Tackling the PCI’s New Authentication Regulations

Shimrit Tzur-David | May 7, 2018

The latest standards governing the world of digital payments have come into effect.

On 1 February 2018, the new Data Security Standard of the Payment Card Industry (PCI) Council, PCI DSS, came into effect. The new standard upgraded many protocols that used to be merely “best practices” to full requirements.

The updated PCI DSS is a significant shift from earlier versions of these standards. For many companies that base their operations on digital payments, achieving compliance with PCI’s new rules will mean, more than anything else, bringing their identity security protocols up to date.

Getting with the Times

The PCI DSS is often called the most “mature” of data standards.

This should come as no surprise, since the standard has been around for quite a while and has had ample time to evolve. Since the original PCI DSS was released in 2004, the standard has seen no fewer than seven revisions.

There’s a strong element of self-interest that drives the development of PCI DSS. The PCI itself was founded by the big names in credit cards, like American Express and Mastercard. These companies wanted high-level, universally applied criteria that would secure their clients as well as their own assets. Thus any update to PCI DSS reflects real changes in the digital security landscape and communicates the best strategies for how companies should address emerging challenges and threats.

Multi-Factor Authentication Necessity

The updates to PCI DSS that have arguably gotten the most attention within the industry are the changes relating to authentication standards. Requirements 8.3.1 and 8.3.2 mandate multi-factor authentication (MFA) for all “administrative” or “remote” access to cardholder data environments, or CDE systems. These new rules were designed to make sure that users with the ability to make changes to the CDE, and hence to potentially weaken security controls or introduce vulnerabilities, are more strongly authenticated. There are two points often overlooked when it comes to the new PCI standards that are worth clarifying:

  • Requirements 8.3.1 and 8.3.2 relate to two distinct aspects of authentication: 8.3.1 regulates administrative access and 8.3.2 refers to remote access. For an administrator on the internal network, requirement 8.3.1 means they will need to use MFA to gain administrative access to a CDE system. If that same administrator is working off-site, 8.3.2 means that they will have to use MFA to get connected to the internal network, and then use MFA again to take any administrative action on a CDE system or device.
  • Not all two-step authentication systems qualify for the new MFA requirements. The PCI DSS is very clear in defining MFA as a system incorporating two or more separate technologies. These technologies are broken down into three general categories: (a) something you know, such as a password or passphrase; (b) something you have, such as a token device or smart card; or (c) something you are, such as a biometric (fingerprint, eye scan, etc.). This definition means the common practice of applying the same technology twice in an authentication scheme, such as requiring a password and a username, no longer qualifies as MFA.

With these points in mind, managers will have to consider how much of a change the PCI standards will mean for their operations.
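The two points above can be turned into a concrete policy check: classify each authentication technology into one of the three PCI factor categories, count distinct categories, and apply 8.3.1 and/or 8.3.2 depending on whether the session is administrative, remote, or both. The following is an added illustration written for this page; it is not code from Secret Double Octopus or from the PCI Council. The three factor categories and the two requirements come from the article; the concrete technology names, the `AccessRequest` model, the function names and the sample scenarios are assumptions made here.

```python
"""Policy check for the PCI DSS 8.3.1 / 8.3.2 MFA rules described in the article.

Added example (assumptions: technology-to-category mapping, request model,
function names). It encodes only the rule stated on the page: MFA means two
or more technologies from DISTINCT categories, and an off-site administrator
must clear MFA twice (network entry under 8.3.2, CDE admin action under 8.3.1).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class FactorCategory(Enum):
    KNOWLEDGE = "something you know"   # password, passphrase
    POSSESSION = "something you have"  # token device, smart card
    INHERENCE = "something you are"    # fingerprint, eye scan


# Assumed mapping of technologies to categories. A username is an identifier,
# not an authentication factor, so it maps to no category at all.
FACTOR_CATEGORIES: Dict[str, Optional[FactorCategory]] = {
    "username": None,
    "password": FactorCategory.KNOWLEDGE,
    "passphrase": FactorCategory.KNOWLEDGE,
    "hardware_token": FactorCategory.POSSESSION,
    "smart_card": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "eye_scan": FactorCategory.INHERENCE,
}


def distinct_categories(factors: List[str]) -> Set[FactorCategory]:
    """Return the set of factor categories covered by the presented technologies.

    Unknown technologies are ignored rather than guessed: an unrecognised
    method should never silently count as a second factor.
    """
    cats: Set[FactorCategory] = set()
    for f in factors:
        cat = FACTOR_CATEGORIES.get(f)
        if cat is not None:
            cats.add(cat)
    return cats


def is_mfa(factors: List[str]) -> bool:
    """PCI DSS definition: two or more technologies from separate categories."""
    return len(distinct_categories(factors)) >= 2


@dataclass
class AccessRequest:
    administrative: bool                # will the session perform admin actions on a CDE system?
    remote: bool                        # does the session originate outside the internal network?
    network_entry_factors: List[str] = field(default_factory=list)  # presented to reach the network
    cde_access_factors: List[str] = field(default_factory=list)     # presented for the CDE action


def evaluate(req: AccessRequest) -> Dict[str, bool]:
    """Return pass/fail per applicable requirement; inapplicable ones are omitted.

    8.3.2 (remote access) is checked at the point of network entry.
    8.3.1 (administrative access) is checked at the CDE action itself, so an
    off-site administrator is evaluated twice, as the article describes.
    """
    results: Dict[str, bool] = {}
    if req.remote:
        results["8.3.2"] = is_mfa(req.network_entry_factors)
    if req.administrative:
        results["8.3.1"] = is_mfa(req.cde_access_factors)
    return results


def is_compliant(req: AccessRequest) -> bool:
    """True only if every applicable requirement is satisfied."""
    return all(evaluate(req).values())


# Constructed scenarios (not from the article) exercising each branch.
SCENARIOS = {
    "onsite_admin_ok": AccessRequest(True, False, cde_access_factors=["password", "hardware_token"]),
    "onsite_admin_username_password": AccessRequest(True, False, cde_access_factors=["username", "password"]),
    "onsite_admin_two_knowledge": AccessRequest(True, False, cde_access_factors=["password", "passphrase"]),
    "remote_admin_ok": AccessRequest(True, True, ["password", "hardware_token"], ["password", "smart_card"]),
    "remote_admin_weak_cde_step": AccessRequest(True, True, ["password", "hardware_token"], ["password"]),
    "remote_user_ok": AccessRequest(False, True, network_entry_factors=["password", "fingerprint"]),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name:32} {evaluate(req)}  compliant={is_compliant(req)}")
```

The deliberate choice to treat an unknown technology as contributing no category is the conservative reading of the page's definition: a scheme only earns MFA status when both of its factors are positively identified as belonging to different categories.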

Taking on the Threat

The rationale behind bolstering authentication in the credit card industry was simple: minimize all of the breaches that have occurred due to theft of administrators’ identities.

For over a decade, governments and law enforcement the world over have been warning of the growing trend of identity-theft scammers shifting their focus to financial-sector personnel. The damage inflicted on businesses by individually targeted scamming, commonly known as spear phishing, has increased dramatically over the past several years. This increase in turn has highlighted the weakness of single-factor systems in protecting identities, as every technology, taken on its own, can be overcome.

Secret Double Octopus has developed the world’s only keyless, multi-factor authentication technology to protect identities and meet PCI’s updated standards. The Octopus Authenticator addresses all the criteria of the new PCI DSS by incorporating separate and distinct factors into its MFA scheme. Furthermore, Secret Double Octopus technology is fully adaptable for users to implement both on-site and while operating remotely.

Powered by secret sharing algorithms, Secret Double Octopus’s tools circumvent the security vulnerabilities present in other multi-factor schemes, giving users the most secure and user-friendly authentication available.