Multi-Factor Authentication and Administrative Access
PCI Requirement 8.3.1 states, “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.” This requirement, new to PCI DSS v3.2, applies to all personnel with administrative, non-console access to the cardholder data environment, but to application or system accounts performing automated functions. When someone with administrative privileges is attacked, it can be detrimental to your organization. So, whether you’re coming from a trusted or untrusted environment, if you’re going to be making administrative changes from non-console access, you must use multi-factor authentication.
PCI Requirement 8.2 describes three forms of multi-factor authentication that comply with PCI Requirement 8.3.1: something you know, something you have, and something you are. Something you know is something like as a password or passphrase, something you have would be a token device or smart card, and something you are is something like a biometric.
PCI Requirement 8.3.1 is a new requirement that was established for PCI DSS v3.2. This requirement requires that any time your organization accesses your cardholder data environment for administrative purposes, you use multi-factor authentication to do so. Previously, multi-factor authentication was only required when you would originate your traffic from a remote or untrusted environment. This new requirement states that whether you’re coming from an untrusted environment or your own corporate environment, if you’re going to be making administrative changes from non-console access, you must use multi-factor authentication.