In late April, the Payment Card Industry (PCI) Security Standards Council announced an update of its Data Security Standard (DSS). Included among the changes were extended requirements for multifactor authentication.
Meeting PCI DSS compliance standards is a requirement for any organization that stores and accesses credit card data on behalf of its customers. Compliance with this industry standard not only enables organizations to avoid hefty fines but also, more importantly, reduces the risk of a devastating data breach. Given just how valuable credit card data is to cybercriminals, maintaining privacy is crucial.
The latest update of PCI DSS, version 3.2, mandates that anyone accessing cardholder information must use multiple methods of authenticating their identity. Although multifactor authentication for remote access to a cardholder data environment has been a part of the PCI DSS for some time, this update expands the requirement to local access as well.
According to PCI Security Standards Council CTO Troy Leach, “a password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.” We’re with you, Troy Leach.
In addition to expanded requirements around user authentication, the revised PCI DSS includes standards for service provider companies that aggregate large amounts of payments data. These new regulations are intended to help organizations carry out security policies and meet best practices, such as performing quarterly reviews and conducting regular penetration tests.
Compliance: A Good Start
The use of compromised credentials is on the rise. In fact, according to the 2016 installment of the Verizon Data Breach Investigations Report, 63 percent of data breaches made use of either weak, default or stolen passwords – up from 51 percent in last year’s report.
Knowing this, how can you be sure that the person logging in to your network is who they say they are based on only a username and password? The truth is, you can’t, especially when, for example, more than one in three Americans remember their passwords by writing them down. In order to determine whether the user logging in to your network is an approved individual, you need to confirm their identity through another form of authentication. These methods range from SMS, telephony and email one-time passwords (OTPs) to push notifications and USB keys, just to name a few.
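To make the "another form of authentication" concrete, here is an added example (not code from SecureAuth or the PCI Security Standards Council) of how a server-side check of a time-based one-time password works. It assumes the RFC 4226/6238 construction (HMAC-SHA1, 30-second time step), uses the RFC's published test secret, and the user name and login times are constructed for illustration. Beyond generating a code, it shows the two checks a practitioner wants on the verification side: comparing every candidate time step in constant time, and refusing to accept a code for a time step that has already been used, so a captured OTP cannot be replayed within its validity window.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# RFC 4226 / RFC 6238 reference secret (the ASCII string "12345678901234567890").
# A real deployment would store a per-user random secret, never this value.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian counter,
    dynamic truncation to 31 bits, then reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter = unix_time // step."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, candidate: str, now: int,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter the candidate matches, or None.

    All 2*window+1 steps are always evaluated with hmac.compare_digest, so the
    time taken does not reveal which step (if any) matched."""
    candidate = candidate.strip().replace(" ", "")
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = now // step
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            matched = counter
    return matched


class SecondFactorCheck:
    """Per-user OTP verification with replay protection.

    Each accepted code 'burns' its time step for that user: a code captured
    by an attacker is useless even while the step is still inside the window."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_accepted_step: Dict[str, int] = {}

    def check(self, user: str, secret: bytes, candidate: str, now: int) -> bool:
        counter = verify_totp(secret, candidate, now,
                              self.step, self.digits, self.window)
        if counter is None:
            return False                      # wrong code, or outside the window
        if counter <= self._last_accepted_step.get(user, -1):
            return False                      # replay of an already-used step
        self._last_accepted_step[user] = counter
        return True


if __name__ == "__main__":
    # Constructed walk-through: a user ("alice") submits the RFC 6238 8-digit
    # vector for T=59, then an attacker who captured it tries to reuse it.
    checker = SecondFactorCheck(digits=8)
    code = totp(RFC_TEST_SECRET, 59, digits=8)          # "94287082"
    print("first use accepted:", checker.check("alice", RFC_TEST_SECRET, code, 59))
    print("replay accepted:   ", checker.check("alice", RFC_TEST_SECRET, code, 75))
    print("stale code accepted:", checker.check("alice", RFC_TEST_SECRET, code, 200))
```

The password check itself stays separate: the second factor is only consulted after the first factor succeeds, and a failure of either should produce the same generic error to the client so an attacker cannot tell which factor was wrong.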
With this in mind, it’s encouraging that the PCI Security Standards Council has taken steps to require all organizations under its regulatory purview to implement or extend multifactor authentication services. And while compliance does not render an organization impervious to cyberattack, implementing stronger identity and access controls can greatly reduce the risk of a data breach.
An Identity Solution that Works for You
Does your organization handle credit card data, healthcare information, criminal records or other regulated data? SecureAuth can equip you with the solutions you need to meet compliance standards quickly and efficiently, all while ensuring your sensitive data remains secure. To learn more about how SecureAuth can help you, contact us on our website, or feel free to tweet me @StephenCoxSA.