PCI Requirement 8.3.2 – Incorporate Multi-Factor Authentication for all Remote Network Access

by Randy Bartels / December 21st, 2017

Remote Network Access and Multi-Factor Authentication

PCI Requirement 8.3.2 requires, “Incorporate multi-factor authentication for all remote network access originating from outside the entity’s network.” This applies to all personnel, general users, administrators, and even vendors accessing for support or maintenance – anyone coming into your environment using remote network access must use multi-factor authentication.

As PCI Requirement 8.2 describes, the three accepted authentication factors on which multi-factor authentication under PCI Requirement 8.3.2 is built are: something you know, something you have, and something you are. Something you know is something like a password or passphrase, something you have would be a token device, and something you are is something like a biometric.

If a network has proper segmentation and remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity’s networks.

If you’re originating traffic from a remote or untrusted environment, it’s required that you use multi-factor authentication to do so. The PCI DSS doesn’t really call out what technology you can and cannot use. What it effectively says, though, is that you need to combine at least two of the three factors: something you know, something you have, and something you are.
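To make the decision rule in the two paragraphs above concrete (MFA is required when the connection originates outside the entity’s network and the target network can reach the cardholder data environment, recommended for other remote access, and only satisfied when the factors presented fall into two different categories), here is an added policy-check example. It is not code from the original post or from the PCI Security Standards Council; the authenticator-to-category mapping, the `RemoteAccessEvent` fields, and the sample events are constructed assumptions for illustration.

```python
"""Remote-access MFA policy check modelled on the rule the post describes.

Added example, not code from the post or from the PCI SSC. The factor
categories are the three the post lists (know / have / are); the SMS flag
reflects the post's caution about NIST's guidance. All names and sample
events below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed mapping of authenticator type -> factor category.
FACTOR_CATEGORY = {
    "password": "know",
    "passphrase": "know",
    "pin": "know",
    "hardware_token": "have",
    "totp_app": "have",
    "smart_card": "have",
    "sms_otp": "have",        # still a "have" factor, but flagged below
    "fingerprint": "are",
    "face": "are",
}

# Authenticators the post cautions against (SMS one-time codes).
DISCOURAGED = {"sms_otp"}


@dataclass
class RemoteAccessEvent:
    user: str
    role: str                    # employee, admin, vendor, ...
    origin_inside_network: bool  # False = originating outside the entity's network
    can_reach_cde: bool          # can the target segment reach the CDE?
    factors: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    mfa_required: bool
    mfa_recommended: bool
    mfa_satisfied: bool
    categories: List[str]
    findings: List[str]


def distinct_categories(factors: List[str]) -> List[str]:
    """Return the distinct factor categories presented, in order of first use."""
    seen: List[str] = []
    for f in factors:
        cat = FACTOR_CATEGORY.get(f)
        if cat is None:
            raise ValueError(f"unknown authenticator type: {f}")
        if cat not in seen:
            seen.append(cat)
    return seen


def evaluate(event: RemoteAccessEvent) -> Verdict:
    """Apply the 8.3.2 rule as the post states it to one access event."""
    findings: List[str] = []
    cats = distinct_categories(event.factors)
    # Two authenticators of the same category (password + PIN) are not MFA.
    satisfied = len(cats) >= 2
    remote = not event.origin_inside_network
    required = remote and event.can_reach_cde
    recommended = remote and not event.can_reach_cde
    if required and not satisfied:
        findings.append(f"{event.user} ({event.role}): remote access to a CDE-connected "
                        f"network with only {cats or ['none']}; 8.3.2 requires MFA")
    elif recommended and not satisfied:
        findings.append(f"{event.user} ({event.role}): remote access without MFA "
                        f"(segmented from CDE; MFA recommended)")
    for f in event.factors:
        if f in DISCOURAGED:
            findings.append(f"{event.user}: {f} is a discouraged second factor")
    return Verdict(required, recommended, satisfied, cats, findings)


def audit(events: List[RemoteAccessEvent]) -> Dict[str, Verdict]:
    return {e.user: evaluate(e) for e in events}


# Constructed sample events, not real access logs.
SAMPLE_EVENTS = [
    RemoteAccessEvent("vendor-support", "vendor", False, True, ["password"]),
    RemoteAccessEvent("alice", "admin", False, True, ["password", "hardware_token"]),
    RemoteAccessEvent("bob", "employee", False, True, ["password", "pin"]),
    RemoteAccessEvent("carol", "employee", False, False, ["password"]),
    RemoteAccessEvent("dave", "employee", False, True, ["password", "sms_otp"]),
    RemoteAccessEvent("erin", "admin", True, True, ["password"]),
]

if __name__ == "__main__":
    for user, v in audit(SAMPLE_EVENTS).items():
        status = "OK" if (not v.mfa_required or v.mfa_satisfied) else "VIOLATION"
        print(f"{user:15} required={v.mfa_required!s:5} satisfied={v.mfa_satisfied!s:5} {status}")
        for line in v.findings:
            print("   -", line)
```

The point worth noticing in the sample run is `bob`: a password plus a PIN are two authenticators but one category, so the check reports a violation, exactly the distinction the "two of three factors" wording draws. `erin` is inside the network, so 8.3.2 as described here does not apply to her session at all.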

One thing I would caution you about is NIST’s new guidance on using SMS text messaging for multi-factor authentication: that method was deprecated. I wouldn’t be surprised if in the near future the council came out with some guidance on that as well.

Understand that this multi-factor authentication is not just required for you, it’s required for all remote access. If you have vendors, employees, or administrative staff coming into your environment remotely, they’re required to use multi-factor authentication.