What is Multi-Factor Authentication?
PCI Requirement 8.3 states, “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.” But what is multi-factor authentication? According to the PCI DSS, multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. This provides additional security and assurance that the person attempting to gain access is who they claim to be.
PCI Requirement 8.2 describes three forms of multi-factor authentication that comply with PCI Requirement 8.3: something you know, something you have, and something you are. Something you know is something like as a password or passphrase. How many times have you entered a PIN after swiping your debit card this week? Your PIN is something you know. Something you have would be a token device or smart card. Has a website ever texted your phone a one-time password in order to gain access? That one-time password is something you have. Something you are is something like a biometric. Do you use facial recognition or a scan of your fingerprint to unlock your smartphone? Your fingerprint is something you are. The PCI DSS explains, “These authentication methods, when used in addition to unique IDs, help protect users’ IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used).”
It’s important to note that, “Multi-factor authentication is not required at both the system-level and application-level for a particular system component. Multi-factor authentication can be performed either upon authentication to the particular network or to the system component.”
PCI Requirement 8.3 has several sub-requirements to it, but effectively, it states that if you’re coming into the cardholder data environment from remote access or an untrusted environment, you need to use multi-factor authentication.