PCI DSS 4.0: New Multi-Factor Authentication (MFA) Requirements

With the release of PCI DSS version 4.0, the PCI Security Standards Council (SSC) has introduced significant changes and additions to the requirements, particularly in the realm of multi-factor authentication (MFA). In this blog post, we will delve into the key updates and explore how these changes aim to bolster payment security.

Understanding Multi-Factor Authentication:

Before diving into the specifics of PCI DSS 4.0, let's briefly review what constitutes MFA. The SSC defines three acceptable factors for MFA:

  1. Something you know (e.g., username, password, PIN)
  2. Something you have (e.g., smart card, security token, one-time password)
  3. Something you are (e.g., biometric data such as fingerprint, retina scan)

To be considered valid MFA, a solution must incorporate at least two of these independent factors.

PCI DSS 3.2.1 vs. PCI DSS 4.0:

Under PCI DSS 3.2.1, MFA was primarily required for remote network access originating outside the organization's network and for non-console administrative access to the cardholder data environment (CDE). However, PCI DSS 4.0 introduces several significant changes:

  1. MFA will be mandatory for all access to the CDE, not just for administrators.
  2. Users must be challenged with MFA every time they attempt to access the CDE.
  3. MFA will be required for all types of system components, including cloud environments, hosted systems, on-premises applications, network security devices, workstations, servers, and endpoints.
  4. All remote access, including administrative, non-administrative, and third-party/vendor access, must include MFA.

Configuring MFA Under PCI DSS 4.0 Requirement 8.5:

PCI DSS 4.0 introduces a new requirement, 8.5, which requires that MFA systems granting access to the CDE be configured correctly so they cannot be misused. Organizations must ensure their MFA solutions meet the following criteria:

  • Resistance to replay attacks: The MFA solution must be designed to prevent attackers from intercepting and reusing valid authentication messages.
  • No bypass allowed: The MFA solution must not allow users to bypass the authentication process unless specific exceptions are granted by management.
  • Use of at least two different factors: The MFA solution must utilize at least two independent factors from the three categories mentioned earlier.
  • No access granted without successful authentication: The MFA solution must deny access if any of the required authentication factors fail.
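The four 8.5 criteria above map directly onto how an MFA verifier should be written. The example below is added here and is not code from the original post or from the PCI SSC: it verifies a password (something you know) and an RFC 6238 TOTP code (something you have), evaluates both factors before deciding, has no bypass path, and tracks the last consumed TOTP step per user so an intercepted code cannot be replayed. The user record, salt, and TOTP secret are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample store: user -> salt, PBKDF2 password hash, TOTP secret, last consumed step.
# The secret is the RFC 6238 test-vector secret; none of these values come from the original page.
USERS = {
    "alice": {
        "salt": b"static-demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"static-demo-salt", 100_000),
        "totp_secret": b"12345678901234567890",
        "last_step": -1,  # highest TOTP time step already accepted (replay guard, criterion 1)
    }
}

def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for a given 30-second step counter (HMAC-SHA1 with RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def authenticate(user: str, password: str, code: str, now=None) -> bool:
    """Grant access only when BOTH independent factors verify. There is deliberately no bypass."""
    rec = USERS.get(user)
    if rec is None:
        return False
    step = int((time.time() if now is None else now) // 30)
    # Factor 1, something you know: constant-time comparison of the derived password hash.
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000), rec["pw_hash"])
    # Factor 2, something you have: accept the current or previous step (clock skew), but never
    # a step at or below the last consumed one, so a captured code cannot be reused.
    otp_ok, accepted_step = False, None
    for s in (step, step - 1):
        if s > rec["last_step"] and hmac.compare_digest(totp(rec["totp_secret"], s), code):
            otp_ok, accepted_step = True, s
            break
    # Both factors are evaluated before deciding; a failure of either yields the same denial.
    if not (pw_ok and otp_ok):
        return False
    rec["last_step"] = accepted_step  # consume the code only on full success
    return True
```

Because `last_step` only advances on full success, a valid code submitted with a wrong password is not burned, but the same code can never be accepted twice.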

The introduction of PCI DSS 4.0 marks a significant step forward in payment security, particularly in the area of multi-factor authentication. By expanding the scope of MFA requirements and introducing stricter configuration guidelines, the PCI SSC aims to fortify the defenses against unauthorized access to sensitive cardholder data.

Organizations must diligently assess their current MFA implementations, identify gaps, and make necessary adjustments to comply with the new standard. By embracing these changes and prioritizing robust MFA practices, businesses can enhance their security posture and protect their customers' trust in the digital payment ecosystem.
