MFA Requirements and PCI Compliance: What You Need to Know
Recently implemented changes to the PCI Data Security Standard (DSS) include MFA requirements for companies to protect against breaches that could compromise payment card data.
As of Feb. 1, 2018, organizations must meet the MFA requirements of PCI DSS v3.2 to process payments, and you will be assessed against these requirements in your next PCI compliance audit.
Under the new MFA requirements, a user must present, and be successfully verified by, more than one independent authentication factor before being granted access to the cardholder data environment (CDE) or remote access to an organization’s networks. This strengthens defenses against attacks aimed at stealing passwords or compromising any other single security mechanism.
New PCI standards specify who must use MFA and how. Knowing the following six things about MFA will help you prepare for your next PCI compliance audit.
1) MFA is mandatory for administrators.
The PCI Security Standards Council (SSC) first released PCI DSS v3.2 in April 2016. The expanded MFA requirement was treated as a best practice until Jan. 31, 2018, after which it became mandatory as a sub-requirement under requirement 8.3.
Now, administrators must always use MFA for non-console access to the CDE, per requirement 8.3.1. The PCI SSC defines non-console access as “logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.” This includes access from within local/internal networks as well as access from external, or remote, networks.
2) Non-administrators also may be required to use MFA.
Under requirement 8.3.2 of the PCI DSS, MFA must be used when remotely accessing networks with access to the CDE. This applies to administrators, non-administrators and third-party users with remote access to your network for support or maintenance.
Previous versions of the PCI DSS only required additional authentication factors when systems within the CDE were accessed remotely, according to a Palo Alto Networks blog post on performing multi-factor authentication the PCI way. Additionally, MFA is now recommended as a best practice for remote access to any organizational network, not only networks with access to the CDE.
3) Two out of three authentication factors are needed.
You must use at least two of the following three authentication methods permitted under PCI DSS Requirement 8.2.
- Something you know, such as a security phrase or password
- Something you have, such as a token device or smartcard
- Something you are, a biometric such as your fingerprint
You can use additional authentication attributes, such as geolocation and time of day, according to PCI DSS Guidance for Multi-Factor Authentication, but they do not count toward the minimum: you still must use at least two of the three factors listed above.
4) Authentication methods must not be linked.
The factors must be independent: successfully authenticating with one method must not grant access to the second authenticator. This prevents the compromise of one factor from leading directly to the compromise of the other.
As an example, the PCI DSS explains that if the same login credentials are used to authenticate access to the network as are used for the email account to which a second authentication factor, like a one-time password, is to be sent, then the credentials and one-time password are not considered independent factors.
5) Multi-channel authentication is stronger.
Authenticating through a single channel, such as entering login credentials on the same device on which you receive a one-time password, reduces the effectiveness of MFA, according to guidance from the PCI Security Standards Council (SSC): malware on that one device can capture both factors.
The PCI SSC recommends the use of out-of-band (OOB) authentication to enhance the level of assurance for MFA. With OOB, the factors are conveyed through different channels, so that compromise of a single device does not give an attacker everything needed to gain access to your networks.
6) All factors must be verified.
Successful authentication by one factor is not enough to maintain PCI compliance under the new MFA requirements. All factors must be verified before access is granted.
The PCI DSS also requires that the user receive no indication of the success or failure of any individual factor until all factors have been presented. Otherwise an attacker who has obtained one factor, such as a stolen password, learns that it is valid and can concentrate on defeating the remaining factor alone.
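The following is an added example, not code from the original article or from the PCI SSC, showing how items 4 and 6 translate into a login routine. It pairs a password (something you know) with an RFC 6238 time-based one-time password whose seed is held on a separate device (something you have), so the factors are independent. The user record, salt, password and seed are constructed for the demo, and `leaky_login` and `strict_login` are hypothetical names: the first reports which factor failed, the second always evaluates both factors and exposes only granted or denied.

```python
"""Added example: password + TOTP login with no per-factor feedback.
All user data below is constructed for this demo."""
import hashlib
import hmac
import struct

TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Constructed demo user. The TOTP seed lives on a separate device, so knowing
# the password gives no access to the second factor (factor independence).
DEMO_SEED = b"12345678901234567890"      # RFC 6238 reference secret, demo only
DEMO_SALT = b"static-salt-for-demo-only"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {
    "admin": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
        "totp_seed": DEMO_SEED,
    }
}

# Dummy record used for unknown usernames so the same work is done and the
# same generic result is returned whether or not the account exists.
DUMMY_USER = {"salt": DEMO_SALT, "pw_hash": b"\x00" * 32, "totp_seed": b"\x00" * 20}


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, 6 digits."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**TOTP_DIGITS:0{TOTP_DIGITS}d}"


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def verify_totp(user: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current window and +/- `window` neighbours for clock skew.
    Every candidate is compared so timing does not reveal which one matched."""
    ok = False
    for skew in range(-window, window + 1):
        candidate = totp(user["totp_seed"], unix_time + skew * TOTP_STEP)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def leaky_login(username: str, password: str, code: str, unix_time: int) -> str:
    """NON-COMPLIANT: factors checked in sequence, caller told which one failed.
    A stolen password is confirmed valid before the OTP is ever examined."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return "invalid password"
    if not verify_totp(user, code, unix_time):
        return "invalid one-time code"
    return "granted"


def strict_login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Compliant: both factors must be presented in one request, both are always
    evaluated, and the only outcome exposed is granted (True) or denied (False)."""
    user = USERS.get(username, DUMMY_USER)
    pw_ok = verify_password(user, password)      # evaluated regardless of the other
    otp_ok = verify_totp(user, code, unix_time)  # evaluated regardless of the other
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = 59  # fixed timestamp so the run is reproducible; use int(time.time()) in practice
    good_code = totp(DEMO_SEED, now)
    print("leaky, wrong password :", leaky_login("admin", "wrong", good_code, now))
    print("strict, wrong password:", strict_login("admin", "wrong", good_code, now))
    print("strict, both correct  :", strict_login("admin", DEMO_PASSWORD, good_code, now))
```

Note that `strict_login` still computes the password hash and the TOTP for an unknown username, using a dummy record, so neither the result nor the time taken tells the caller whether the account exists or which factor was wrong. Pair it with rate limiting and a lockout policy; a single generic result does not by itself stop online guessing.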
The newest version of the PCI DSS requires the use of MFA to protect companies and consumers from costly data breaches. Knowing these six things will help you maintain PCI compliance and demonstrate to your assessors that your organization’s access controls are up to date.