PCI DSS 3.2 Effective Feb. 1st
Just a reminder that the update for PCI DSS 3.2 from last year included a new requirement regarding multi-factor authentication which goes into effect on Feb 1st that includes the following requirement “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.”
PCI Cardholder Data Environment and Multi-Factor Authentication
The rule affects the way an administrator user logs in to a cardholder data environment system which now requires a secondary authentication for access. When an administration logs in to a computer within the CDE or that can access the CDE, a second one-time password or device must be used. The Information Supplement provided by the PCI Council has the following requirements for the MFA deployed:
The overall authentication process for MFA requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
- Something you know, such as a password or passphrase. This method involves verification of information that a user provides, such as a password/passphrase, PIN, or the answers to secret questions (challenge-response).
- Something you have, such as a token device or smartcard. This method involves verification of a specific item a user has in their possession, such as a physical or logical security token, a one-time password (OTP) token, a key fob, an employee access card, or a phone’s SIM card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app or a cryptographic material (i.e., certificate or a key) residing on the device.
- Something you are, such as a biometric. This method involves verification of characteristics inherent to the individual, such as via retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, and even earlobe geometry.
Using SMS for Authentication and One Time Passwords
PCI follows closely with more accepted frameworks and as such has defined the use of Short Message Service (SMS) will not be used in out of band authentication or by receiving a text message on a cell phone to receive a one-time password for use as a second authentication factor. As such, several solutions utilize this type of authentication and cannot be used to connect an administrator user to a CDE when connecting. The information from PCI is the following:
“PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry. While NIST currently permits the use of SMS, they have advised that out-of-band authentication using SMS or voice has been deprecated and may be removed from future releases of their publication. “
For those customers who must be compliant with these standards this means that now not only must they require MFA for remote access, but now they must also require it for internal admin access to the CDE. For many, this is not a trivial change as those organizations do not have the means to even trigger an MFA prompt into this environment readily available. SLAIT suggests that any organization who thinks it might be affected by this change should speak to one of our security specialists from the SLAIT team to determine what potential changes are required for them to be compliant.