Wednesday, January 27, 2021
Corporate Compliance Insights

Businesses Must Go Beyond Multifactor Authentication to Achieve PCI Compliance

Stronger Authentication Requirements are Essential as Cashless Spending Increases

by Shahrokh Shahidzadeh
April 12, 2019
in Compliance, Featured

As consumers increasingly rely on cashless spending, the PCI SSC has identified a process to secure cardholder data. Acceptto CEO Shahrokh Shahidzadeh discusses why it’s time to replace password-based credentials.

According to a recent study by the Pew Research Center, consumers in the U.S. are relying less on physical currency. The report found that “roughly three in 10 U.S. adults (29 percent) say they make no purchases using cash during a typical week.” In addition, a generational trend shows that “Americans under the age of 50 are more likely than those ages 50 and older to say they don’t really worry much about having cash on hand.”

As American consumers increasingly rely on cashless spending, it is no wonder that the Payment Card Industry Security Standards Council maintains the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements that applies to any company, of any size, that accepts, processes, stores or transmits payment card data.

Requirement 8.3 of the PCI DSS now mandates multifactor authentication (MFA) for all non-console administrative access into the cardholder data environment and for all remote network access that originates from outside the entity’s network, including third-party access for support or maintenance.

These requirements bring up a common argument: replacing traditional password-based implementations is expensive, and the integration effort is too complex to accommodate.

Regardless of the complexity, password-only credentials need to be replaced so that businesses can meet PCI requirements. In today’s web-based application environments, strong authentication is imperative to protect businesses and customers alike.

Satisfying Credential Authentication Compliance

The Payment Card Industry Security Standards Council (PCI SSC) has identified a three-step process to maximize the security of cardholder data. It recommends continuously monitoring and enforcing the controls specified in the PCI DSS and suggests that organizations treat this as an ongoing process rather than a one-time (or even just annual) project. The recommended continuous process is:

  • Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing and analyzing them for vulnerabilities.
  • Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
  • Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.

Ultimately, the council itself does not enforce any individual company’s compliance with its standards. However, the payment brands and acquiring banks do take these standards seriously and can impose penalties or revoke an organization’s ability to process card transactions. For some organizations, failing to achieve compliance can cost thousands to millions of dollars. This means businesses need a reliable way to verify the identity of the administrators who touch cardholder data, along with that of their online customers. Financial institutions large and small, together with the core banking vendors and other players in the ecosystem that support them, need to adopt modern solutions that enable context-aware, risk-based authentication. These solutions should go beyond the old binary, pass-or-fail authentication model, including the MFA solutions employed today.

PCI DSS 3.2.1 Requirement 8.3

Since its early versions, the PCI DSS has mandated strong authentication, initially framed as two-factor authentication. More recent versions explicitly require MFA. The acceptable factor categories remain:

  • Something you know, such as a password or passphrase;
  • Something you have, such as a token device or smart card; and
  • Something you are, such as a biometric.

PCI DSS 3.2.1 Requirement 8.3 mandates MFA for all non-console administrative access into the cardholder data environment (CDE) (8.3.1) and for all remote network access originating from outside the entity’s network, whether by users, administrators or third parties (8.3.2).

PCI MFA Supplement

The PCI SSC released an information supplement on February 1, 2017 to address MFA and help secure remote user access.

The supplement does not create any new requirements. Instead, it explains the security principles underlying Requirement 8.3 so that organizations can go beyond the letter of the standard and genuinely protect their networks. The overall goal is sound multifactor authentication into a critical network from anywhere outside that network.

The supplement also gets into the details of MFA by defining its terms and comparing authentication principles. It clears up earlier points of confusion, in particular what is really meant by “independence of factors,” “multistep” and “multifactor.” Factors are independent when compromising one does not hand an attacker the other; a password and a software token held on the same device used to log in do not qualify unless that device is itself secured to protect the token. Multistep authentication verifies the factors one at a time and reveals the result of each step before the next is examined, so an attacker can test a stolen password without ever holding the second factor; the supplement is clear that this does not meet the intent of the requirement. Multifactor authentication evaluates all factors before any pass-or-fail result is returned, and a failure does not reveal which factor was wrong.
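To make the multistep-versus-multifactor distinction concrete, here is an added Python example of a password-plus-TOTP login implemented both ways. It was written for this article and is not code from the PCI SSC, the author or Acceptto. The user record, salt, TOTP seed and the fixed timestamp are constructed demo values; the TOTP routine follows RFC 6238 and is checked against that RFC’s published test vectors.

```python
"""Multi-step vs multi-factor login checks (password + TOTP).

Added illustration for this article; not code from the PCI SSC, the author
or Acceptto. All users, salts, secrets and the fixed timestamp are
constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 50_000  # demo value; production would use a tuned, higher cost


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (factor 1: something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (factor 2: something you have, the seeded authenticator)."""
    return hotp(secret, now // step, digits)


# Constructed demo credential store: one real user plus a decoy record that is
# used for unknown usernames so the work done (and the timing) stays the same.
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # constructed seed
    },
}
_DECOY = {
    "salt": _SALT,
    "pw_hash": bytes(32),  # no PBKDF2 output will ever equal all zeros
    "totp_secret": b"decoy-seed-never-accepted",
}


def _password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def _otp_ok(user: dict, code: str, now: int) -> bool:
    """Accept the current 30-second step and the previous one (clock drift).
    Every candidate is compared; no early return leaks which one matched."""
    ok = False
    for drift in (0, 30):
        expected = totp(user["totp_secret"], now - drift).encode()
        ok |= hmac.compare_digest(code.encode(), expected)
    return ok


def authenticate_multistep(username: str, password: str, code: str, now: int) -> str:
    """Multi-STEP: each factor is a separate pass/fail decision, and the outcome
    of step 1 is reported before step 2 is examined. An attacker holding a
    stolen password list can confirm which passwords are valid without ever
    possessing the second factor. The PCI MFA supplement says this does not
    satisfy Requirement 8.3."""
    user = USERS.get(username)
    if user is None:
        return "unknown_user"
    if not _password_ok(user, password):
        return "bad_password"  # leaks: the password was the failing factor
    if not _otp_ok(user, code, now):
        return "bad_code"  # leaks: the password was correct
    return "ok"


def authenticate_multifactor(username: str, password: str, code: str, now: int) -> bool:
    """Multi-FACTOR: both factors are always evaluated, the results are combined
    with a non-short-circuiting AND, and the caller gets one generic answer.
    Unknown usernames go through the same work against the decoy record."""
    known = username in USERS
    user = USERS.get(username, _DECOY)
    pw_ok = _password_ok(user, password)
    otp_ok = _otp_ok(user, code, now)
    return bool(pw_ok & otp_ok & known)


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed fixed timestamp so the demo is repeatable
    code = totp(USERS["alice"]["totp_secret"], NOW)
    print("multistep, wrong password:", authenticate_multistep("alice", "nope", code, NOW))
    print("multifactor, wrong password:", authenticate_multifactor("alice", "nope", code, NOW))
    print("multifactor, both factors:", authenticate_multifactor("alice", "correct horse battery staple", code, NOW))
```

Run directly, the multistep path reports bad_password while the multifactor path returns only a generic False for the same input; the decoy record keeps unknown usernames on the same code path. A real deployment would add rate limiting, lockout and replay protection for already-used OTP values, none of which is shown here.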

One way to simplify compliance and minimize risk is to isolate the CDE from the company’s non-CDE environment, which shrinks the scope of the assessment. Companies can achieve this and pass an audit in several ways: physical isolation, logical isolation (network segmentation) or compensating controls.

Since access to the CDE is part of business as usual, this may (depending largely on the architecture of each environment) mean that organizations need two separate sets of application gateways: one for CDE processing and another for non-CDE processing. It also means that transactions and authentications tied to the CDE must be processed separately (e.g., by a different application from the ones used for non-CDE work).

In addition, any data flowing out of the CDE must be handled in line with PCI requirements. Finally, if an application gateway provides access to the CDE, then access to that gateway must itself use MFA to identify the user.

Authentication for PCI Compliance

It should be noted that PCI DSS compliance is not a “nice to have” feature. For any retailer looking to execute credit card transactions, it is a “need to have” feature that protects consumers.

The PCI SSC’s position is that if a company intends to accept card payments and store, process or transmit cardholder data, it needs either to host that data with a PCI-compliant hosting provider or to meet the specific requirements itself in order to remain in compliance and avoid costly penalties. As cybercriminals find more effective ways to steal credentials, businesses should operate under the assumption that credentials have already been compromised and should protect payment card information with stronger authentication. Passwords alone have proven insecure, and even password-plus-one-time-code MFA can be phished or relayed in real time. To go a step beyond PCI compliance, retailers and financial institutions should consider alternative authentication methods built on artificial intelligence and machine learning (AI/ML), which can enable frictionless authentication, prevent credential stuffing and dramatically reduce the likelihood of fraud.


Tags: PCI DSS

Shahrokh Shahidzadeh

Shahrokh Shahidzadeh is the CEO of Acceptto, where he leads a team of technologists driving a paradigm shift in cybersecurity through Acceptto’s Cognitive Continuous Authentication™ technology. Shahrokh is a seasoned technologist and leader with 27 years of contribution to modern computer architecture, device identity, platform trust elevation, large IoT initiatives and Ambient Intelligence Research (AIR), with more than 20 issued and pending patents. Prior to Acceptto, Shahrokh was a senior principal technologist at Intel Corporation for 25 years in a variety of leadership positions, where he architected and led multiple billion-dollar product initiatives.

© 2019 Corporate Compliance Insights
