PCI DSS v4.0: New MFA Requirements

At a glance

• Main takeaway: Multi-factor authentication will now be mandatory under the new PCI DSS v4.0 standard for all parties who have access to the CDE regardless of access level or location.
• Impact on your business: Every organization is in a different phase on its security and compliance journey, however, if you haven’t started your implementation the new requirements may feel expensive and burdensome.
• Next steps: Aprio’s Information Assurance Services team can perform a readiness assessment to help you take the first step in becoming PCI DSS v4.0 compliant.  

Are you ready to learn more? Schedule a conversation with our team.

The full story:

PCI has closed the loop with multi-factor authentication (MFA) in PCI DSS v4.0. Numerous adjustments and additions have been introduced to accommodate the evolving technological landscape, enhance clarity and reinforce objectives. MFA has been on the best practice list for some time and will now be mandatory in the updated standard.

In essence, the new standard mandates the implementation of MFA moving forward for all parties who have access to the CDE regardless of access level or location.

This article provides an analysis of the perspective presented by the PCI Security Standards Council (SSC) concerning valid MFA, juxtaposing the requisites outlined in v3.2.1 with the expanded and revised stipulations of v4.0.

Defining Multi-Factor Authentication

Before we dive in, we should define MFA. The PCI SSC published its opinion on what constitutes MFA back in 2017 and is generally held across the information security industry. MFA consists of three approved factors, of which two or more must be integrated into your solution. These include:

• Something you know: This encompasses usernames, passwords, passphrases, PINs, or combinations thereof.
• Something you have: Typically, this pertains to items such as smart cards, physical or logical security tokens, or one-time passwords (OTP) generated by smartphone apps. These elements are complemented by cryptographic components, such as certificates or keys stored on the device.
• Something you are: This encompasses biometric data like fingerprints, retina scans, palm prints, iris scans, or other unique individual attributes.

For your solution to qualify for use as part of PCI compliance, each of these factors must remain independent, ensuring that the compromise of one factor does not jeopardize the confidentiality or integrity of the others.

A common example of MFA involves utilizing a smartphone to generate a one-time passcode (OTP) or time-based token (TBT), which is then combined with a username and password for accessing a SaaS application. In the event the username and password are compromised, unauthorized access to the solution is averted unless the attacker also possesses the OTP or TBT.

Multi-Factor Authentication Differences Between PCI DSS v3.2.1 and v4.0

MFA in PCI DSS v3.2.1:

Historically, Requirement 8.2 of PCI DSS v3.2.1 only mandated MFA in two scenarios:

• Remote network access originating from outside the network, for example, via VPN.
• For all non-console administrative access to the cardholder data environment (CDE).

However, as previously mentioned, these requirements are expanding.

Revisions to MFA within PCI DSS v4.0:

Version 4.0 of PCI DSS maintains the two requirements while introducing significant changes. Here’s a quick breakdown of all the MFA related requirements, including the new additions:

• Requirement 8.4.1: MFA is required for all non-console access by administrative personnel.
• Requirement 8.4.2: MFA is extended for all access into the CDE and must be required on every instance of access.
  • Note: This extends MFA beyond non-console access and to all users including vendors and non-administrators. It does not apply to system accounts for automated functions or user accounts on point-of-sale terminals.
• Requirement 8.3.2: MFA must be implemented for all remote network access originating from outside the entity’s network that could impact the CDE (including vendors/third-party access).
• Requirement 8.5.1: MFA solutions must not be susceptible to replay attacks, cannot be bypassed by any user including an administrator (unless expressly documented) and PCI has now solidified that two different MFA authentication factors must be used.

Note, that PCI has deemed these new requirements a best practice until March 31, 2025. After that, these requirements become mandatory.

Given the firm scope definitions and the notable expansion of MFA requirements over v3.2.1, it is imperative to complete a v4.0 readiness assessment of prior MFA configurations and access privileges to ensure compliance with this updated mandate.

Guidance on Configuring MFA to Prevent Misuse and Complying with Requirement 8.5 of PCI DSS v4.0 

PCI DSS v4.0’s newly introduced Requirement 8.5, requires that all MFA systems enabling CDE access must be configured to prevent misuse. This directive aims to address the most common weaknesses, vulnerabilities and potential misconfigurations within MFA solutions. PCI DSS will require your solution to be scrutinized based on four key characteristics:

1. Immunity to Replay Attacks: Your MFA solution must prevent replay attacks, wherein an attacker intercepts and redirects a valid user’s message to a legitimate target, thereby gaining unauthorized access.
2. Not Permit Bypass of the MFA: Requirement 8.5 necessitates that your MFA system must not permit bypassing the second authentication factor. The risk of common attack methods, such as installing malicious applications, intercepting SMS messages, or exploiting session reuse, must be mitigated.
3. Enforce Use of Independent Factors: PCI addresses a prior issue where one might interpret PCI DSS as allowing an entity to employ two different passwords or possession factors as MFA. Requirement 8.5 resolves this issue by mandating the use of at least two independent factors for authentication.
4. All Authentication Factors Must Pass: Your MFA solution must prevent access unless all requisite authentication factors are correctly provided.

What Is Your Plan for Transitioning to PCI DSS v4.0?

Every organization is in a different phase in its security and compliance journey. For some organizations who have implemented world-class MFA solutions years ago, the new MFA requirements in PCI DSS v4.0 may feel like a long time coming. Still, other organizations may see these new requirements as both expensive and burdensome to implement.

It is important for all entities subject to PCI DSS v4.0 to complete a readiness assessment as soon as possible. In 2023, Aprio took the bold steps to convert 100% of our clients to the PCI DSS v4.0 standard and have integrated a readiness assessment into every project, providing timely feedback to our clients and helping them prepare for the March 31, 2025 deadline when all v4.0 requirements become mandatory.

If your current QSA isn’t helping you prepare for PCI DSS v4.0, it may be time to find a new partner for PCI compliance. Contact Aprio’s Information Assurance Services team today to receive a free copy of our PCI DSS v4.0 Implementation Fieldguide and PCI By the Numbers guides.

Related Resources/Assets/Aprio.com articles/pages

What is Information Assurance?

SOC 2 vs. ISO 27001: Which One is Right for Your Company?

About Aprio’s Information Assurance Services

Are you ready to learn more? Schedule a conversation with our team.