Authentication and cryptography are two essential security controls that protect sensitive data and systems. Authentication helps verify who can access information, while cryptography protects data whether it is stored or transmitted over networks. Nearly every security measure depends on these two fundamental controls in some way. However, both authentication methods and cryptographic standards are constantly evolving, making it challenging for organizations to keep up with current best practices.
To help organizations navigate these changes, the PCI Security Standards Council (PCI SSC) has released two new guidance documents: Authentication Guidance and Cryptography Guidance.
Authentication Guidance
The Authentication Guidance document provides comprehensive information about different authentication methods, explaining which approaches represent best practices and considerations for implementing these methods.
The new guidance replaces the 2017 Multi-Factor Authentication (MFA) Guidance document and significantly expands its scope. It now covers single-factor authentication methods as well as multi-factor authentication, including newer approaches such as phishing-resistant authentication.
The document includes specific guidance for meeting PCI DSS authentication requirements, featuring a helpful diagram that clarifies how to interpret the standard’s various authentication requirements. It also provides real-world scenarios to help organizations understand the difference between true multi-factor authentication and single-factor authentication.
Cryptography Guidance
The Cryptography Guidance document explains how to implement strong cryptography that meets requirements in the various PCI SSC standards. It covers important concepts like ‘dual control’ and ‘split knowledge,’ which ensure that no single person has complete access to cryptographic keys.
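To make the two concepts concrete, here is an added illustration of split knowledge and dual control; it is example code written for this page, not material from the PCI SSC guidance documents. It uses one common way of implementing split knowledge, XOR key components, where every component but the last is uniformly random and the last is the XOR of the key with all the others, so any set of fewer than all components carries no information about the key. The function names, the "custodian" submissions and the simplified check value (a truncated SHA-256, not the PCI KCV method) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_custodians: int) -> List[bytes]:
    """Split `key` into n components that must ALL be present to rebuild it.

    The first n-1 components are uniformly random; the last is the XOR of the
    key with all of them. Any subset of fewer than n components is therefore
    statistically independent of the key, which is what split knowledge
    relies on: no single custodian ever holds usable key material.
    """
    if n_custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [os.urandom(len(key)) for _ in range(n_custodians - 1)]
    last = key
    for c in components:
        last = _xor(last, c)
    components.append(last)
    return components


def combine_key(components: List[bytes]) -> bytes:
    """XOR all components together; correct only when every one is present."""
    if not components:
        raise ValueError("no components supplied")
    result = bytes(len(components[0]))
    for c in components:
        result = _xor(result, c)
    return result


def key_check_value(key: bytes) -> str:
    """Simplified check value (constructed for this example, not the PCI KCV
    method): a truncated hash used to confirm a reconstructed key is correct
    without revealing the key itself."""
    return hashlib.sha256(key).hexdigest()[:6]


def reconstruct_under_dual_control(submissions: Dict[str, bytes],
                                   expected_kcv: str,
                                   min_custodians: int = 2) -> bytes:
    """Dual control: refuse to reconstruct unless at least `min_custodians`
    distinct custodians each supplied a component, then verify the result
    against the expected check value before releasing it."""
    if len(submissions) < min_custodians:
        raise PermissionError(
            f"dual control violated: {len(submissions)} custodian(s) present, "
            f"{min_custodians} required")
    key = combine_key(list(submissions.values()))
    # Constant-time comparison so the check itself does not leak timing info.
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("check value mismatch: a component is missing or corrupt")
    return key


def demo() -> bool:
    """Walk through a three-custodian key ceremony with constructed sample data."""
    key = bytes(range(16))            # constructed sample key, not a real one
    kcv = key_check_value(key)
    alice, bob, carol = split_key(key, 3)
    # Split knowledge: no single component, and no pair, equals the key.
    assert all(c != key for c in (alice, bob, carol))
    assert combine_key([alice, bob]) != key
    # Dual control: a lone custodian is refused before any combination happens.
    try:
        reconstruct_under_dual_control({"alice": alice}, kcv)
        return False
    except PermissionError:
        pass
    # All custodians present: the key is rebuilt and verified.
    rebuilt = reconstruct_under_dual_control(
        {"alice": alice, "bob": bob, "carol": carol}, kcv)
    return rebuilt == key


if __name__ == "__main__":
    print("ceremony succeeded:", demo())
```

In practice the component holders would each enter their part into an HSM or key-loading device rather than a Python process, and the check value would be computed the way the relevant standard prescribes; the point of the example is the two properties, that a partial set of components reveals nothing and that reconstruction cannot proceed without the required number of people.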
Appendices support the assessment of a specific cryptographic implementation: they help determine whether an algorithm meets the requirements for strong cryptography, and how to weigh the relevant types of risk when setting a cryptoperiod for the keys in use.
It is important to note that both documents serve as guidance only and are not to be considered mandatory requirements. When there are differences between the guidance and official PCI standards, the PCI standards always take precedence.
PCI SSC developed these documents in collaboration with industry stakeholders including the Global Executive Advisory Roundtable (GEAR) and the Board of Advisors (BOA). These guidance documents, now available in the PCI Document Library, represent PCI SSC’s commitment to helping organizations maintain strong security practices as authentication and cryptography technologies continue to evolve.