PCI Requirement 8.3.2 – Incorporate Multi-Factor Authentication for all Remote Network Access

by Randy Bartels / December 20, 2022

Remote Network Access and Multi-Factor Authentication

PCI Requirement 8.3.2 requires, “Incorporate multi-factor authentication for all remote network access originating from outside the entity’s network.” This applies to all personnel, general users, administrators, and even vendors accessing for support or maintenance - anyone coming into your environment using remote network access must use multi-factor authentication. As PCI Requirement 8.2 describes, the three accepted forms of multi-factor authentication that comply with PCI…

PCI Requirement 8.3.1 – Incorporate Multi-Factor Authentication for All Non-Console Access into CDE for Personnel with Administrative Access

by Randy Bartels / December 20, 2022

Multi-Factor Authentication and Administrative Access

PCI Requirement 8.3.1 states, “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.” This requirement, new to PCI DSS v3.2, applies to all personnel with administrative, non-console access to the cardholder data environment, but not to application or system accounts performing automated functions. When someone with administrative privileges is attacked, it can be detrimental to your organization. So, whether you’re…

PCI Requirement 8.3 – Secure All Individual Non-Console Administrative Access and All Remote Access into CDE Using Multi-Factor Authentication

by Randy Bartels / December 20, 2022

What is Multi-Factor Authentication?

PCI Requirement 8.3 states, “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.” But what is multi-factor authentication? According to the PCI DSS, multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. This provides additional security and assurance that the person attempting to gain access is who they…

PCI Requirement 8.2.6 – Set Passwords/Passphrases for First-Time Use and Upon Reset to a Unique Value for Each and Change Immediately After First Use

by Randy Bartels / December 20, 2022

Unique Value for First-Time Use and Resets

PCI Requirement 8.2.6 states, “Set passwords/passphrases for first-time use and upon reset to a unique value for each and change immediately after first use.” There are two elements to PCI Requirement 8.2.6 compliance. First, whenever a new account is being set up or reset, it needs to be given a unique value. Why? The PCI DSS explains, “If the same password is…

PCI Requirement 8.2.5 – New Passwords/Passphrases Can’t Be the Same as Any of the Last Four Passwords/Passphrases Used

by Randy Bartels / December 20, 2022

Effectiveness of Changing Passwords

PCI Requirement 8.2.5 works in conjunction with PCI Requirement 8.2.4 to create secure passwords. Because PCI Requirement 8.2.4 requires passwords/passphrases to be changed every 90 days, PCI Requirement 8.2.5 dictates that new passwords/passphrases can’t be the same as any of the last four passwords/passphrases used. This prevents users from trying to alternate between the same few passwords or not reset their password at all by using…