“Merchants and financial institutions understand and implement standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.”
“Vendors understand and implement standards for creating secure payment solutions.”
The standard helps by giving merchants, institutions, and vendors a starting point, a baseline on which to build solid security practices.
However, as the threat landscape changes and attackers grow more sophisticated in their techniques and methodologies, standards need to evolve if they are to provide even a minimal level of guidance.
Evolution Gives a Standard Teeth
To many security professionals, the ability to evolve and change is the sign of a good standard. It shows not only that the drivers of the standard are keeping up with new threats and attack vectors, but also that the standard is leveraging new technologies to help organizations prioritize their efforts and push themselves toward more mature risk management practices, if only to keep meeting their compliance obligations.
PCI-DSS has recently undergone such an evolution by releasing version 3.2, and one significant change to this standard is that the use of multi-factor authentication (MFA) is required for all non-console administrative access and all remote access in the cardholder data environment. According to Troy Leach, CTO of the Security Standards Council, “These changes… ensure organizations view security as an organic process that evolves with the company as an ongoing effort and not a yearly assessment to correct behavior.” Previous versions of PCI-DSS, including 3.1, only required MFA for remote access to card data.
MFA and Beyond PCI Compliance
MFA is the practice of requiring a user to present two or more independent forms of proof of identity before access to a system is granted. Typically, these are:
What you know—like a password or passphrase
What you have—like a token, a smart card, or access to a mobile device
What you are—like your fingerprint, retina, or other biometric verification
With so many user credentials being compromised, it is easy to see why standards require MFA for those handling payment card data. Yet, it also makes sense as a way to protect other types of sensitive data, such as health records, customer information, and intellectual property. Likewise, organizations should consider the benefits of implementing MFA across all users and systems and not just privileged accounts and high-value systems.
Your identity and access management (IAM) solution most likely offers some support for MFA; however, there is a real difference between what a modern solution can offer and what a legacy IAM solution provides.
For starters, legacy systems offer limited support for MFA, if they support it at all, and that support can be expensive. The cost comes not only from purchasing the IAM itself but also from the additional technologies it requires: purpose-built biometric hardware and hardware tokens are expensive, and tokens and smart cards are easily lost. A modern IAM makes MFA easier and more cost-efficient by leveraging the mobile devices users already carry. Smartphones are a cost-effective way to deploy fingerprint verification, push notifications, and SMS codes.
A modern solution also has the intelligence to use contextual information, such as the location, time, or device you are authenticating from, to decide whether MFA is required to validate a user's identity. If something is out of context (for example, a login from a foreign country or late at night), your IAM can require MFA before access is granted.
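As an added illustration (not code from the original article or from any vendor's product), the following Python sketch combines the PCI DSS 3.2 cases described earlier, MFA for all non-console administrative access and all remote access into the cardholder data environment, with the contextual signals just described. The request fields, the per-user baseline, the scores and the step-up threshold are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed example: a policy decision that applies the mandatory PCI DSS 3.2
# cases first and then the contextual (location / time / device) step-up rules.
# Field names, scores and the threshold of 2 are assumptions for illustration.


@dataclass
class AccessRequest:
    user: str
    admin: bool        # privileged (administrative) session?
    console: bool      # physically at the system console, not a network login
    remote: bool       # originates from outside the cardholder data environment
    country: str       # country the request appears to come from
    hour: int          # local hour of day, 0-23
    device_id: str     # identifier of the authenticating device


@dataclass
class UserBaseline:
    home_country: str
    known_devices: Set[str] = field(default_factory=set)
    work_hours: range = range(7, 20)   # 07:00 up to but not including 20:00


def mfa_decision(req: AccessRequest, base: UserBaseline) -> Tuple[bool, List[str]]:
    """Return (mfa_required, reasons).

    Mandatory PCI cases always require MFA and cannot be waived by context.
    Otherwise, contextual anomalies contribute to a score; MFA is required
    once the score reaches 2 (assumed threshold).
    """
    reasons: List[str] = []
    if req.admin and not req.console:
        reasons.append("pci: non-console administrative access")
    if req.remote:
        reasons.append("pci: remote access into the CDE")
    if reasons:
        return True, reasons

    score = 0
    if req.country != base.home_country:          # the article's "foreign country"
        score += 2
        reasons.append("context: login from another country")
    if req.hour not in base.work_hours:           # the article's "late at night"
        score += 1
        reasons.append("context: outside usual hours")
    if req.device_id not in base.known_devices:   # unfamiliar device
        score += 1
        reasons.append("context: unrecognised device")
    return score >= 2, reasons
```

A single off-hours login from a known device in the home country does not trigger step-up on its own, but combined with an unknown device it does; any remote or non-console admin session requires MFA regardless of context.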
With MFA being a requirement of the latest version of PCI-DSS, it makes sense to evaluate your IAM to see if it is up to the challenge.