Multi-Factor Authentication: Preparing Your Business for PCI 3.2
On February 1, 2018, multi-factor authentication will officially be a requirement under the PCI DSS 3.2 standard, which has been in effect since April 2016 for online businesses. This change requires multi-factor authentication for any users accessing administrative interfaces on systems that take payments online. Multi-factor authentication is a method to secure your site that goes beyond a single password. Users must present at least two of the following factors to authenticate their identity.
- Something you know: A password or passphrase.
- Something you have: A token or smartcard. In most instances, this is your cell phone. Upon sign in, you are prompted for an additional code that is sent via an SMS or service that acts as this token.
- Something you are: A biometric method, including fingerprint readers, iris scanners, etc.
Today, the most common and easily accessible factors are something you know and something you have. We all have passwords, and we all carry phones. As biometric technologies continue to become viable, however, businesses need to prepare to acknowledge and accept a broader combination of authentication sources.
PCI DSS 3.2 stipulates that all remote and local users that access administrative interfaces on systems that accept payments online use multi-factor authentication. This means that the new requirement will affect internal team members considerably more than any other security requirement to date.
Limiting the amount of time and resources spent on multi-factor training is of utmost importance, and lends itself to some good old-fashioned admin account maintenance. The following actions will make your transition easier.
- Clean up any outdated accounts: former team members, third-party accounts, etc. You should be doing this every 90 days.
- Limit user access. If you limit the number of users that can access sensitive data, you reduce the number of users that will be required to utilize multi-factor authentication. This is also an expectation for the principle of Least Privilege within the PCI DSS standard.
- Identify who will require access on site, and who (if any) require remote access.
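The three maintenance steps above can be run as one review over an export of your admin accounts. The script below is an added example written for this post, not LYONSCG's tooling or any platform's own API; the account records, the review date and the role names are constructed sample data, and the only rule it encodes is the post's own: disable accounts that are stale for more than 90 days or belong to departed people, strip roles the job does not need, and split whatever remains into on-site and remote users who will each need multi-factor authentication.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence named in the post: admin accounts are reviewed every 90 days.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class AdminAccount:
    username: str
    last_login: date | None        # None means the account has never signed in
    roles: frozenset               # roles currently granted on the admin interface
    required_roles: frozenset      # roles the person's job actually needs
    active_employee: bool          # False for departed staff or ended contracts
    remote: bool                   # True if they use the admin interface off-site


@dataclass
class Review:
    disable: list = field(default_factory=list)        # accounts to remove
    reduce: dict = field(default_factory=dict)         # username -> roles to strip
    onsite_mfa: list = field(default_factory=list)     # remaining on-site admins
    remote_mfa: list = field(default_factory=list)     # remaining remote admins


def review_accounts(accounts: list[AdminAccount], today: date) -> Review:
    """Apply the 90-day / least-privilege review and return the action list."""
    review = Review()
    for acct in accounts:
        stale = acct.last_login is None or (today - acct.last_login) > STALE_AFTER
        if not acct.active_employee or stale:
            review.disable.append(acct.username)
            continue
        excess = acct.roles - acct.required_roles
        if excess:
            review.reduce[acct.username] = sorted(excess)
        # Everyone who keeps admin access falls under the MFA requirement;
        # remote users are listed separately because they also need the VPN
        # or allowlist arrangement discussed later in the post.
        (review.remote_mfa if acct.remote else review.onsite_mfa).append(acct.username)
    return review


# Constructed sample data (hypothetical accounts, not from a real system).
REVIEW_DATE = date(2018, 1, 15)
SAMPLE_ACCOUNTS = [
    AdminAccount("alice", date(2018, 1, 10), frozenset({"orders", "payments", "catalog"}),
                 frozenset({"orders", "payments"}), active_employee=True, remote=False),
    AdminAccount("bob", date(2017, 9, 1), frozenset({"orders"}),
                 frozenset({"orders"}), active_employee=True, remote=False),
    AdminAccount("carol", date(2018, 1, 12), frozenset({"catalog"}),
                 frozenset({"catalog"}), active_employee=False, remote=True),
    AdminAccount("dave", date(2018, 1, 14), frozenset({"catalog"}),
                 frozenset({"catalog"}), active_employee=True, remote=True),
    AdminAccount("erin", None, frozenset({"orders"}),
                 frozenset({"orders"}), active_employee=True, remote=False),
]

if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    print("disable:", result.disable)
    print("reduce :", result.reduce)
    print("on-site MFA:", result.onsite_mfa)
    print("remote MFA :", result.remote_mfa)
```

With the sample data, `bob` (136 days idle), `carol` (contract ended) and `erin` (never signed in) are disabled, `alice` loses the `catalog` role she does not need, and only `alice` (on-site) and `dave` (remote) remain to be enrolled in multi-factor authentication.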
If you are just starting this process, it can seem daunting, especially with February 1 fast approaching. Here are some low-effort ways to limit unauthorized access during the compliance process.
- If you have not already done so, you should update your administrative URL to something other than the default. This makes it harder for unauthorized users to discover your administrative interface and limits attacks that target default settings.
- Whitelist the administrative interface's URL so it is only accessible from authorized IP address ranges. If users work from home and have dynamic IP addresses, a VPN connection can be used in many cases to map their source address into a range that can be whitelisted. This additional step is critical and will limit the exposure of the admin panel to sources outside the organization.
Please contact LYONSCG for more information about the multi-factor solutions we have available for you to meet these requirements.