Does your organization process payments by credit card? If so, you need to be aware of a new PCI DSS requirement for protecting cardholder data: Multi-Factor Authentication, or MFA.
What is MFA? Simply put, it is authentication that requires two or more independent factors: something you know (a password or passphrase), something you have (a hardware token or smart card) and something you are (a biometric). Two instances of the same factor, such as a password plus a security question, do not count as MFA.
The Payment Card Industry Data Security Standard (PCI DSS) already requires MFA for all remote network access into the Cardholder Data Environment (CDE) that originates from outside the organization's network. Version 3.2 of the Standard (Requirement 8.3.1) goes further and requires MFA for all personnel with non-console administrative access to the CDE, even when that access comes from within the trusted internal network.
While this requirement is a best practice until January 31, 2018 and only becomes mandatory after that date, there are important considerations now. First, identify your current administrator roles and the methods they use to reach the CDE, so you know how the requirement affects you. Since MFA can be enforced at the network or system level, you may want to consolidate administrative entry points into the CDE, for example by routing all administrative sessions through a jump server; MFA is then enforced once, at that chokepoint, rather than on every system behind it. Consolidation also makes it easier to manage and monitor CDE access as PCI DSS requires. Along the way you may find ways to reduce the scope of your CDE, which saves time and money by decreasing the number of devices that must be scanned, tested and monitored under PCI DSS.
Implementing MFA ahead of the 2018 deadline better protects your organization and your customers. When attackers gain a foothold on a network, they look for any device on which they can obtain administrative rights, then use those rights to move through the network and locate data that has value on the black market, cardholder data being a prime example. MFA protects against this by requiring more than an administrator's credentials for that access, which matters because credentials can be cracked by readily available tools, stolen through malware, shared or misused by staff, or obtained through social engineering.
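To make the factor definitions above concrete, and to show why a stolen admin password alone is not enough once MFA is in place, here is an added example (not code from the original article or from any PCI DSS document) of the check a jump host might run before admitting an administrator into the CDE. It combines something you know (a password, stored as a salted PBKDF2 hash) with something you have (a time-based one-time password per RFC 6238, as generated by a hardware or phone token). The user name, password and salt are constructed for this example; the TOTP seed is the published RFC 6238 reference seed so the codes can be checked against the RFC's test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed example user for a hypothetical CDE jump host. A real deployment
# keeps the salted password hash and the per-user TOTP seed in a credential
# store; the seed is provisioned out of band when the token is enrolled.
USERS = {
    "cde-admin": {
        "salt": b"constructed-salt",
        "pw_hash": None,  # filled in below
        # RFC 6238 reference seed (ASCII "12345678901234567890")
        "totp_secret": b"12345678901234567890",
    }
}


def hash_password(password, salt):
    """Something you know: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


USERS["cde-admin"]["pw_hash"] = hash_password(
    "correct horse battery staple", USERS["cde-admin"]["salt"]
)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Something you have: TOTP (RFC 6238) = HOTP over the 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta).encode("ascii")
        if hmac.compare_digest(expected, code.encode("utf-8")):
            return True
    return False


def authenticate(username, password, code, unix_time=None):
    """Admit the session only when BOTH factors check out.

    Both factors are always evaluated so that a wrong password and a wrong
    code take the same time and leak nothing about which one failed.
    """
    user = USERS.get(username)
    if user is None:
        return False
    now = time.time() if unix_time is None else unix_time
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Legitimate admin with a token that shows the code for time T=59 (RFC 6238 vector).
    print(authenticate("cde-admin", "correct horse battery staple", "287082", 59))   # True
    # Attacker who stole the password but does not hold the token.
    print(authenticate("cde-admin", "correct horse battery staple", "123456", 59))   # False
```

The point the article makes is visible in the last two calls: the same stolen password succeeds or fails depending solely on whether the caller can also produce the current token code. A production verifier would additionally remember the last counter each user succeeded with and refuse to accept it again, so that a code captured during the acceptance window cannot be replayed.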
Our PCI Qualified Security Assessors (QSAs) can help if you have any questions about MFA or other requirements of PCI and how they apply to your organization.