-based application environments, strong authentication is imperative to protect businesses and customers alike.
Satisfying Credential Authentication Compliance
The Payment Card Industry Security Standards Council (PCI SSC) has identified a three-step process to maximize the security of cardholder data. It recommends continuously monitoring and enforcing the controls specified in the PCI DSS, and suggests that organizations approach this as an ongoing process rather than a one-time (or even just annual) project. The continuous process recommended is:
- Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing and analyzing them for vulnerabilities.
- Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Ultimately, the council itself does not enforce any specific company’s compliance with its standards. However, the individual payment brands and acquiring banks take these standards very seriously and can fine an organization or revoke its ability to process credit card transactions. For some organizations, a compliance failure can cost thousands to millions of dollars. Businesses therefore need a reliable way to verify the identity of the administrators who touch cardholder data, as well as of their online customers. Financial institutions large and small, the core banking vendors that support them, and the other players in the ecosystem need to adopt modern solutions that enable context-aware, risk-based authentication. These solutions should go beyond the old pass/fail model of authentication, including the MFA solutions employed today.
PCI DSS 3.2.1 Requirement 8.3
Since its earliest versions, the PCI DSS has mandated strong authentication, initially as two-factor authentication. More recent versions explicitly require MFA. The acceptable factors continue to be:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smartcard
- Something you are, such as a biometric.
PCI DSS 3.2.1 requirement 8.3 mandates MFA for all non-console administrative access into the cardholder data environment (CDE) (8.3.1), and for all remote network access, by users, administrators and third parties alike, that originates from outside the entity’s network (8.3.2).
PCI MFA Supplement
The PCI SSC released an information supplement on February 1, 2017 to address MFA and help secure remote user access.
The supplement creates no new requirements; instead it explains the security principles behind the existing ones so that organizations can go beyond the letter of the standard and truly protect their networks. The overall security goal is genuine multifactor authentication into a critical network from anywhere outside that network.
The supplement also gets down to the details of MFA by defining its terms and comparing authentication principles. It clears up earlier points of confusion: “independence of factors” means that compromising one factor (say, a password) must not help an attacker obtain another (the token on the same device, for example); “multistep” authentication checks the factors one after another and reveals the result of each step, which lets an attacker defeat them one at a time; true “multifactor” authentication collects every factor and returns a single success or failure without disclosing which factor was wrong.
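The difference between multistep and multifactor verification is easiest to see in code. The following is an added example, not code from the original article or from any PCI SSC publication: it pairs a PBKDF2 password check (something you know) with an RFC 6238 TOTP check (something you have), and shows a leaky multistep verifier beside a verifier that evaluates both factors before answering. The user record, salt and shared secret are constructed test data; the function names and the error strings are this example’s own.

```python
"""Multistep vs. multifactor verification of a password plus a TOTP code.

Added illustration of the PCI MFA supplement's terminology; the user
record and secrets below are constructed for the example.
"""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30          # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Factor 1, something you know: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """Factor 2, something you have: RFC 6238 TOTP (HOTP over a time counter)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def code_matches(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Constant-time compare against the current step and +/- skew_steps of drift."""
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, now + delta * TOTP_STEP)
        ok |= hmac.compare_digest(expected, code)  # no early exit on match
    return ok


# Constructed user record: a fixed salt, the hash of "correct horse", and a
# shared TOTP secret. Real systems keep the secret encrypted at rest.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",
}


def verify_multistep(user: dict, password: str, code: str, now: int) -> str:
    """Weak: checks the factors in sequence and reports which one failed.

    An attacker can first brute-force the password (every attempt is answered
    "bad password" or "bad code") and only then start guessing TOTP codes.
    """
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad password"
    if not code_matches(user["totp_secret"], code, now):
        return "bad code"
    return "ok"


def verify_multifactor(user: dict, password: str, code: str, now: int) -> str:
    """Hardened: evaluates every factor, then returns one undifferentiated result."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = code_matches(user["totp_secret"], code, now)
    # Both checks always run; the caller learns only the combined outcome.
    return "ok" if (pw_ok and code_ok) else "authentication failed"


if __name__ == "__main__":
    import time
    now = int(time.time())
    good_code = totp(USER["totp_secret"], now)
    bad_code = f"{(int(good_code) + 1) % 10 ** TOTP_DIGITS:06d}"
    print("multistep, right password, wrong code:",
          verify_multistep(USER, "correct horse", bad_code, now))
    print("multifactor, right password, wrong code:",
          verify_multifactor(USER, "correct horse", bad_code, now))
    print("multifactor, both right:",
          verify_multifactor(USER, "correct horse", good_code, now))
```

Run stand-alone, the multistep verifier answers "bad code" for a correct password with a wrong token, confirming the password to the caller, while the multifactor verifier answers only "authentication failed". The RFC 6238 test vector (secret "12345678901234567890", T = 59, SHA-1) yields "94287082" at eight digits, which is a quick way to confirm the `totp` function before wiring it into a real gateway.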
One way to simplify compliance and reduce risk is to isolate the CDE from the company’s non-CDE environment, which also shrinks the scope of the audit. Companies can achieve this and pass an audit through physical isolation, logical isolation (network segmentation) or, where neither is feasible, documented compensating controls.
Since access to the CDE is part of business as usual, this may (depending largely on the architecture of each environment) mean that organizations need two separate sets of application gateways: one for CDE processing and another for non-CDE processing. It also means that transactions and authentications tied to the CDE must be processed separately (e.g., by a different application than the ones used for non-CDE traffic).
In addition, any data leaving the CDE must itself be handled in line with PCI DSS requirements. Finally, if an application gateway provides access to the CDE, then access to that gateway must use MFA to identify the user.
Authentication for PCI Compliance
It should be noted that PCI DSS compliance is not a “nice to have” feature. For any retailer looking to execute credit card transactions, it is a “need to have” feature that protects consumers.
The PCI SSC says that a company that intends to accept card payments and store, process or transmit cardholder data must either host that data with a PCI-compliant hosting provider or meet very specific requirements itself to remain in compliance and avoid costly penalties. As cybercriminals find more effective ways to steal credentials, businesses should operate under the assumption that credentials have already been compromised and should protect payment card information with stronger authentication. Passwords alone have repeatedly proven insecure, and bolting on a weak second factor does not fully close the gap, since one-time codes and push approvals can still be phished. To go a step beyond PCI compliance, retailers and financial institutions should consider alternative authentication methods built on artificial intelligence and machine learning (AI/ML), which can enable frictionless authentication, resist credential stuffing and dramatically reduce the likelihood of fraud.