Did you know that the Frequently Asked Questions (FAQ) resource on the PCI SSC website is updated regularly to address common questions the PCI SSC receives from stakeholders? This searchable tool includes a library of questions and answers on a variety of topics across PCI Security Standards and programs. In this blog series we highlight some of our most viewed FAQs.
Here we look at FAQ article 1449, which asks whether two-step authentication is acceptable for meeting PCI Data Security Standard (PCI DSS) Requirement 8.3: securing all individual non-console administrative access and all remote access to the cardholder data environment with multi-factor authentication.
Q. Is Two-Step Authentication Acceptable for PCI DSS Requirement 8.3?
Two-step or multi-step authentication may be acceptable for PCI DSS v3.2 Requirement 8.3, if all of the following conditions are met:
1. The authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smartcard
- Something you are, such as a biometric.
2. The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.
Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for additional guidance and best practices.
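The two conditions above can be applied mechanically to a proposed login flow. The following Python is an added example, not PCI SSC code or part of the FAQ; it assumes a simple model in which each step is tagged with its Requirement 8.2 factor type and may declare which other steps its security depends on (for instance, a one-time code emailed to a mailbox that the same password unlocks).

```python
"""Check an authentication chain against the two FAQ 1449 conditions.

Assumed model (not from the FAQ): each step carries its PCI DSS Req. 8.2
factor type, and may list other steps whose compromise also compromises it.
"""
from dataclasses import dataclass, field

FACTOR_TYPES = {"know", "have", "are"}  # the three Req. 8.2 categories


@dataclass
class Step:
    name: str
    factor: str                                   # "know", "have" or "are"
    depends_on: set = field(default_factory=set)  # names of other steps


def evaluate(steps):
    """Return (acceptable, reasons); reasons is empty when acceptable."""
    reasons = []
    for s in steps:
        if s.factor not in FACTOR_TYPES:
            reasons.append(f"{s.name}: factor {s.factor!r} is not a Req. 8.2 type")
    # Condition 2: a step that depends on another step is not independent;
    # compromising the other step compromises this one as well.
    for s in steps:
        for dep in sorted(s.depends_on):
            reasons.append(f"{s.name} is not independent of {dep}")
    # Condition 1: count distinct factor types among independent steps only,
    # so a dependent second step cannot satisfy the "two factors" rule.
    independent = {s.factor for s in steps
                   if s.factor in FACTOR_TYPES and not s.depends_on}
    if len(independent) < 2:
        reasons.append(f"only {len(independent)} independent factor type(s): "
                       f"{sorted(independent)}")
    return (not reasons, reasons)


# Constructed sample chains for illustration (not from the FAQ).
PASSWORD_PLUS_TOKEN = [Step("password", "know"),
                       Step("hardware_otp", "have")]
PASSWORD_PLUS_QUESTIONS = [Step("password", "know"),
                           Step("security_questions", "know")]
PASSWORD_PLUS_EMAIL_OTP = [Step("password", "know"),
                           Step("emailed_otp", "have", {"password"})]

if __name__ == "__main__":
    for chain in (PASSWORD_PLUS_TOKEN, PASSWORD_PLUS_QUESTIONS,
                  PASSWORD_PLUS_EMAIL_OTP):
        ok, why = evaluate(chain)
        print([s.name for s in chain], "acceptable" if ok else why)
```

Only the password-plus-hardware-token chain passes: the security-questions chain supplies a single factor type twice, and the emailed code is not independent of the password that protects the mailbox.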