
Timeline for PCI DSS 4.0: The Eighth Requirement and Strong Authentication


Moving through the requirements of PCI DSS 4.0, we’re well over halfway through. During this journey, we’ve touched on cryptography, security and perimeter management, network security, authorization, and other critical security considerations. Now, we come up against the authentication and identity management problem with the eighth requirement. 

Authentication isn’t simply about passwords and CAPTCHAs, however. Regarding payment processing and protecting cardholder data, retailers and processors are expected to implement strong and effective authentication at the point of purchase and in any system that holds PAN information. 


What Is PCI DSS 4.0 Authentication?

Under PCI DSS 4.0, authentication is defined as a process built on two principles: first, that the organization can establish and protect identities for individuals or processes (such as applications) within its system, and second, that it has reliable mechanisms by which that user or process can prove its identity.

For anyone familiar with authentication (and that should be all of us), a few recognizable components and mechanisms play a role in authentication. Some of these include:


What Are the Different Factors of Multi-Factor Authentication?

The eighth requirement of PCI DSS 4.0 repeatedly refers to the implementation of MFA as a necessity for compliance under certain circumstances. An effective authentication solution must include at least two forms of credentials that span two distinct “factors.” These factors include:

What Is the Eighth Requirement for PCI DSS 4.0?

The eighth requirement focuses on proper authentication for systems containing primary account numbers (PAN) and other sensitive cardholder information. Across the different subsections of the requirement, common themes and practices include:


8.1 – Processes and Mechanisms for Identifying and Authenticating Users


8.2 – User Identification Administration


8.3 – Strong Authentication


8.4 – Multi-Factor Authentication Is Implemented in CDEs


8.5 – Multi-Factor Authentication Systems Are Configured to Prevent Misuse


8.6 – Account and Authentication Use Are Strictly Managed


Align Your Authentication Standards with PCI DSS 4.0 with Lazarus Alliance

Authentication is a critical part of every security function, and PCI DSS has some relatively common approaches to authentication. With the arrival of PCI DSS 4.0, however, some changes are intended to boost system security, namely the requirement of MFA for almost every system component containing cardholder data.

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interoperability of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t there just to complete a checklist, however; they are tried-and-true security practices that will help support your security efforts ten years from now.


Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.

