New PCI multi-factor authentication rules: Is it too late?
The PCI (Payment Card Industry) Security Standards Council has extended its multi-factor authentication requirement to all personnel with administrative access to environments that handle cardholder data. The change comes on the heels of the European Parliament adopting the revised Payment Services Directive (PSD2) late last year, which requires strong customer authentication for electronic payments.
PSD2 also introduces strict security requirements for the initiation and processing of electronic payments and the protection of consumers' financial data.
One key change in PCI DSS (Data Security Standard) 3.2 includes "multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data".
"To offer some perspective, this requirement previously applied only to remote access from otherwise untrusted networks," explains Dale de Kok, system engineer, South Africa at RSA, the Security Division of EMC. "As these new changes to PCI DSS suggest, passwords alone simply do not pass muster in the online trenches of the Internet."
Indeed, as observed by PCI Security Standards Council CTO Troy Leach: "A password alone should not be enough to verify the administrator's identity and grant access to sensitive information. We've seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data."
This change in PCI DSS 3.2 has specific implications for multi-factor authentication. According to Leach, the revision was made because, although the majority of connections continue to be remote, breach investigations and the council's conversations with the industry showed that security on local networks could be better as well. Because payment networks are distributed and mostly rely on single-factor administrative access to reach the cardholder data environment, there is not enough of what Leach terms "administrative oversight", and there are few organisations where an additional element of control through strong authentication would not be a positive development.
So, why exactly did this additional requirement take so long and what are the implications for PCI DSS 3.2, particularly around mobile authentication? After all, we are well on our way to becoming a mobile world, which means organisations will need to consider this as they add additional layers of security.
"While it may seem like the PCI Council is playing catch-up, it's just as true that all of the supporting infrastructure and virtual frameworks designed to satisfy those same standards have existed for quite some time. The only difference is that they are now required, albeit too late, according to some," concludes De Kok. "But, look at it another way; if organisations were already doing it, it would not have to be mandated. Ultimately, it is a good thing for organisations and consumers alike."
Networks Unlimited, a value-added distributor of converged technology, data centre, networking, and security technology solutions, distributes RSA products across 23 countries in Africa.
"It is estimated that 3.2 million South Africans shop online, with the majority being millennial customers. These consumers are set to spend nine billion rand online this year, according to a study by Arthur Goldstuck of World Wide Worx," adds Anton Jacobsz, MD at Networks Unlimited. "For these consumers, it is critical to have peace of mind that their details will not be used fraudulently, which makes the decision for an e-commerce business to comply with PCI DSS 3.2 an easy one."