Are you ready for PCI DSS 3.2 and multi-factor authentication?

November 10, 2017
Brian Bowden


The PCI DSS 3.2 framework multi-factor authentication (MFA) deadline is rapidly approaching and, not surprisingly, many organizations have been asking how SecureAuth can help them meet the new MFA requirements.  

PCI requirement 8.3.1 states that organizations must incorporate multi-factor authentication for all non-console access into the cardholder data environment (CDE) for personnel with administrative access by January of 2018.  Before getting into how SecureAuth can help maintain PCI compliance, let’s take a summarized look at the PCI guidance around this new MFA requirement:

  • MFA requires at least two of the three methods described in requirement 8.2: something you know, something you have, something you are
  • Authentication methods should be independent of one another (i.e. one authenticator shouldn’t give you access to the second authenticator)
  • Authenticators should be conveyed through different network channels (i.e. out-of-band authentication)
  • All factors in MFA are verified prior to the authentication mechanism granting access or providing knowledge of the success or failure of any one authenticator.
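
The last point is the one most often missed in home-grown login flows, so here is an added sketch of it (not SecureAuth code and not part of the PCI guidance): a password plus RFC 6238 TOTP check that evaluates both factors before answering and returns one message for every failure. The account store, the `cde-admin` user and all function names are hypothetical.

```python
import hashlib, hmac, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the 'something you have' factor."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 hash of the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store (hypothetical names and values).
USERS = {
    "cde-admin": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse battery", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
    }
}
# Unknown usernames are checked against this record so they cost the same work.
DUMMY = {"salt": b"dummy-salt", "pw_hash": bytes(32), "totp_secret": b"dummy-secret"}

def verify_factors(username, password, otp, now=None) -> bool:
    """Evaluate every factor, then combine; never return after the first failure."""
    now = time.time() if now is None else now
    record = USERS.get(username, DUMMY)
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    otp_ok = hmac.compare_digest(totp(record["totp_secret"], now).encode(), otp.encode())
    return (username in USERS) & pw_ok & otp_ok  # '&' does not short-circuit

def login_response(username, password, otp, now=None) -> str:
    """One message for every failure, so the caller cannot tell which factor was wrong."""
    return "access granted" if verify_factors(username, password, otp, now) else "access denied"
```

A production verifier would also accept a small clock-skew window and reject reused codes; both are left out here to keep the focus on the single combined result.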

In addition to the information provided by the PCI council, the advice many customers are getting from their QSAs (Quality Security Assessor) is to ensure that PCI network servers, routers, and firewalls are protected with MFA per the PCI requirements mentioned above.  This helps to better define the scope of where these authentication changes need to take place.  Although these requirements appear straightforward, determining how to apply them within your environment may not be. 

So how can SecureAuth help?  The solution may differ from one environment to the next but let’s take a look at a couple of examples. 

MFA for Admin Access to Servers

Example 1: Utilize SecureAuth Login for Windows on Admin Jump boxes:  In this example, SecureAuth Login for Windows (formerly SecureAuth Windows Credential Provider) is deployed to the Jump-Box-Servers to enforce multi-factor authentication at the Windows Login.  Once logged in, the administrator can then gain remote access to the PCI systems.  SecureAuth could also protect a VDI environment utilized for admin Jump boxes.

Example 2: Utilize SecureAuth in combination with a privileged session management solution:  In this example, SecureAuth can be integrated with a Privileged Session Management solution such as CyberArk or BeyondTrust.  The Privileged Session Management solution has access to the PCI servers but admins must authenticate through SecureAuth’s adaptive multi-factor authentication first, thus satisfying the PCI MFA requirements outlined above.

MFA for Admin Access to Firewalls and Routers

Example 3:  Utilize SecureAuth RADIUS server to integrate with network appliances:  This one is a little tricky since many devices like firewalls may have been built with MFA in mind for end users (for external VPN, etc.) but not necessarily for admin access from the trusted network; however, most enterprise network appliances do support RADIUS authentication for remote console access.  SecureAuth offers a robust RADIUS server which can be leveraged to enforce MFA even when the RADIUS client does not support access-challenge (the part of the RADIUS protocol that allows the RADIUS server to prompt the RADIUS client for additional information, commonly used in MFA scenarios).

The example use cases above represent just a few of the ways SecureAuth can help organizations comply with PCI MFA requirements. SecureAuth has several capabilities that go beyond what is required for PCI to provide organizations with the best authentication security, such as adaptive threat protection, geo-velocity, identity governance integration and many others.

Contact us to find out how SecureAuth can help solve your unique PCI use cases. 

